From owner-freebsd-security@FreeBSD.ORG Sun Oct 26 08:52:23 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6E16E16A4B3 for ; Sun, 26 Oct 2003 08:52:23 -0800 (PST) Received: from magnesium.net (toxic.magnesium.net [207.154.84.15]) by mx1.FreeBSD.org (Postfix) with SMTP id A8FFA43FBD for ; Sun, 26 Oct 2003 08:52:22 -0800 (PST) (envelope-from unfurl@dub.net) Received: (qmail 32504 invoked by uid 1001); 26 Oct 2003 16:52:22 -0000 Date: 26 Oct 2003 08:52:22 -0800 Date: Sun, 26 Oct 2003 08:52:22 -0800 From: Bill Swingle To: "G. Panula" Message-ID: <20031026165222.GA31223@dub.net> References: <3F97BA17.8050403@lexisnexis.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="ew6BAiZeqk4r7MaW" Content-Disposition: inline In-Reply-To: <3F97BA17.8050403@lexisnexis.com> User-Agent: Mutt/1.4.1i X-Operating-System: FreeBSD toxic.magnesium.net 5.1-RELEASE FreeBSD 5.1-RELEASE cc: freebsd-security@freebsd.org Subject: Re: IPSec VPNs: to gif or not to gif X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 26 Oct 2003 16:52:23 -0000 --ew6BAiZeqk4r7MaW Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Oct 23, 2003 at 06:23:03AM -0500, G. Panula wrote: > Current behavior is encrypted packet is handled by ipfw once, then after= =20 > decryption it is only handled by ipfw(again) if it passes thru an=20 > interface didn't arrive on. Does this apply to ipfilter as well? -Bill --=20 -=3D| Bill Swingle - -=3D| Every message PGP signed -=3D| PGP Fingerprint: C1E3 49D1 EFC9 3EE0 EA6E 6414 5200 1C95 8E09 0223 -=3D| "Computers are useless. 
They can only give you answers" Pablo Picasso= =20 --ew6BAiZeqk4r7MaW Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (FreeBSD) iD8DBQE/m/vGUgAclY4JAiMRAo51AJ91HRZbQnv1smz9LQJA2iIbpCtodACeOVmL v3paPTaEa0n1oq95QWtPppk= =5ON6 -----END PGP SIGNATURE----- --ew6BAiZeqk4r7MaW-- From owner-freebsd-security@FreeBSD.ORG Sun Oct 26 23:31:51 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0AC9516A4B3 for ; Sun, 26 Oct 2003 23:31:51 -0800 (PST) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 41B2A43F75 for ; Sun, 26 Oct 2003 23:31:50 -0800 (PST) (envelope-from brett@lariat.org) Received: (from brett@localhost) by lariat.org (8.9.3/8.9.3) id AAA23485 for security@freebsd.org; Mon, 27 Oct 2003 00:31:46 -0700 (MST) Date: Mon, 27 Oct 2003 00:31:46 -0700 (MST) From: Brett Glass Message-Id: <200310270731.AAA23485@lariat.org> To: security@freebsd.org Subject: Best way to filter "Nachi pings"? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 Oct 2003 07:31:51 -0000 We're being ping-flooded by the Nachi worm, which probes subnets for systems to attack by sending 92-byte ping packets. Unfortunately, IPFW doesn't seem to have the ability to filter packets by length. Assuming that I stick with IPFW, what's the best way to stem the tide? 
--Brett Glass From owner-freebsd-security@FreeBSD.ORG Mon Oct 27 00:02:41 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8E1B316A4B3 for ; Mon, 27 Oct 2003 00:02:41 -0800 (PST) Received: from obsecurity.dyndns.org (adsl-63-207-60-234.dsl.lsan03.pacbell.net [63.207.60.234]) by mx1.FreeBSD.org (Postfix) with ESMTP id C995A43F75 for ; Mon, 27 Oct 2003 00:02:40 -0800 (PST) (envelope-from kris@obsecurity.org) Received: from rot13.obsecurity.org (rot13.obsecurity.org [10.0.0.5]) by obsecurity.dyndns.org (Postfix) with ESMTP id 9939F66E08; Mon, 27 Oct 2003 00:02:40 -0800 (PST) Received: by rot13.obsecurity.org (Postfix, from userid 1000) id 7A7BFDBC; Mon, 27 Oct 2003 00:02:40 -0800 (PST) Date: Mon, 27 Oct 2003 00:02:40 -0800 From: Kris Kennaway To: Brett Glass Message-ID: <20031027080240.GA9552@rot13.obsecurity.org> References: <200310270731.AAA23485@lariat.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="J/dobhs11T7y2rNN" Content-Disposition: inline In-Reply-To: <200310270731.AAA23485@lariat.org> User-Agent: Mutt/1.4.1i cc: security@freebsd.org Subject: Re: Best way to filter "Nachi pings"? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 Oct 2003 08:02:41 -0000 --J/dobhs11T7y2rNN Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Mon, Oct 27, 2003 at 12:31:46AM -0700, Brett Glass wrote: > We're being ping-flooded by the Nachi worm, which probes subnets for > systems to attack by sending 92-byte ping packets. Unfortunately, > IPFW doesn't seem to have the ability to filter packets by length. > Assuming that I stick with IPFW, what's the best way to stem the > tide? 
Block all ping packets? Most security-conscious admins do this anyway. Kris --J/dobhs11T7y2rNN Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (FreeBSD) iD8DBQE/nNEgWry0BWjoQKURAtthAJ4gTe6CHlnlpBh6U9wB/xP3mdlQPgCggN/L 5fHSG5lqIIcbEOhS+det7XE= =7djy -----END PGP SIGNATURE----- --J/dobhs11T7y2rNN-- From owner-freebsd-security@FreeBSD.ORG Mon Oct 27 00:06:57 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 221AE16A4B3 for ; Mon, 27 Oct 2003 00:06:57 -0800 (PST) Received: from irc.dagupan.com (irc.dagupan.com [202.91.161.246]) by mx1.FreeBSD.org (Postfix) with ESMTP id F372743F85 for ; Mon, 27 Oct 2003 00:06:55 -0800 (PST) (envelope-from francisv-sender-21ebc3@irc.dagupan.com) Received: by irc.dagupan.com (Postfix, from userid 1022) id AB1B11DEBF8; Mon, 27 Oct 2003 16:06:50 +0800 (PHT) Received: from irc.dagupan.com (localhost [127.0.0.1]) by irc.dagupan.com (Postfix) with ESMTP id A9D2D1DEBE2 for ; Mon, 27 Oct 2003 16:06:49 +0800 (PHT) Received: from hopper (hopper.dagupan.com [202.91.161.143]) by irc.dagupan.com (tmda-ofmipd) with ESMTP; Mon, 27 Oct 2003 16:06:47 +0800 (PHT) To: Date: Mon, 27 Oct 2003 16:06:44 +0800 X-Mailer: Microsoft Office Outlook, Build 11.0.5329 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Thread-Index: AcOcYNnjE/Gm3ZmZSza98OT8fOug3wAACaOQ In-Reply-To: <20031027080240.GA9552@rot13.obsecurity.org> From: "Francis A. 
Vidal" Message-ID: <1067242009.66521.TMDA@irc.dagupan.com> X-Delivery-Agent: TMDA/0.80 (Determine) X-Spam-Status: No, hits=1.8 required=5.5 tests=BAYES_30,EMAIL_ATTRIBUTION,FORGED_MUA_OUTLOOK, FROM_HAS_MIXED_NUMS,IN_REP_TO,MISSING_OUTLOOK_NAME, QUOTED_EMAIL_TEXT,REPLY_WITH_QUOTES version=2.55 X-Spam-Level: * X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp) X-Sanitizer: Secured by Bitstop Network Services MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Subject: RE: Best way to filter "Nachi pings"? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: "Francis A. Vidal" List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 Oct 2003 08:06:57 -0000 Wouldn't it break stuff like traceroute? -----Original Message----- From: Kris Kennaway [mailto:kris@obsecurity.org] Sent: Monday, October 27, 2003 4:03 PM To: Brett Glass Cc: security@freebsd.org Subject: Re: Best way to filter "Nachi pings"? On Mon, Oct 27, 2003 at 12:31:46AM -0700, Brett Glass wrote: > We're being ping-flooded by the Nachi worm, which probes subnets for > systems to attack by sending 92-byte ping packets. Unfortunately, > IPFW doesn't seem to have the ability to filter packets by length. > Assuming that I stick with IPFW, what's the best way to stem the > tide? Block all ping packets? Most security-conscious admins do this anyway. 
Kris From owner-freebsd-security@FreeBSD.ORG Mon Oct 27 00:11:14 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 37F2916A4B3 for ; Mon, 27 Oct 2003 00:11:14 -0800 (PST) Received: from tx0.oucs.ox.ac.uk (tx0.oucs.ox.ac.uk [129.67.1.163]) by mx1.FreeBSD.org (Postfix) with ESMTP id A688643FBD for ; Mon, 27 Oct 2003 00:11:12 -0800 (PST) (envelope-from colin.percival@wadham.ox.ac.uk) Received: from scan0.oucs.ox.ac.uk ([129.67.1.162] helo=localhost) by tx0.oucs.ox.ac.uk with esmtp (Exim 4.20) id 1AE2T1-0007Ij-Fa for freebsd-security@freebsd.org; Mon, 27 Oct 2003 08:11:11 +0000 Received: from rx0.oucs.ox.ac.uk ([129.67.1.161]) by localhost (scan0.oucs.ox.ac.uk [129.67.1.162]) (amavisd-new, port 25) with ESMTP id 27762-07 for ; Mon, 27 Oct 2003 08:11:11 +0000 (GMT) Received: from gateway.wadham.ox.ac.uk ([163.1.161.253]) by rx0.oucs.ox.ac.uk with smtp (Exim 4.20) id 1AE2T1-0007IW-1j for freebsd-security@freebsd.org; Mon, 27 Oct 2003 08:11:11 +0000 Received: (qmail 8480 invoked by uid 0); 27 Oct 2003 08:11:11 -0000 Received: from colin.percival@wadham.ox.ac.uk by gateway by uid 71 with qmail-scanner-1.16 (sweep: 2.14/3.71. spamassassin: 2.53. Clear:. Processed in 0.97428 secs); 27 Oct 2003 08:11:11 -0000 X-Qmail-Scanner-Mail-From: colin.percival@wadham.ox.ac.uk via gateway X-Qmail-Scanner: 1.16 (Clear:. Processed in 0.97428 secs) Received: from dhcp1131.wadham.ox.ac.uk (HELO piii600.wadham.ox.ac.uk) (163.1.161.131) by gateway.wadham.ox.ac.uk with SMTP; 27 Oct 2003 08:11:10 -0000 Message-Id: <5.0.2.1.1.20031027080917.020dd378@popserver.sfu.ca> X-Sender: cperciva@popserver.sfu.ca X-Mailer: QUALCOMM Windows Eudora Version 5.0.2 Date: Mon, 27 Oct 2003 08:11:07 +0000 To: "Francis A. 
Vidal" , From: Colin Percival In-Reply-To: <1067242009.66521.TMDA@irc.dagupan.com> References: <20031027080240.GA9552@rot13.obsecurity.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Subject: RE: Best way to filter "Nachi pings"? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 Oct 2003 08:11:14 -0000 At 16:06 27/10/2003 +0800, Francis A. Vidal wrote: >Wouldn't it break stuff like traceroute? Traceroute is fine -- it uses UDP packets. Tracert, on the other hand, uses ICMP echo request packets, and it suffers. I'm currently on a university network, and when there are connectivity issues (which seems to be quite often) I get very annoyed with the ICMP filtering. Colin Percival From owner-freebsd-security@FreeBSD.ORG Mon Oct 27 00:22:30 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4F71516A4B3 for ; Mon, 27 Oct 2003 00:22:30 -0800 (PST) Received: from irc.dagupan.com (irc.dagupan.com [202.91.161.246]) by mx1.FreeBSD.org (Postfix) with ESMTP id 33E6843FAF for ; Mon, 27 Oct 2003 00:22:29 -0800 (PST) (envelope-from francisv-sender-21ebc3@irc.dagupan.com) Received: by irc.dagupan.com (Postfix, from userid 1022) id F0CF31DEBF8; Mon, 27 Oct 2003 16:22:27 +0800 (PHT) Received: from irc.dagupan.com (localhost [127.0.0.1]) by irc.dagupan.com (Postfix) with ESMTP id 031831DEBE2 for ; Mon, 27 Oct 2003 16:22:27 +0800 (PHT) Received: from hopper (hopper.dagupan.com [202.91.161.143]) by irc.dagupan.com (tmda-ofmipd) with ESMTP; Mon, 27 Oct 2003 16:22:26 +0800 (PHT) To: Date: Mon, 27 Oct 2003 16:22:22 +0800 X-Mailer: Microsoft Office Outlook, Build 11.0.5329 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Thread-Index: 
AcOcYeppTGEWPa6eQeids4L7rC3bTwAAXA+w In-Reply-To: <5.0.2.1.1.20031027080917.020dd378@popserver.sfu.ca> From: "Francis A. Vidal" Message-ID: <1067242946.66995.TMDA@irc.dagupan.com> X-Delivery-Agent: TMDA/0.80 (Determine) X-Spam-Status: No, hits=2.1 required=5.5 tests=AWL,BAYES_30,EMAIL_ATTRIBUTION,FORGED_MUA_OUTLOOK, FROM_HAS_MIXED_NUMS,IN_REP_TO,MISSING_OUTLOOK_NAME version=2.55 X-Spam-Level: ** X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp) X-Sanitizer: Secured by Bitstop Network Services MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Subject: RE: Best way to filter "Nachi pings"? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: "Francis A. Vidal" List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 Oct 2003 08:22:30 -0000 It's also dependent on ICMP time exceeded. -----Original Message----- From: Colin Percival [mailto:colin.percival@wadham.ox.ac.uk] Sent: Monday, October 27, 2003 4:11 PM To: Francis A. Vidal; freebsd-security@freebsd.org Subject: RE: Best way to filter "Nachi pings"? At 16:06 27/10/2003 +0800, Francis A. Vidal wrote: >Wouldn't it break stuff like traceroute? Traceroute is fine -- it uses UDP packets. Tracert, on the other hand, uses ICMP echo request packets, and it suffers. I'm currently on a university network, and when there are connectivity issues (which seems to be quite often) I get very annoyed with the ICMP filtering. 
Colin Percival From owner-freebsd-security@FreeBSD.ORG Mon Oct 27 00:53:58 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AAAC416A4B3 for ; Mon, 27 Oct 2003 00:53:58 -0800 (PST) Received: from obsecurity.dyndns.org (adsl-63-207-60-234.dsl.lsan03.pacbell.net [63.207.60.234]) by mx1.FreeBSD.org (Postfix) with ESMTP id C37F143FBD for ; Mon, 27 Oct 2003 00:53:57 -0800 (PST) (envelope-from kris@obsecurity.org) Received: from rot13.obsecurity.org (rot13.obsecurity.org [10.0.0.5]) by obsecurity.dyndns.org (Postfix) with ESMTP id 6E81766DFF; Mon, 27 Oct 2003 00:53:57 -0800 (PST) Received: by rot13.obsecurity.org (Postfix, from userid 1000) id 43185DC5; Mon, 27 Oct 2003 00:53:57 -0800 (PST) Date: Mon, 27 Oct 2003 00:53:57 -0800 From: Kris Kennaway To: "Francis A. Vidal" Message-ID: <20031027085357.GA9723@rot13.obsecurity.org> References: <20031027080240.GA9552@rot13.obsecurity.org> <1067242009.66521.TMDA@irc.dagupan.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="dDRMvlgZJXvWKvBx" Content-Disposition: inline In-Reply-To: <1067242009.66521.TMDA@irc.dagupan.com> User-Agent: Mutt/1.4.1i cc: freebsd-security@freebsd.org Subject: Re: Best way to filter "Nachi pings"? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 Oct 2003 08:53:58 -0000 --dDRMvlgZJXvWKvBx Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Mon, Oct 27, 2003 at 04:06:44PM +0800, Francis A. Vidal wrote: > Wouldn't it break stuff like traceroute? Only if you block all ICMP packets, which is not what I suggested. 
Kris --dDRMvlgZJXvWKvBx Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (FreeBSD) iD8DBQE/nN0kWry0BWjoQKURAr2ZAJ0a2LzKRnjbYt9DgZoEFLLE/nm3YwCguJEW GisbrJ1te/fyg+jy+pw6Ysg= =lTnp -----END PGP SIGNATURE----- --dDRMvlgZJXvWKvBx-- From owner-freebsd-security@FreeBSD.ORG Mon Oct 27 00:57:49 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 780AB16A4B3 for ; Mon, 27 Oct 2003 00:57:49 -0800 (PST) Received: from mail1.zer0.org (klapaucius.zer0.org [204.152.186.45]) by mx1.FreeBSD.org (Postfix) with ESMTP id ADF5F43FBF for ; Mon, 27 Oct 2003 00:57:48 -0800 (PST) (envelope-from gsutter@zer0.org) Received: by mail1.zer0.org (Postfix, from userid 1001) id 688D9239A0B; Mon, 27 Oct 2003 00:57:46 -0800 (PST) Date: Mon, 27 Oct 2003 00:57:46 -0800 From: Gregory Sutter To: Brett Glass Message-ID: <20031027085746.GD98272@klapaucius.zer0.org> References: <200310270731.AAA23485@lariat.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="Qrgsu6vtpU/OV/zm" Content-Disposition: inline In-Reply-To: <200310270731.AAA23485@lariat.org> Organization: Zer0 X-Purpose: For great justice! Mail-Copies-To: poster X-PGP-Fingerprint: D161 E4EA 4BFA 2427 F3F9 5B1F 2015 31D5 845D FEDD X-PGP-Key: http://zer0.org/~gsutter/gsutter.pgp X-Habeas-SWE-1: winter into spring X-Habeas-SWE-2: brightly anticipated X-Habeas-SWE-3: like Habeas SWE (tm) X-Habeas-SWE-4: Copyright 2002 Habeas (tm) X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this X-Habeas-SWE-6: email in exchange for a license for this Habeas X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this X-Habeas-SWE-9: mark in spam to . 
User-Agent: Mutt/1.5.4i cc: security@freebsd.org Subject: Re: Best way to filter "Nachi pings"? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 Oct 2003 08:57:49 -0000 --Qrgsu6vtpU/OV/zm Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2003-10-27 00:31 -0700, Brett Glass wrote: > We're being ping-flooded by the Nachi worm, which probes subnets for > systems to attack by sending 92-byte ping packets. Unfortunately, > IPFW doesn't seem to have the ability to filter packets by length. > Assuming that I stick with IPFW, what's the best way to stem the > tide? You could filter by icmptype, with the result that no ICMP ECHO packets would transit your firewall (i.e. ping stops working). Here is what I use on one of my hosts. Comments welcome. # icmp # echo reply, dest unreach, redirect, echo request, ttl exceeded $fwcmd add 07000 allow icmp from me to any out xmit $eth icmptypes 0,3,5,8,= 11 # echo reply, dest unreach, echo request, ttl exceeded $fwcmd add 07010 allow icmp from any to me in recv $eth icmptypes 0,3,8,11 (The remainder are denied by default.) Greg --=20 Gregory S. Sutter It is no measure of health to be mailto:gsutter@zer0.org well adjusted to a profoundly http://zer0.org/~gsutter/ sick society. 
--Krishamurti --Qrgsu6vtpU/OV/zm Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- iD8DBQE/nN4KIBUx1YRd/t0RArTFAJ9nwq3BBIkx424hG8TlHFK03B9iSwCfbLWI 8ZoLfiUn38BtvGkTRVH8GvE= =cf8d -----END PGP SIGNATURE----- --Qrgsu6vtpU/OV/zm-- From owner-freebsd-security@FreeBSD.ORG Mon Oct 27 01:03:52 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4D38F16A4B3 for ; Mon, 27 Oct 2003 01:03:52 -0800 (PST) Received: from snow.fingers.co.za (snow.fingers.co.za [196.7.148.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id 730C943F93 for ; Mon, 27 Oct 2003 01:03:50 -0800 (PST) (envelope-from fingers@fingers.co.za) Received: by snow.fingers.co.za (Postfix, from userid 1001) id 529501706D; Mon, 27 Oct 2003 11:03:48 +0200 (SAST) Received: from localhost (localhost [127.0.0.1]) by snow.fingers.co.za (Postfix) with ESMTP id 50DBF1703E for ; Mon, 27 Oct 2003 11:03:48 +0200 (SAST) Date: Mon, 27 Oct 2003 11:03:48 +0200 (SAST) From: fingers To: freebsd-security@freebsd.org In-Reply-To: <20031027085357.GA9723@rot13.obsecurity.org> Message-ID: <20031027110310.F5852@snow.fingers.co.za> References: <20031027080240.GA9552@rot13.obsecurity.org> <20031027085357.GA9723@rot13.obsecurity.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Subject: Re: Best way to filter "Nachi pings"? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 Oct 2003 09:03:52 -0000 > Only if you block all ICMP packets, which is not what I suggested. does windows tracert not specifically use 92 byte icmp echo-requests? 
(8/0) From owner-freebsd-security@FreeBSD.ORG Mon Oct 27 01:06:58 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0B50916A4BF for ; Mon, 27 Oct 2003 01:06:58 -0800 (PST) Received: from trillian.santala.org (ip212-226-173-33.adsl.kpnqwest.fi [212.226.173.33]) by mx1.FreeBSD.org (Postfix) with SMTP id 9DF5F43F93 for ; Mon, 27 Oct 2003 01:06:55 -0800 (PST) (envelope-from jake@iki.fi) Received: (qmail 34964 invoked by uid 11053); 27 Oct 2003 09:06:53 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 27 Oct 2003 09:06:52 -0000 Date: Mon, 27 Oct 2003 11:06:52 +0200 (EET) From: Jarkko Santala X-X-Sender: jake@trillian.santala.org To: Kris Kennaway In-Reply-To: <20031027080240.GA9552@rot13.obsecurity.org> Message-ID: <20031027110203.B96390@trillian.santala.org> References: <200310270731.AAA23485@lariat.org> <20031027080240.GA9552@rot13.obsecurity.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=ISO-8859-15 Content-Transfer-Encoding: QUOTED-PRINTABLE cc: security@freebsd.org Subject: Re: Best way to filter "Nachi pings"? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 Oct 2003 09:06:58 -0000 On Mon, 27 Oct 2003, Kris Kennaway wrote: > On Mon, Oct 27, 2003 at 12:31:46AM -0700, Brett Glass wrote: > > We're being ping-flooded by the Nachi worm, which probes subnets for > > systems to attack by sending 92-byte ping packets. Unfortunately, > > IPFW doesn't seem to have the ability to filter packets by length. > > Assuming that I stick with IPFW, what's the best way to stem the > > tide? > > Block all ping packets? Most security-conscious admins do this D'oh? 
I like ping very much and it would make me very sad indeed if I couldn't ping my boxes to solve possible network problems along the way. I fail to see the security problem and possible DoS issues could be solved by using limiting of sort. Definitely this block-all approach is not sane, its like if someone complains about NFS being broken you'd say disable it. Filtering packets by length on the other hand is a very nice feature to have. =09-jake --=20 Jarkko Santala System Administrator http://iki.fi/jake= / From owner-freebsd-security@FreeBSD.ORG Mon Oct 27 01:17:54 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 379B216A4B3 for ; Mon, 27 Oct 2003 01:17:54 -0800 (PST) Received: from irc.dagupan.com (irc.dagupan.com [202.91.161.246]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1F16743FAF for ; Mon, 27 Oct 2003 01:17:53 -0800 (PST) (envelope-from francisv-sender-21ebc3@irc.dagupan.com) Received: by irc.dagupan.com (Postfix, from userid 1022) id B70991DEADB; Mon, 27 Oct 2003 17:17:51 +0800 (PHT) Received: from irc.dagupan.com (localhost [127.0.0.1]) by irc.dagupan.com (Postfix) with ESMTP id 9FE691DE915 for ; Mon, 27 Oct 2003 17:17:50 +0800 (PHT) Received: from hopper (hopper.dagupan.com [202.91.161.143]) by irc.dagupan.com (tmda-ofmipd) with ESMTP; Mon, 27 Oct 2003 17:17:49 +0800 (PHT) To: Date: Mon, 27 Oct 2003 17:17:38 +0800 X-Mailer: Microsoft Office Outlook, Build 11.0.5329 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Thread-Index: AcOcadnZSFs8coh7Suu0wps2UOgJZgAAQgfQ In-Reply-To: <20031027110203.B96390@trillian.santala.org> From: "Francis A. 
Vidal" Message-ID: <1067246270.68413.TMDA@irc.dagupan.com> X-Delivery-Agent: TMDA/0.80 (Determine) X-Spam-Status: No, hits=0.1 required=5.5 tests=AWL,BAYES_20,EMAIL_ATTRIBUTION,FORGED_MUA_OUTLOOK, FROM_HAS_MIXED_NUMS,IN_REP_TO,MISSING_OUTLOOK_NAME, QUOTED_EMAIL_TEXT,REPLY_WITH_QUOTES version=2.55 X-Spam-Level: X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp) X-Sanitizer: Secured by Bitstop Network Services MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Subject: RE: Best way to filter "Nachi pings"? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: "Francis A. Vidal" List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 Oct 2003 09:17:54 -0000 Unfortunately, the Nachi worm uses ICMP echo to probe potential targets. If you have a Cisco box, you can match the ICMP message generated by Nachi by it's size and type and do some fancy stuff with it. -----Original Message----- From: Jarkko Santala [mailto:jake@iki.fi]=20 Sent: Monday, October 27, 2003 5:07 PM To: Kris Kennaway Cc: security@freebsd.org Subject: Re: Best way to filter "Nachi pings"? On Mon, 27 Oct 2003, Kris Kennaway wrote: > On Mon, Oct 27, 2003 at 12:31:46AM -0700, Brett Glass wrote: > > We're being ping-flooded by the Nachi worm, which probes subnets for > > systems to attack by sending 92-byte ping packets. Unfortunately, > > IPFW doesn't seem to have the ability to filter packets by length. > > Assuming that I stick with IPFW, what's the best way to stem the > > tide? > > Block all ping packets? Most security-conscious admins do this D'oh? I like ping very much and it would make me very sad indeed if I couldn't ping my boxes to solve possible network problems along the way. I fail to see the security problem and possible DoS issues could be solved by using limiting of sort. 
Definitely this block-all approach is not sane, its like if someone complains about NFS being broken you'd say disable it. Filtering packets by length on the other hand is a very nice feature to have. -jake --=20 Jarkko Santala System Administrator http://iki.fi/jake/ _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" From owner-freebsd-security@FreeBSD.ORG Mon Oct 27 02:17:18 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 32F8016A4B3 for ; Mon, 27 Oct 2003 02:17:18 -0800 (PST) Received: from trillian.santala.org (ip212-226-173-33.adsl.kpnqwest.fi [212.226.173.33]) by mx1.FreeBSD.org (Postfix) with SMTP id B509A43FBD for ; Mon, 27 Oct 2003 02:17:16 -0800 (PST) (envelope-from jake@iki.fi) Received: (qmail 35365 invoked by uid 11053); 27 Oct 2003 10:17:11 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 27 Oct 2003 10:17:11 -0000 Date: Mon, 27 Oct 2003 12:17:11 +0200 (EET) From: Jarkko Santala X-X-Sender: jake@trillian.santala.org To: Kris Kennaway In-Reply-To: <20031027093435.GA6111@rot13.obsecurity.org> Message-ID: <20031027120642.A96390@trillian.santala.org> References: <200310270731.AAA23485@lariat.org> <20031027080240.GA9552@rot13.obsecurity.org> <20031027093435.GA6111@rot13.obsecurity.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=ISO-8859-15 Content-Transfer-Encoding: QUOTED-PRINTABLE cc: security@freebsd.org Subject: Re: Best way to filter "Nachi pings"? 
X-List-Received-Date: Mon, 27 Oct 2003 10:17:18 -0000

On Mon, 27 Oct 2003, Kris Kennaway wrote:
> On Mon, Oct 27, 2003 at 11:06:52AM +0200, Jarkko Santala wrote:
> > On Mon, 27 Oct 2003, Kris Kennaway wrote:
> >
> > > On Mon, Oct 27, 2003 at 12:31:46AM -0700, Brett Glass wrote:
> > > > We're being ping-flooded by the Nachi worm, which probes subnets for
> > > > systems to attack by sending 92-byte ping packets. Unfortunately,
> > > > IPFW doesn't seem to have the ability to filter packets by length.
> > > > Assuming that I stick with IPFW, what's the best way to stem the
> > > > tide?
> > >
> > > Block all ping packets? Most security-conscious admins do this
> >
> > D'oh? I like ping very much and it would make me very sad indeed if I
> > couldn't ping my boxes to solve possible network problems along the way. I
> > fail to see the security problem and possible DoS issues could be solved
> > by using limiting of sort.
>
> The security and DoS concerns are really kind of obvious.

Both of which I believe can be handled in a more civilized way. Blocking all
ping packets to improve security is nothing more than security through
obscurity. It may hide your system against the simplest ping probes, but it
does nothing to improve security as such.

> No-one has a gun to your head though, so I fail to see why you're
> complaining that someone else might do this on their own network.

That was not the reason why I complained. The reason was someday some newbie
might read your post and come to the conclusion that blocking all ping
packets is the only solution and even a good one, which is what I disagree
with.

> > Definitely this block-all approach is not sane, it's like if someone
> > complains about NFS being broken you'd say disable it. Filtering packets
> > by length on the other hand is a very nice feature to have.
>
> As it happens, ipfw[2] does this anyway.

IMHO this is the correct answer that might have been given right away.

	-jake
--
Jarkko Santala
System Administrator
http://iki.fi/jake/

From owner-freebsd-security@FreeBSD.ORG Mon Oct 27 03:12:49 2003
From: Jason Stone
To: security@freebsd.org
Date: Mon, 27 Oct 2003 03:12:48 -0800 (PST)
Subject: Re: Best way to filter "Nachi pings"?
Message-ID: <20031027030027.B8440@walter>
In-Reply-To: <20031027120642.A96390@trillian.santala.org>

> > > D'oh? I like ping very much
> > The security and DoS concerns are really kind of obvious.
> Blocking all ping packets to improve security is nothing more than
> security through obscurity.

No, you're missing the point - when all of my clients started massively
pinging the internet, the load on my nat box brings down connectivity for my
whole office. We're not talking about obscuring the layout of a network -
we're talking about a client that is massively flooding with a particular
kind of traffic, and so we're blocking that traffic to avoid dos. That
traffic just happens to be ping traffic. Yes, not being able to send outbound
pings is unfortunate, but if the alternative is to lose your connectivity
entirely, blocking pings seems preferable. If your network is small and
firewall performance is not an issue, you could just allow outbound pings
from the unix machines....

> > > Filtering packets by length on the other hand is a very nice feature
> > > to have.
> > As it happens, ipfw[2] does this anyway.

Yes, ipfw2 (ie, on fbsd-5 boxes) has an "iplen" option that you can put in
the body of your rule. From the manpage:

     iplen len
             Matches IP packets whose total length, including header and
             data, is len bytes.

However, this isn't going to help most people with 4.x systems, so their
best option is probably still to block all pings.

-Jason

--------------------------------------------------------------------------
Freud himself was a bit of a cold fish, and one cannot avoid the suspicion
that he was insufficiently fondled when he was an infant.
	-- Ashley Montagu

From owner-freebsd-security@FreeBSD.ORG Mon Oct 27 03:43:14 2003
From: Peter Pentchev
To: Jason Stone
cc: security@freebsd.org
Date: Mon, 27 Oct 2003 13:43:10 +0200
Subject: Re: Best way to filter "Nachi pings"?
Message-ID: <20031027114310.GA430@straylight.oblivion.bg>
In-Reply-To: <20031027030027.B8440@walter>

On Mon, Oct 27, 2003 at 03:12:48AM -0800, Jason Stone wrote:
[snip]
> > > > Filtering packets by length on the other hand is a very nice feature
> > > > to have.
>
> > > As it happens, ipfw[2] does this anyway.
>
> Yes, ipfw2 (ie, on fbsd-5 boxes) has an "iplen" option that you can put in
> the body of your rule. From the manpage:
>
>      iplen len
>              Matches IP packets whose total length, including header and
>              data, is len bytes.
>
> However, this isn't going to help most people with 4.x systems, so their
> best option is probably still to block all pings.

Actually, ipfw2 has been backported to -STABLE for quite a while, and the
iplen keyword has been present in -STABLE's src/sbin/ipfw/ipfw2.c ever since
ipfw2 was MFC'd (about July 2002). You may want to take a look at the
ipfw(8) manual page, and specifically (as recommended at the top of the
manpage) the 'USING IPFW2 IN FreeBSD-STABLE' section to see how you can
actually use ipfw2 and 'iplen' in -STABLE :)

G'luck,
Peter

--
Peter Pentchev  roam@ringlet.net  roam@sbnd.net  roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
If there were no counterfactuals, this sentence would not have been paradoxical.
From owner-freebsd-security@FreeBSD.ORG Mon Oct 20 01:21:15 2003
From: "Poul-Henning Kamp"
To: Adam Nowacki
cc: freebsd-security@freebsd.org
Date: Mon, 20 Oct 2003 10:21:10 +0200
Subject: Re: jail + devfs + snp problem (FreeBSD 5.1-RELEASE-p10)
Message-ID: <7572.1066638070@critter.freebsd.dk>
In-Reply-To: Your message of "Sun, 19 Oct 2003 23:12:59 +0200." <3F92FE5B.5070709@bsk.vectranet.pl>

In message <3F92FE5B.5070709@bsk.vectranet.pl>, Adam Nowacki writes:
>shell# /sbin/devfs rule -s 2 delset
>shell# /sbin/devfs rule -s 2 add hide
>shell# /sbin/devfs rule -s 2 add path random unhide
>shell# /sbin/devfs rule -s 2 add path urandom unhide
>shell# /sbin/devfs rule -s 2 add path zero unhide
>shell# /sbin/devfs rule -s 2 add path pty\* unhide
>shell# /sbin/devfs rule -s 2 add path pty\* unhide
>shell# /sbin/devfs rule -s 2 add path tty\* unhide
>shell# /sbin/mount_devfs devfs /storage0/site/dev

Running ls -l /storage0/site/dev/snp* will undoubtedly show one or more snp*
devices.

>shell# /sbin/devfs -m /storage0/site/dev ruleset 2

This only makes the ruleset apply to devices created in the future. To also
apply it to currently created devices, you should also give the command:

	/sbin/devfs -m /storage0/site/dev rule applyset

After which any snp* (and other filtered) devices will be gone.

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
From owner-freebsd-security@FreeBSD.ORG Wed Oct 22 10:07:09 2003
From: Sam Leffler
Organization: Errno Consulting
To: Mike Tancsa, Bill Swingle, security@freebsd.org
Date: Wed, 22 Oct 2003 10:08:30 -0700
Subject: Re: hardware crypto and SSL?
Message-Id: <200310221008.30969.sam@errno.com>
In-Reply-To: <6.0.0.22.0.20031022102925.04d56660@209.112.4.2>

On Wednesday 22 October 2003 07:35 am, Mike Tancsa wrote:
> At 11:44 PM 21/10/2003, Mike Tancsa wrote:
> >Don't know about http ssl, but I am using the cards from Soekris for my
> >backup server. As long as you use 3des for encryption, it does make a big
> >difference CPU wise. The next generation cards supposedly have AES and
> >public key generation, but I don't think the driver will do the public key
> >stuff. The safe driver says it does, but I don't know where to get such
> >cards.
>
> Sorry, I was misspeaking about the safe driver. At the bottom, the Bugs
> section says, "Public key support is not implemented."
>

Actually, Jason Wright took the driver and added PK support but I haven't
brought the changes back to FreeBSD yet. One big problem with the safenet
chips for PK is that they require polling to get the results! Needless to
say this is not optimal.

> I would say give the Soekris card a try. It's $80 and it will help with the
> SHA1 and MD5 calcs as well as provide good RNG. It won't help with RSA key
> generation unfortunately where much of the initial overhead comes from.

The hifn 7955-based cards from Soekris should be available soon. I have no
more info than you do other than I've worked with a prototype that was real.
There are still some issues to work out in the driver but between Jason and
I it should be well supported in time. The big win is that it's got AES and
PK support and should be inexpensive. A Safenet-based card that does all
this too should be available sometime also but I'm not sure what the product
plans are for that (and no I can't say who's doing the card).

	Sam

From owner-freebsd-security@FreeBSD.ORG Mon Oct 27 03:24:00 2003
From: Ross Wheeler
To: Jason Stone
cc: security@freebsd.org
Date: Mon, 27 Oct 2003 22:23:53 +1100 (EST)
Subject: Re: Best way to filter "Nachi pings"?
In-Reply-To: <20031027030027.B8440@walter>

> > Blocking all ping packets to improve security is nothing more than
> > security through obscurity.
>
> No, you're missing the point - when all of my clients started massively
> pinging the internet, the load on my nat box brings down connectivity for
> my whole office. We're not talking about obscuring the layout of a
> network - we're talking about a client that is massively flooding with a
> particular kind of traffic, and so we're blocking that traffic to avoid
> dos. That traffic just happens to be ping traffic. Yes, not being able
> to send outbound pings is unfortunate, but if the alternative is to lose
> your connectivity entirely, blocking pings seems preferable.
>      iplen len
>              Matches IP packets whose total length, including header and
>              data, is len bytes.
>
> However, this isn't going to help most people with 4.x systems, so their
> best option is probably still to block all pings.

The "best" option is to actively monitor for this worm (it's NOT difficult,
a few lines of awk and tcpdump does fine here), *DETECT* the worm on your
customers' machine, mail them, mail your support team and BOOT THEM.

I've been doing it here since about 4 hours after blaster hit, and it's
saved us immeasurable pain. We're lucky to have 2 users a day get
(re)infected. Detecting them, identifying them and kicking them off the
appropriate NAS they are attached to, including sending e-mail, takes under
15 seconds. It minimises the chances of them infecting anyone else, AND
reduces the impact on your network.

Oh, filtering ingress traffic to minimise its entry into your network is a
good thing too.

YMMV.

From owner-freebsd-security@FreeBSD.ORG Mon Oct 27 05:17:43 2003
From: Brett Glass
To: Kris Kennaway, Jarkko Santala
cc: security@freebsd.org
Date: Mon, 27 Oct 2003 06:17:26 -0700
Subject: Re: Best way to filter "Nachi pings"?
Message-Id: <6.0.0.22.2.20031027061227.03a6be78@localhost>
In-Reply-To: <20031027093435.GA6111@rot13.obsecurity.org>

At 02:34 AM 10/27/2003, Kris Kennaway wrote:

>As it happens, ipfw[2] does this anyway.

It does. But the router is a production machine and is running an older
release of FreeBSD that doesn't have a solid IPFW2. (IPFW2 *just* hit full
production quality somewhere between 4.8-RELEASE and now, I must wait until
4.9-RELEASE is out, and proves stable, before I can start using IPFW2. This,
as you know, may take awhile.)

--Brett

From owner-freebsd-security@FreeBSD.ORG Mon Oct 27 05:21:07 2003
From: Brett Glass
To: Ross Wheeler, Jason Stone
cc: security@freebsd.org
Date: Mon, 27 Oct 2003 06:20:55 -0700
Subject: Re: Best way to filter "Nachi pings"?
Message-Id: <6.0.0.22.2.20031027061831.04c88c18@localhost>

At 04:23 AM 10/27/2003, Ross Wheeler wrote:

>The "best" option is to actively monitor for this worm (it's NOT difficult,
>a few lines of awk and tcpdump does fine here), *DETECT* the worm on your
>customers' machine, mail them, mail your support team and BOOT THEM.

That's assuming it's your customer. We're being flooded from OUTSIDE. There
seem to be approximately one zillion hacked Windows machines out there, and
zero inside our networks (because we're blocking the appropriate ports).
We've had only one infection behind that particular router, and it came when
someone brought in a laptop that had been connected elsewhere.
--Brett

From owner-freebsd-security@FreeBSD.ORG Mon Oct 27 08:27:05 2003
From: Brett Glass
To: Jarkko Santala, Kris Kennaway
cc: security@freebsd.org
Date: Mon, 27 Oct 2003 09:26:20 -0700
Subject: Re: Best way to filter "Nachi pings"?
Message-Id: <6.0.0.22.2.20031027092251.04ad3dd8@localhost>
In-Reply-To: <20031027120642.A96390@trillian.santala.org>

At 03:17 AM 10/27/2003, Jarkko Santala wrote:

>Blocking
>all ping packets to improve security is nothing more than security through
>obscurity. It may hide your system against the simplest ping probes, but
>it does nothing to improve security as such.

In our case, there's a more compelling reason.

Some of our customers' system administrators have utilities which ping their
servers from their home Internet connections to make sure everything's
working. If I were to block pings, all of these guys' (and gals') pagers and
cell phones would go off at once. I'd be besieged with demands to remove the
block immediately.

--Brett

From owner-freebsd-security@FreeBSD.ORG Mon Oct 27 08:32:48 2003
From: "David G. Andersen"
To: Brett Glass
cc: security@freebsd.org
cc: Kris Kennaway
Date: Mon, 27 Oct 2003 09:32:47 -0700
Subject: Re: Best way to filter "Nachi pings"?
Message-ID: <20031027093247.B99164@cs.utah.edu>
In-Reply-To: <6.0.0.22.2.20031027092251.04ad3dd8@localhost>

Brett Glass just mooed:
> At 03:17 AM 10/27/2003, Jarkko Santala wrote:
>
> >Blocking
> >all ping packets to improve security is nothing more than security through
> >obscurity. It may hide your system against the simplest ping probes, but
> >it does nothing to improve security as such.
>
> In our case, there's a more compelling reason.
>
> Some of our customers' system administrators have utilities
> which ping their servers from their home Internet connections
> to make sure everything's working. If I were to block pings,
> all of these guys' (and gals') pagers and cell phones would go
> off at once. I'd be besieged with demands to remove the block
> immediately.

Rate-limit them with dummynet on somewhat selective per-subnet basis. It's
not perfect, and increases the latency perceived by customers running ping,
but it helps a lot compared to doing nothing.

-dave

--
work: dga@lcs.mit.edu  me: dga@pobox.com
MIT Laboratory for Computer Science  http://www.angio.net/
I do not accept unsolicited commercial email. Do not spam me.
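The three approaches argued over in this thread, modelled at the IP layer as an added example (not code from any of the posters): what a length-only `iplen 92` match on echo requests selects, why a payload check (the probe's 64 data bytes of 0xAA, taken from the dump posted later in the thread) lets a legitimate 92-byte ping through, and a per-/24 token bucket standing in for David's per-subnet dummynet rate limit. The addresses, ICMP id/seq and sample packets are constructed; `icmptypes` is an ipfw keyword not quoted in the thread.

```python
"""Nachi 92-byte echo requests: ipfw2-style 'iplen 92' match, payload content
match, and a per-/24 token bucket in place of a per-subnet dummynet pipe."""
import ipaddress
import struct

ICMP_ECHO_REQUEST = 8
NACHI_TOTAL_LEN = 92           # IP total length of the probe, as reported in the thread
NACHI_PAYLOAD = b"\xaa" * 64   # 64 data bytes of 0xAA, from the dump posted in the thread


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; yields 0 for data that already carries one."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(src: str, dst: str, ident: int, seq: int,
                       payload: bytes, ttl: int = 126) -> bytes:
    """Constructed IPv4 + ICMP echo request with valid checksums (sample input only)."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x98D9, 0, ttl, 1, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", inet_checksum(header)) + header[12:]
    return header + icmp


def parse_ipv4_icmp(pkt: bytes):
    """Decode an IPv4/ICMP packet; None if it is not ICMP or fails a sanity check."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len != len(pkt) or pkt[9] != 1:     # proto 1 = ICMP
        return None
    icmp = pkt[ihl:total_len]
    if inet_checksum(pkt[:ihl]) != 0 or inet_checksum(icmp) != 0:
        return None
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "total_len": total_len, "ttl": pkt[8], "icmp_type": icmp_type,
            "code": code, "ident": ident, "seq": seq, "payload": icmp[8:]}


def matches_iplen_rule(info: dict, length: int = NACHI_TOTAL_LEN) -> bool:
    """Length-only selection: what 'icmptypes 8 iplen 92' in an ipfw2 rule would see."""
    return info["icmp_type"] == ICMP_ECHO_REQUEST and info["total_len"] == length


def looks_like_nachi(info: dict) -> bool:
    """Content match: the 92-byte echo request whose data bytes are all 0xAA."""
    return matches_iplen_rule(info) and info["payload"] == NACHI_PAYLOAD


class SubnetRateLimiter:
    """Token bucket per source /24: a simplified stand-in for a per-subnet dummynet pipe."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.buckets = {}                      # /24 -> (tokens, last_timestamp)

    def allow(self, src: str, now: float) -> bool:
        key = str(ipaddress.ip_network(src + "/24", strict=False))
        tokens, last = self.buckets.get(key, (float(self.burst), now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill since last seen
        if tokens >= 1:
            self.buckets[key] = (tokens - 1, now)
            return True
        self.buckets[key] = (tokens, now)
        return False


def classify(pkt: bytes, limiter: SubnetRateLimiter, now: float) -> str:
    """'drop' Nachi-looking probes, 'limit' echo requests over the subnet budget, else 'pass'."""
    info = parse_ipv4_icmp(pkt)
    if info is None:
        return "other"                         # not ICMP, or malformed: outside this policy
    if looks_like_nachi(info):
        return "drop"
    if info["icmp_type"] == ICMP_ECHO_REQUEST and not limiter.allow(info["src"], now):
        return "limit"
    return "pass"


if __name__ == "__main__":
    worm = build_echo_request("192.0.2.10", "198.51.100.5", 0x0200, 0xCE26, NACHI_PAYLOAD)
    ping = build_echo_request("192.0.2.10", "198.51.100.5", 0x1234, 1, bytes(range(64)))
    limiter = SubnetRateLimiter(rate=2.0, burst=10)
    print(len(worm), classify(worm, limiter, 0.0))             # 92 drop
    print([classify(ping, limiter, 0.0) for _ in range(12)])  # 10 x pass, then limit
```

Both sample packets are 92 bytes, so a length-only rule drops the legitimate `ping -s 64` as well; only the content check tells them apart.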
From owner-freebsd-security@FreeBSD.ORG Mon Oct 27 11:19:05 2003
From: "Gaspar Chilingarov"
To: "David G. Andersen", "Brett Glass"
cc: security@freebsd.org
Date: Mon, 27 Oct 2003 23:18:28 +0400
Subject: Re: Best way to filter "Nachi pings"?
Message-Id: <20031027191857.32F5A43FBD@mx1.FreeBSD.org>

Hello, here is the dump of such packets -

and also one packet split to fields:

d17h: IP: s=217.113.16.218 (FastEthernet6/1/0), d=217.113.53.236 (FastEthernet5
# offset = 0
00:02:4A:6E:40:C8 00:D0:52:01:31:2E 0800   ether frame
# offset=14
4500005C            # ip frame - 5c mean total len 92 bytes
98D90000 7E01AA57   # 01 means icmp protocol
D97110DA D97135B3
#offset=34
0800D283            # icmp header - 08 - type echo req, code 00
0200CE26            # id, queue number
#offset=42
AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA
AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA
AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA
AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA
01

so, if you can filter by packet content you can easily drop only Nachi's icmp packets ....
:) A little bit off-topic - I've set up content filters on Lucent Max and
this helped a lot to decrease load to the network. So we should seek a way
to filter by packet content, not by length.

With best regards,
Gaspar Chilingarov
________________________________________________
WEB ISP - leader in wireless/DSL/dialup services in Armenia.
Go to http://www.web.am/

From owner-freebsd-security@FreeBSD.ORG Mon Oct 27 11:22:39 2003
From: "Peter C. Lai"
To: Brett Glass
cc: security@freebsd.org
cc: Kris Kennaway
Date: Mon, 27 Oct 2003 14:22:35 -0500
Subject: Re: Best way to filter "Nachi pings"?
Message-ID: <20031027192235.GG6460@cowbert.2y.net>
In-Reply-To: <6.0.0.22.2.20031027061227.03a6be78@localhost>

Will the new IPFW2 build as a KLM which you could use with your old freebsd
kernel? (/sbin/ipfw2 would have to be rebuilt also, but should be otherwise
compatible). Similarly, is there a reason that you wouldn't be able to use
the less robust ipfw2 on your release (since I assume you'd be using it
purely for its iplen capabilities)? In any case, blocking ICMP etc. appears
to be operationally the same as introducing unstable ipfw2 into a stable
running kernel - they are at best, only temporary solutions.

On Mon, Oct 27, 2003 at 06:17:26AM -0700, Brett Glass wrote:
> At 02:34 AM 10/27/2003, Kris Kennaway wrote:
>
> >As it happens, ipfw[2] does this anyway.
>
> It does. But the router is a production machine and is
> running an older release of FreeBSD that doesn't have
> a solid IPFW2. (IPFW2 *just* hit full production quality
> somewhere between 4.8-RELEASE and now, I must wait until
> 4.9-RELEASE is out, and proves stable, before I can start
> using IPFW2. This, as you know, may take awhile.)
>
> --Brett

--
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology
Yale University School of Medicine
SenseLab | Research Assistant
http://cowbert.2y.net/

From owner-freebsd-security@FreeBSD.ORG Mon Oct 27 11:39:21 2003
From: G Hasse
To: Sam Leffler
cc: security@freebsd.org
Date: Mon, 27 Oct 2003 22:15:47 +0000 (GMT)
Subject: Re: hardware crypto and SSL?
Message-ID: <20031027221035.I50355-100000@gandalf.raditex.se>
In-Reply-To: <200310221008.30969.sam@errno.com>

Hello!

There is a good article by Ken Thompson "Reflections on Trusting Trust"
http://www.acm.org/classics/sep95/

He basically says that you can't trust hardware if you don't have the
microcode.

How is the hardware handling this for those devices mentioned?

Göran Hasse

----------------------------------------------------------------
Göran Hasse        email: gh@raditex.se      Tel: 08-6949270
Raditex AB         http://www.raditex.se     Fax: 08-4420570
Sickla Alle 7, 1tr                           Mob: 070-5530148
131 34 NACKA, SWEDEN

From owner-freebsd-security@FreeBSD.ORG Mon Oct 27 13:15:15 2003
From: Wolfgang Kess
To: freebsd-security@freebsd.org
Date: Mon, 27 Oct 2003 22:15:12 +0100
Subject: How to disable XFree86 and wdm listening ports
Message-ID: <20031027211512.GA14467@stinky.trash.net>

Hello,

what is the right way to disable XFree86 and wdm listening ports tcp 6000
and tcp 1024.

I read in man XFree86 about the -nolisten tcp option and tried to set in
/usr/X11R6/lib/X11/xdm

:0 local /usr/X11R6/bin/X -nolisten tcp

but it was not successful.

What is the right way to close the ports without use of IPFW?

Your help would be appreciated.

Thanks
Wolfgang

From owner-freebsd-security@FreeBSD.ORG Mon Oct 27 14:13:21 2003
From: twig les
To: Wolfgang Kess, freebsd-security@freebsd.org
Date: Mon, 27 Oct 2003 14:13:20 -0800 (PST)
Subject: Re: How to disable XFree86 and wdm listening ports
Message-ID: <20031027221320.6829.qmail@web10105.mail.yahoo.com>
In-Reply-To: <20031027211512.GA14467@stinky.trash.net>

http://www.onlamp.com/pub/a/bsd/2002/08/08/FreeBSD_Basics.html

To quote:

"There are several ways to close this port; I've found the easiest is to
become the superuser and edit /usr/X11R6/bin/startx. Find the serverargs line
and change it so that it looks like this:

serverargs="-nolisten tcp"

Once you've saved your changes, start X as a regular user and rerun
sockstat -4. If you didn't have any typos, X will start as usual, but port
6000 will be missing in your sockstat -4 output."

I never run wdm so don't know there.

--- Wolfgang Kess wrote:
> Hello,
>
> what is the right way to disable XFree86 and wdm listening
> ports tcp 6000 and tcp 1024.
>
> I read in man XFree86 about the -nolisten tcp option
> and tried to set in /usr/X11R6/lib/X11/xdm
>
> :0 local /usr/X11R6/bin/X -nolisten tcp
>
> but it was not successful.
>
>
> What is the right way to close the ports without use of IPFW?
>
> Your help would be appreciated.
>
> Thanks
> Wolfgang

=====
-----------------------------------------------------------
Get a taste of Religion ... eat a priest!
-----------------------------------------------------------
Exclusive Video Premiere - Britney Spears http://launch.yahoo.com/promos/britneyspears/ From owner-freebsd-security@FreeBSD.ORG Mon Oct 27 14:19:27 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1FC6916A4B3 for ; Mon, 27 Oct 2003 14:19:27 -0800 (PST) Received: from sccrmhc13.comcast.net (sccrmhc13.comcast.net [204.127.202.64]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0F80043F3F for ; Mon, 27 Oct 2003 14:19:26 -0800 (PST) (envelope-from cristjc@comcast.net) Received: from blossom.cjclark.org (12-234-156-182.client.attbi.com[12.234.156.182]) by comcast.net (sccrmhc13) with ESMTP id <2003102722192401600hh197e>; Mon, 27 Oct 2003 22:19:24 +0000 Received: from blossom.cjclark.org (localhost. [127.0.0.1]) by blossom.cjclark.org (8.12.8p1/8.12.8) with ESMTP id h9RMJHJp046557; Mon, 27 Oct 2003 14:19:17 -0800 (PST) (envelope-from cristjc@comcast.net) Received: (from cjc@localhost) by blossom.cjclark.org (8.12.8p2/8.12.8/Submit) id h9RMJG0q046556; Mon, 27 Oct 2003 14:19:16 -0800 (PST) X-Authentication-Warning: blossom.cjclark.org: cjc set sender to cristjc@comcast.net using -f Date: Mon, 27 Oct 2003 14:19:16 -0800 From: "Crist J. Clark" To: Bill Swingle Message-ID: <20031027221916.GA46461@blossom.cjclark.org> References: <3F97BA17.8050403@lexisnexis.com> <20031026165222.GA31223@dub.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20031026165222.GA31223@dub.net> User-Agent: Mutt/1.4.1i X-URL: http://people.freebsd.org/~cjc/ cc: freebsd-security@freebsd.org cc: "G. Panula" Subject: Re: IPSec VPNs: to gif or not to gif X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: "Crist J. 
Clark" List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 Oct 2003 22:19:27 -0000 On Sun, Oct 26, 2003 at 08:52:22AM -0800, Bill Swingle wrote: > On Thu, Oct 23, 2003 at 06:23:03AM -0500, G. Panula wrote: > > Current behavior is encrypted packet is handled by ipfw once, then after > > decryption it is only handled by ipfw(again) if it passes thru an > > interface didn't arrive on. > > Does this apply to ipfilter as well? Yes. -- Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org From owner-freebsd-security@FreeBSD.ORG Mon Oct 27 17:47:08 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0C7DF16A4CE for ; Mon, 27 Oct 2003 17:47:08 -0800 (PST) Received: from gi.sourcefire.com (gi.sourcefire.com [12.110.105.132]) by mx1.FreeBSD.org (Postfix) with ESMTP id 19ED443FB1 for ; Mon, 27 Oct 2003 17:47:07 -0800 (PST) (envelope-from nigel@sourcefire.com) Received: from [10.41.20.38] ([216.142.52.66]) (AUTH: PLAIN nhoughton, ) by gi.sourcefire.com with esmtp; Mon, 27 Oct 2003 20:47:05 -0500 Date: Mon, 27 Oct 2003 20:45:31 -0500 (EST) From: Nigel Houghton Sender: nigel@enterprise.sfeng.sourcefire.com To: Wolfgang Kess In-Reply-To: <20031027211512.GA14467@stinky.trash.net> Message-ID: References: <20031027211512.GA14467@stinky.trash.net> X-SG1: Mr Glass is half empty over here MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=iso-8859-1 Content-Transfer-Encoding: QUOTED-PRINTABLE cc: "freebsd-security@freebsd.org" Subject: Re: How to disable XFree86 and wdm listening ports X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 
Oct 2003 01:47:08 -0000 wdm is a replacement for xdm and has it's own configuration directory, similar in nature to xdm but called wdm. There are different ways to achieve your desired result, you should find an appropriate place in /usr/X11R6/lib/X11/wdm/wdm-config to add the -nolisten tcp option to the server line similar to the xdm option you tried already. For gdm, the process is similar the line to start the X server is in gdm.conf and would look like command=3D/usr/X11R6/bin/X -nolisten tcp. There are other places this can be done, but these options might be easiest for you. You might also want to make sure you have XDMCP turned off also otherwise you'll be listening on udp 177 too. Around 10:15pm Wolfgang Kess said: WK :Hello, WK : WK :what is the right way to disable XFree86 and wdm listening WK :ports tcp 6000 and tcp 1024. WK : WK :I read in man XFree86 about the -nolisten tcp option WK :and tried to set in /usr/X11R6/lib/X11/xdm WK : WK ::0 local /usr/X11R6/bin/X -nolisten tcp WK : WK :but it was not successful. WK : WK : WK :What is the right way to close the ports without use of IPFW? WK : WK :Your help would be appreciated. WK : WK :Thank=B4s WK :Wolfgang WK : WK :_______________________________________________ WK :freebsd-security@freebsd.org mailing list WK :http://lists.freebsd.org/mailman/listinfo/freebsd-security WK :To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.= org" WK : ------------------------------------------------------------- Nigel Houghton Security Research Engineer Sourcefire Inc. Vulnerability Research Team "Mankind hasn't even got the technology to create a toupee that doesn't get big laughs." 
  -- Lister

From owner-freebsd-security@FreeBSD.ORG Mon Oct 27 18:00:44 2003
From: Jason Stone
To: Wolfgang Kess
cc: "freebsd-security@freebsd.org"
Date: Mon, 27 Oct 2003 18:00:42 -0800 (PST)
Message-ID: <20031027175709.C38023@walter>
Subject: Re: How to disable XFree86 and wdm listening ports

> For gdm, the process is similar the line to start the X server is in
> gdm.conf and would look like command=/usr/X11R6/bin/X -nolisten tcp.

If you think that you might someday invoke X with a different display manager, you might consider replacing /usr/X11R6/bin/X with a shell script that calls "X.real -nolisten tcp" - this would make all methods of starting X not use the tcp port. On the other hand, you'll have to remember to maintain it when you upgrade.

Also, it's probably a good idea to firewall off that port as well - defense in depth and all that.

 -Jason

--------------------------------------------------------------------------
Freud himself was a bit of a cold fish, and one cannot avoid the suspicion that he was insufficiently fondled when he was an infant.
 -- Ashley Montagu

From owner-freebsd-security@FreeBSD.ORG Mon Oct 27 18:05:58 2003
From: Brett Glass
To: peter.lai@uconn.edu
cc: security@freebsd.org, Kris Kennaway
Date: Mon, 27 Oct 2003 19:05:38 -0700
Message-ID: <6.0.0.22.2.20031027190409.04ada3f0@localhost>
In-Reply-To: <20031027192235.GG6460@cowbert.2y.net>
Subject: Re: Best way to filter "Nachi pings"?

At 12:22 PM 10/27/2003, Peter C. Lai wrote:

>Similarly, is there a reason that you wouldn't be able to use the less robust
>ipfw2 on your release (since I assume you'd be using it purely for its iplen
>capabilities)?

Look at some of the latest notes in the CVS database. They mention use-after-free problems, security holes (unprivileged users can manipulate the firewall), and other things you just wouldn't want on a production system. The good news is that they scoured the code quite thoroughly, and it seems to be solid now.

--Brett

From owner-freebsd-security@FreeBSD.ORG Tue Oct 28 04:30:01 2003
From: "G. Panula"
To: Brett Glass
cc: security@freebsd.org
Date: Tue, 28 Oct 2003 06:29:56 -0600
Message-ID: <3F9E6144.2080206@lexisnexis.com>
In-Reply-To: <6.0.0.22.2.20031023162326.04c1e008@localhost>
Subject: Re: /var partition overflow (due to spyware?) in FreeBSD default install

Brett Glass wrote:
> All:
>
> I'm posting this to FreeBSD-security (rather than FreeBSD-net) because
> the problems I'm seeing appear to have been caused by spyware, and
> because they constitute a possible avenue for denial of service on
> FreeBSD machines with default installs of the operating system.
>
> Several of the FreeBSD machines on our network began to act strangely
> during the past week. Some have started to refuse mail; in other cases,
> important daemons have died without warning. All of the machines are
> running 4.x releases of FreeBSD with all recent patches installed, and
> all are running the version of BIND supplied with FreeBSD. The "top"
> command, when run on these machines, showed that BIND is consuming very
> large amounts of CPU time, but this by itself couldn't explain all of
> the symptoms we were seeing.
>
> This afternoon, I examined the machines and discovered the problem: full
> /var partitions caused by huge /var/log/messages files.
>
> Inspection of the files reveals hundreds of thousands of messages of the
> form:
>
> Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns0.opennic.glue)
> Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns1.opennic.glue)
> Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns3.opennic.glue)
> Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns4.opennic.glue)
> Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns6.opennic.glue)
> Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns7.opennic.glue)
> Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns8.opennic.glue)
> Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns11.opennic.glue)
> Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns10.opennic.glue)
> Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns11.opennic.glue)
>
> The references to OpenNIC have caused me to suspect (though I have not
> verified it yet) that the problem is due to the New.Net spyware, which
> causes Windows machines to query OpenNIC's name servers. From what I've
> read so far, it appears that New.Net is "foistware" -- that is, it can
> be installed on innocent users' Windows machines without their consent
> via holes in Internet Explorer. But if New.Net is not what's
> responsible, SOMETHING certainly seems to be generating bogus DNS
> queries, which in turn are causing these messages.
>
> FreeBSD currently comes configured, in the default install, to check
> /var/messages only once a day, and to rotate the log file if it's above
> a certain size. Unfortunately, these messages accumulate so rapidly that
> this is not sufficient; the /var partition in the default install can
> easily be overflowed long before the log is rotated, causing
> malfunctions. I've temporarily changed /etc/crontab so that newsyslog is
> run every 5 minutes instead of once a day (which may be a good idea to
> prevent other denials of service via this sort of overflow as well). But
> it also makes sense to patch the system so that it does not fill so many
> verbose messages -- and/or to ignore the bogus queries generated by the
> spyware. It may also pay to patch BIND to limit the overhead that is
> incurred when such queries occur. Ideas?

Wouldn't a better work-around be either to add the ns*.opennic.glue addresses to named.root, or to set up a dummy zone for .glue that just returns a localhost address to the client?

Or a possible solution would be to set up bind to log directly to its own log files and rotate them when needed, and turn off logging to syslog. Bind 8 & 9 allow for logging of various messages to different files and letting bind rotate them when needed. Check out the Bind documentation. There is a helpful example available at:
http://logreport.org/doc/gen/dns/bind8.php

Here's a quick example from bind9:

  # This sets up logging options:
  # general info is logged to both syslog and a local file,
  # info about lame-servers is sent to /dev/null
  logging {
      channel named_log {
          file "/var/named/named.log" versions 5 size 1m;
          severity info;
          print-time yes;
      };
      channel null { null; };
      category "default" { "named_log"; default_syslog; };
      category "lame-servers" { "null"; };
  };

I guess as an improvement on the default named.conf, it could include an example section on logging options.

greg
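Before choosing between the dummy zone and a dedicated BIND logging channel discussed above, an operator wants to know what is actually filling /var. The following is an added example, not code from the thread: it reads /var/log/messages lines on stdin and summarises the "sysquery: no addrs found for root NS" flood by server name, by zone, by bytes and by busiest second, assuming the BIND 8 message format quoted in Brett's mail; the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: triage a syslog flood of BIND
# "sysquery: no addrs found for root NS (...)" lines before deciding on a
# dummy zone or a BIND logging channel.  All functions read syslog lines
# on stdin.  Assumes the BIND 8 message format quoted in the thread.

# Constructed sample in the thread's format: five named lines, one other.
SAMPLE='Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns0.opennic.glue)
Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns1.opennic.glue)
Oct 23 16:00:07 victim named[326]: sysquery: no addrs found for root NS (ns0.opennic.glue)
Oct 23 16:00:08 victim sshd[412]: Accepted publickey for admin from 10.0.0.5
Oct 23 16:00:08 victim named[326]: sysquery: no addrs found for root NS (ns11.opennic.glue)
Oct 23 16:00:08 victim named[326]: sysquery: no addrs found for root NS (ns0.opennic.glue)'

# Per-server counts, most frequent first: "count name".
# The server name is the last field, wrapped in parentheses.
sysquery_counts() {
    awk '
        /named\[[0-9]+\]: sysquery: no addrs found for root NS \(/ {
            n = $NF; sub(/^\(/, "", n); sub(/\)$/, "", n); c[n]++
        }
        END { for (k in c) printf "%d %s\n", c[k], k }
    ' | sort -rn
}

# Per-zone counts (first label stripped): tells you which zone a single
# dummy zone would have to cover.
sysquery_zones() {
    awk '
        /named\[[0-9]+\]: sysquery: no addrs found for root NS \(/ {
            n = $NF; sub(/^\(/, "", n); sub(/\)$/, "", n)
            sub(/^[^.]*\./, "", n); z[n]++
        }
        END { for (k in z) printf "%d %s\n", z[k], k }
    ' | sort -rn
}

# Total number of such lines.
sysquery_total() {
    awk '/named\[[0-9]+\]: sysquery: no addrs found for root NS \(/ { t++ }
         END { print t + 0 }'
}

# Bytes those lines occupy on disk (newline included): how fast /var fills.
sysquery_bytes() {
    awk '/named\[[0-9]+\]: sysquery: no addrs found for root NS \(/ { b += length($0) + 1 }
         END { print b + 0 }'
}

# Busiest second, "count Mon DD HH:MM:SS": sizes the newsyslog interval.
sysquery_peak_second() {
    awk '
        /named\[[0-9]+\]: sysquery: no addrs found for root NS \(/ { t[$1 " " $2 " " $3]++ }
        END { for (k in t) printf "%d %s\n", t[k], k }
    ' | sort -rn | head -n 1
}

# Stand-alone run over the constructed sample.  On a real host:
#   sysquery_counts < /var/log/messages
printf '%s\n' "$SAMPLE" | sysquery_counts
printf 'zones:\n'
printf '%s\n' "$SAMPLE" | sysquery_zones
printf 'total %s lines, %s bytes, peak: %s\n' \
    "$(printf '%s\n' "$SAMPLE" | sysquery_total)" \
    "$(printf '%s\n' "$SAMPLE" | sysquery_bytes)" \
    "$(printf '%s\n' "$SAMPLE" | sysquery_peak_second)"
```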
From owner-freebsd-security@FreeBSD.ORG Tue Oct 28 08:44:07 2003
From: Wolfgang Kess
To: Jason Stone
cc: "freebsd-security@freebsd.org"
Date: Tue, 28 Oct 2003 17:44:02 +0100
Message-ID: <20031028164402.GA9780@stinky.trash.net>
In-Reply-To: <20031027175709.C38023@walter>
Subject: Re: How to disable XFree86 and wdm listening ports

On Mon, Oct 27, 2003 at 06:00:42PM -0800, Jason Stone wrote:
>
> If you think that you might someday invoke X with a different display
> manager, you might consider replacing /usr/X11R6/bin/X with a shell script
> that calls "X.real -nolisten tcp" - this would make all methods of
> starting X not use the tcp port. On the other hand, you'll have to
> remember to maintain it when you upgrade.

A very nice recommendation.

X is linked to Xwrapper-4:

  lrwxr-xr-x  1 root  wheel  -  10 Oct 22 18:18 X@ -> Xwrapper-4

Please publish your shell script.

> Also, it's probably a good idea to firewall off that port as well - defense
> in depth and all that.

Yes, I'll do so.

Thanks
Wolfgang

From owner-freebsd-security@FreeBSD.ORG Tue Oct 28 08:50:21 2003
From: Wolfgang Kess
To: twig les
cc: freebsd-security@freebsd.org
Date: Tue, 28 Oct 2003 17:50:20 +0100
Message-ID: <20031028165020.GB9780@stinky.trash.net>
In-Reply-To: <20031027221320.6829.qmail@web10105.mail.yahoo.com>
Subject: Re: How to disable XFree86 and wdm listening ports

On Mon, Oct 27, 2003 at 02:13:20PM -0800, twig les wrote:
> easiest is to become the superuser and edit
> /usr/X11R6/bin/startx. Find the serverargs line and change it so
> that it looks like this:
>
> serverargs="-nolisten tcp"

Yes, I tried. This works for XFree86 invoked by a user's startx but not for a wdm-started XFree86.

> I never run wdm so don't know there.

wdm is started on ttyv8 in /etc/ttys:

  ttyv8 "/usr/X11R6/bin/wdm -nodaemon" xterm on secure

Adding a -nolisten there does not work.

Wolfgang

From owner-freebsd-security@FreeBSD.ORG Tue Oct 28 08:59:29 2003
From: Jason Stone
To: Wolfgang Kess
cc: "freebsd-security@freebsd.org"
Date: Tue, 28 Oct 2003 08:59:28 -0800 (PST)
Message-ID: <20031028084942.C38023@walter>
In-Reply-To: <20031028164402.GA9780@stinky.trash.net>
Subject: Re: How to disable XFree86 and wdm listening ports

> > If you think that you might someday invoke X with a different display
> > manager, you might consider replacing /usr/X11R6/bin/X with a shell script
> > that calls "X.real -nolisten tcp" - this would make all methods of
> > starting X not use the tcp port. On the other hand, you'll have to
> > remember to maintain it when you upgrade.
>
> A very nice recommendation.
>
> X is linked to Xwrapper-4
> lrwxr-xr-x 1 root wheel - 10 Oct 22 18:18 X@ -> Xwrapper-4
>
> Please publish your shell script.

Um, I'm not using such a thing, but I imagine it would be something like the following. Call it something like /usr/X11R6/bin/X-no-tcp and symlink /usr/X11R6/bin/X to it.

  #!/bin/sh
  # Force -nolisten tcp on every X server start, whichever program
  # (startx, xdm, wdm, gdm) invokes /usr/X11R6/bin/X.
  if [ -x /usr/X11R6/bin/Xwrapper-4 ]
  then
      # Prefer the setuid wrapper when it is installed.
      exec /usr/X11R6/bin/Xwrapper-4 -nolisten tcp "$@"
  elif [ -x /usr/X11R6/bin/XFree86 ]
  then
      exec /usr/X11R6/bin/XFree86 -nolisten tcp "$@"
  else
      echo "Couldn't find Xwrapper-4 or XFree86 - sorry" >&2
      exit 1
  fi

 -Jason

--------------------------------------------------------------------------
Freud himself was a bit of a cold fish, and one cannot avoid the suspicion that he was insufficiently fondled when he was an infant.
 -- Ashley Montagu

From owner-freebsd-security@FreeBSD.ORG Tue Oct 28 09:09:37 2003
From: Nigel Houghton
To: Wolfgang Kess
cc: "freebsd-security@freebsd.org"
Date: Tue, 28 Oct 2003 12:08:02 -0500 (EST)
In-Reply-To: <20031028165020.GB9780@stinky.trash.net>
Subject: Re: How to disable XFree86 and wdm listening ports

Around 5:50pm Wolfgang Kess said:
WK :wdm is started on ttyv8
WK :
WK :/etc/ttys
WK :
WK :ttyv8 "/usr/X11R6/bin/wdm -nodaemon" xterm on secure
WK :
WK :adding an -nolisten does not work

This is not where you need to add the -nolisten option, as you have found out :) Take a look at my previous reply to your original question.

-------------------------------------------------------------
Nigel Houghton   Security Research Engineer   Sourcefire Inc.
                 Vulnerability Research Team

"Mankind hasn't even got the technology to create a toupee that doesn't get big laughs."
  -- Lister

From owner-freebsd-security@FreeBSD.ORG Tue Oct 28 10:05:49 2003
From: Wolfgang Kess
To: Nigel Houghton
cc: "freebsd-security@freebsd.org"
Date: Tue, 28 Oct 2003 19:05:47 +0100
Message-ID: <20031028180547.GA15472@stinky.trash.net>
Subject: Re: How to disable XFree86 and wdm listening ports

On Tue, Oct 28, 2003 at 12:08:02PM -0500, Nigel Houghton wrote:
> WK :
> WK :ttyv8 "/usr/X11R6/bin/wdm -nodaemon" xterm on secure
> WK :
> WK :adding an -nolisten does not work
>
> This is not where you need to add the -nolisten option as you have found
> out :)

Now I closed the wdm listening ports by this:

  ttyv8 "/usr/X11R6/bin/wdm -nodaemon -udpPort 0 -tcpPort 0" xterm on secure

All other attempts with wdm config files in /usr/X11R6/lib/X11/wdm did not work.

Wolfgang
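The thread settles on "-nolisten tcp" for the X server and "-udpPort 0 -tcpPort 0" for wdm, and twig les's quote suggests verifying with sockstat -4. The check below is an added example, not code from the thread: it reads sockstat -4 output on stdin and flags tcp 6000-6063 (X displays), udp 177 (XDMCP) and any IPv4 socket held by a display manager, which is where wdm's tcp 1024 appeared; the column layout is FreeBSD's USER/COMMAND/PID/FD/PROTO/LOCAL/FOREIGN and the sample output is constructed.

```shell
#!/bin/sh
# Added check, not code from the thread: flag the X/wdm/XDMCP listeners
# the thread is about in "sockstat -4" output read on stdin.
# Assumes FreeBSD sockstat columns: USER COMMAND PID FD PROTO LOCAL FOREIGN.
# Prints one line per finding; exit status 1 if anything was flagged, else 0.
x_listeners() {
    awk '
        NR == 1 && $1 == "USER" { next }     # sockstat column header
        $5 !~ /^(tcp|udp)4$/ { next }       # unix-domain sockets etc.
        {
            n = split($6, a, ":"); port = a[n] + 0
            why = ""
            if ($5 == "tcp4" && port >= 6000 && port <= 6063)
                why = "X display " (port - 6000)      # -nolisten tcp missing
            else if ($5 == "udp4" && port == 177)
                why = "XDMCP"                         # chooser/broadcast port
            else if ($2 ~ /^(wdm|xdm|gdm|kdm)$/)
                why = "display manager socket"        # e.g. wdm on tcp 1024
            if (why != "") {
                printf "%s %s %s (%s)\n", $5, $6, $2, why
                found = 1
            }
        }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sockstat output for a host before the fixes in the thread.
SOCKSTAT_BEFORE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     XFree86    512   1  tcp4   *:6000                *:*
root     wdm        480   3  tcp4   *:1024                *:*
root     wdm        480   4  udp4   *:177                 *:*
root     sshd       330   4  tcp4   *:22                  *:*'

# The same host after "-nolisten tcp" and "-udpPort 0 -tcpPort 0".
SOCKSTAT_AFTER='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       330   4  tcp4   *:22                  *:*'

# Stand-alone demo over the constructed samples.  On a live host run:
#   sockstat -4 | x_listeners
printf '%s\n' "$SOCKSTAT_BEFORE" | x_listeners || echo "before: X/wdm ports still open"
printf '%s\n' "$SOCKSTAT_AFTER"  | x_listeners && echo "after: no X/wdm listeners"
```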
Wolfgang From owner-freebsd-security@FreeBSD.ORG Tue Oct 28 10:08:38 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7169016A4CE for ; Tue, 28 Oct 2003 10:08:38 -0800 (PST) Received: from stinky.trash.net (stinky.trash.net [195.134.144.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id BD47043FE9 for ; Tue, 28 Oct 2003 10:08:37 -0800 (PST) (envelope-from bsdlist@kess.ch) Received: by stinky.trash.net (Postfix, from userid 1918) id 899FE94BFB; Tue, 28 Oct 2003 19:08:37 +0100 (MET) Date: Tue, 28 Oct 2003 19:08:37 +0100 From: Wolfgang Kess To: Jason Stone Message-ID: <20031028180837.GB15472@stinky.trash.net> References: <20031027211512.GA14467@stinky.trash.net> <20031027175709.C38023@walter> <20031028164402.GA9780@stinky.trash.net> <20031028084942.C38023@walter> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20031028084942.C38023@walter> User-Agent: Mutt/1.4i Priority: normal cc: "freebsd-security@freebsd.org" Subject: Re: How to disable XFree86 and wdm listening ports X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Oct 2003 18:08:38 -0000 On Tue, Oct 28, 2003 at 08:59:28AM -0800, Jason Stone wrote: > > > > X is linked to Xwrapper-4 > > lrwxr-xr-x 1 root wheel - 10 Oct 22 18:18 X@ -> Xwrapper-4 > > > > Please publish your shell script. > > Um, I'm not using such a thing, but I imagine it would be something like > the following. Call it something like /usr/X11R6/bin/X-no-tcp and symlink > /usr/X11R6/bin/X to it. Thank you very much. This works excellent. 
Wolfgang

From owner-freebsd-security@FreeBSD.ORG Tue Oct 28 10:16:16 2003
Date: Tue, 28 Oct 2003 19:16:14 +0100
From: Wolfgang Kess
To: freebsd-security@freebsd.org
Message-ID: <20031028181614.GC15472@stinky.trash.net>
References: <20031027211512.GA14467@stinky.trash.net>
In-Reply-To: <20031027211512.GA14467@stinky.trash.net>
Subject: Re: How to disable XFree86 and wdm listening ports

Many thanks for your answer. The ports are now closed.
Wolfgang

From owner-freebsd-security@FreeBSD.ORG Wed Oct 29 19:01:49 2003
Date: Thu, 30 Oct 2003 13:01:37 +1000 (EST)
From: Andy Farkas
To: Jarkko Santala
cc: security@freebsd.org
cc: Kris Kennaway
Message-ID: <20031030125537.F61846@hewey.af.speednet.com.au>
References: <200310270731.AAA23485@lariat.org> <20031027080240.GA9552@rot13.obsecurity.org> <20031027120642.A96390@trillian.santala.org>
In-Reply-To: <20031027120642.A96390@trillian.santala.org>
Subject: Re: Best way to filter "Nachi pings"?

On Mon, 27 Oct 2003, Jarkko Santala wrote:
> On Mon, 27 Oct 2003, Kris Kennaway wrote:
> > On Mon, Oct 27, 2003 at 11:06:52AM +0200, Jarkko Santala wrote:
> > >
> > > Definitely this block-all approach is not sane, it's like if someone
> > > complains about NFS being broken you'd say disable it. Filtering packets
> > > by length on the other hand is a very nice feature to have.
> >
> > As it happens, ipfw[2] does this anyway.
>
> IMHO this is the correct answer that might have been given right away.

So, using IPFW2, a rule to block the Nachi ping would look like:

  add deny icmp from any to any in icmptypes 8 iplen 92

correct?

-- 
:{ andyf@speednet.com.au
Andy Farkas
System Administrator
Speednet Communications
http://www.speednet.com.au/

From owner-freebsd-security@FreeBSD.ORG Mon Oct 27 06:08:39 2003
Date: Mon, 27 Oct 2003 06:08:38 -0800
From: Pete Ehlke
To: security@freebsd.org
Message-ID: <20031027140838.GA23841@ehlke.net>
References: <6.0.0.22.2.20031023162326.04c1e008@localhost> <6.0.0.22.2.20031023183427.04e18d10@localhost> <20031023204646.A61063@cs.utah.edu>
In-Reply-To: <20031023204646.A61063@cs.utah.edu>
X-Mailman-Approved-At: Thu, 30 Oct 2003 05:59:06 -0800
Subject: Re: /var partition overflow (due to spyware?)
in FreeBSD default install

On Thu, Oct 23, 2003 at 08:46:46PM -0600, David G. Andersen wrote:
> Garance A Drosihn just mooed:
> > newsyslog for the past year. I am pretty familiar with it.
> >
> > What I meant was that in circumstances where "once per hour"
> > is not fast enough, then I do not believe the right solution
> > is to rotate files every five minutes. Just MO.
>
> the problem is very obviously an excess of messages from bind.
> This bug report should go to the ISC folks. No daemon should
> be spewing out log messages at the _incredible_ rate that
> bind does when it decides it doesn't like what it's getting
> in this context. The same bug can be triggered by using a
> forwarding nameserver that bind doesn't like.

It logs messages at the rate that it sees errors.

> The immediate question to ask is, "is this fixed in bind9?"

Well, no. The immediate question to ask is "why are you sending bind messages to syslogd in the first place?" See http://www.isc.org/products/BIND/docs/config/logging.html for how to configure bind to do sane logging, including size-based autorotation of log files.
-Pete

From owner-freebsd-security@FreeBSD.ORG Thu Oct 30 08:45:12 2003
Date: Thu, 30 Oct 2003 08:45:03 -0800
From: Michael Carlson
To: freebsd-security@freebsd.org
Message-Id: <5.1.1.6.0.20031030084448.03831060@popcorn.llnl.gov>
Subject:

I have asked this before in -questions but due to an odd security requirement, I need the option to auto-lock a normal user's account (root and those in the wheel group must be excluded) after, let's say, 3 login failures. I know this can cause a DoS issue but I HAVE to have the option of doing it in FreeBSD.

Any info is appreciated
Thanks.

Mike C
carlson39@llnl.gov

Michael Carlson
System Management and Related Technologies
(925) 422-2958
Cell: 925-784-5987

From owner-freebsd-security@FreeBSD.ORG Thu Oct 30 10:35:54 2003
Date: Thu, 30 Oct 2003 13:35:46 -0500
From: Brian Reichert
To: Michael Carlson
cc: freebsd-security@freebsd.org
Message-ID: <20031030183546.GE91120@numachi.com>
References: <5.1.1.6.0.20031030084448.03831060@popcorn.llnl.gov>
In-Reply-To: <5.1.1.6.0.20031030084448.03831060@popcorn.llnl.gov>
Subject: Re: your mail

On Thu, Oct 30, 2003 at 08:45:03AM -0800, Michael Carlson wrote:
>
> I have asked this before in -questions but due to an odd security
> requirement, I need the option to auto-lock a normal user's account
> (root and those in the wheel group must be excluded) after, let's say, 3
> login failures. I know this can cause a DoS issue but I HAVE to have
> the option of doing it in FreeBSD.
I don't have much experience with pam(8), but there is some mention of 'sessions' in the manpage:

     session  - this group of tasks cover things that should be done prior
                to a service being given and after it is withdrawn. Such
                tasks include the maintenance of audit trails and the
                mounting of the user's home directory. The session
                management group is important as it provides both an
                opening and closing hook for modules to affect the services
                available to a user.

Perhaps that's a place to introduce a hook for what you need...

> Any info is appreciated
> Thanks.
> Mike C
> carlson39@llnl.gov

-- 
Brian 'you Bastard' Reichert
37 Crystal Ave. #303
Derry NH 03038-1713 USA
Daytime number: (603) 434-6842
BSD admin/developer at large

From owner-freebsd-security@FreeBSD.ORG Thu Oct 30 13:05:14 2003
Date: Thu, 30 Oct 2003 15:05:09 -0600
From: Mark Johnston
To: security@freebsd.org
cc: net@freebsd.org
Message-ID: <20031030210509.GA667@omoikane.mb.skyweb.ca>
Subject: Using racoon-negotiated IPSec with ipfw and natd

[ -netters, please Cc me or security@ with replies. ]

I'm running into trouble integrating dynamic racoon-based IPSec into a network with ipfw and natd. I need to be able to allow VPN access from any address from authenticated clients. I've got the dynamic VPN working, with racoon negotiating SAs and installing SPs, but the problem is that I can't tell whether an incoming packet on the internal interface should go through natd or not.

The problem looks like this. I have 3 boxes, mobile, gateway, and internal, and I'm trying to ping internal from mobile.

- gateway receives an ESP packet from mobile (encapsulating a ping).
- gateway decrypts and transmits an ICMP packet to internal with mobile's source address.
- internal generates the ICMP response to mobile.
- gateway receives the response, runs it through natd, and sends it out in the clear to mobile with gateway's source address.

The packet is going out in the clear because after natd rewrites it, its source address is gateway's external interface - not part of the SP.

What I want to accomplish, in pseudo-ipfw, is this:

  pass esp from any to me
  pass ip from known-sp-sources to 192.168.0.0/24
  pass ip from 192.168.0.0/24 to known-sp-destinations
  divert natd from 192.168.0.0/24 to any
  deny ip from any to 192.168.0.0/24
  pass ip from me to any keep-state

All I'm missing is the known-sp definitions. If anyone has any pointers on doing this, please share. If I'm going about it totally bass-ackwards, I'd like to hear that too.
:)

Thanks,
Mark

From owner-freebsd-security@FreeBSD.ORG Thu Oct 30 14:43:27 2003
Date: Thu, 30 Oct 2003 14:43:42 -0800
From: "Crist J. Clark"
To: security@freebsd.org, net@freebsd.org
Message-ID: <20031030224342.GA32640@blossom.cjclark.org>
References: <20031030210509.GA667@omoikane.mb.skyweb.ca>
In-Reply-To: <20031030210509.GA667@omoikane.mb.skyweb.ca>
X-URL: http://people.freebsd.org/~cjc/
Subject: Re: Using racoon-negotiated IPSec with ipfw and natd

On Thu, Oct 30, 2003 at 03:05:09PM -0600, Mark Johnston wrote:
> [ -netters, please Cc me or security@ with replies. ]
>
> I'm running into trouble integrating dynamic racoon-based IPSec into a network
> with ipfw and natd. I need to be able to allow VPN access from any address
> from authenticated clients. I've got the dynamic VPN working, with racoon
> negotiating SAs and installing SPs, but the problem is that I can't tell
> whether an incoming packet on the internal interface should go through natd or
> not.
>
> The problem looks like this. I have 3 boxes, mobile, gateway, and internal,
> and I'm trying to ping internal from mobile.
>
> - gateway receives an ESP packet from mobile (encapsulating a ping).
> - gateway decrypts and transmits an ICMP packet to internal with mobile's
>   source address.
> - internal generates the ICMP response to mobile.
> - gateway receives the response, runs it through natd, and sends it out in the
>   clear to mobile with gateway's source address.
>
> The packet is going out in the clear because after natd rewrites it, its source
> address is gateway's external interface - not part of the SP.

This shouldn't happen. IPsec processing of the outgoing packet happens _before_ it gets passed to ipfw(8) (which hands it to natd(8)) on the external interface.

> What I want to
> accomplish, in pseudo-ipfw, is this:
>
> pass esp from any to me
> pass ip from known-sp-sources to 192.168.0.0/24
> pass ip from 192.168.0.0/24 to known-sp-destinations
> divert natd from 192.168.0.0/24 to any

This may be your problem. That rule should be something like,

  divert natd from 192.168.0.0/24 to any via ${external_if}

Is that what you actually have? Are you doing NAT on the internal interface? That would confuse things.
> deny ip from any to 192.168.0.0/24
> pass ip from me to any keep-state
>
> All I'm missing is the known-sp definitions. If anyone has any pointers on
> doing this, please share. If I'm going about it totally bass-ackwards, I'd
> like to hear that too. :)
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From owner-freebsd-security@FreeBSD.ORG Fri Oct 31 03:40:48 2003
Date: Fri, 31 Oct 2003 08:38:25 -0300
From: Fernando Schapachnik
To: Brian Reichert
cc: freebsd-security@freebsd.org
cc: Michael Carlson
Message-ID: <20031031113825.GC10247@bal740r0.mecon.gov.ar>
References: <5.1.1.6.0.20031030084448.03831060@popcorn.llnl.gov> <20031030183546.GE91120@numachi.com>
In-Reply-To: <20031030183546.GE91120@numachi.com>
Subject: Re: your mail

In an earlier message, Brian Reichert wrote:
> On Thu, Oct 30, 2003 at 08:45:03AM -0800, Michael Carlson wrote:
> I don't have much experience with pam(8), but there is some mention of
> 'sessions' in the manpage:
[...]
> Perhaps that's a place to introduce a hook for what you need...

Or, in a more hackish way, you can have a daemon that monitors "login failure" in the logs and acts on them.

Good luck.

From owner-freebsd-security@FreeBSD.ORG Fri Oct 31 07:45:27 2003
Date: Fri, 31 Oct 2003 09:45:25 -0600
From: Mark Johnston
To: "Crist J. Clark"
cc: net@freebsd.org
cc: security@freebsd.org
Message-ID: <20031031154525.GA985@omoikane.mb.skyweb.ca>
References: <20031030210509.GA667@omoikane.mb.skyweb.ca> <20031030224342.GA32640@blossom.cjclark.org>
In-Reply-To: <20031030224342.GA32640@blossom.cjclark.org>
Subject: (long) Re: Using racoon-negotiated IPSec with ipfw and natd

"Crist J. Clark" wrote:
> On Thu, Oct 30, 2003 at 03:05:09PM -0600, Mark Johnston wrote:
> > - gateway receives an ESP packet from mobile (encapsulating a ping).
> > - gateway decrypts and transmits an ICMP packet to internal with mobile's
> >   source address.
> > - internal generates the ICMP response to mobile.
> > - gateway receives the response, runs it through natd, and sends it out in the
> >   clear to mobile with gateway's source address.
>
> This shouldn't happen. IPsec processing of the outgoing packet happens
> _before_ it gets passed to ipfw(8) (which hands it to natd(8)) on the
> external interface.

That's odd. To simplify the situation a bit, I'm testing with a static SP/SA set. The SPs in place are:

172.21.0.0/16[any] 192.168.15.0/24[any] any
        in ipsec
        esp/tunnel/remoteext-localext/require
        spid=122 seq=1 pid=12464
        refcnt=1
192.168.15.0/24[any] 172.21.0.0/16[any] any
        out ipsec
        esp/tunnel/localext-remoteext/require
        spid=121 seq=0 pid=12464
        refcnt=1

(The external IPs are missing but the rest is unchanged.)

I can break and fix the connection by adding and removing firewall rules allowing the traffic before the natd divert.
> > What I want to
> > accomplish, in pseudo-ipfw, is this:
> >
> > pass esp from any to me
> > pass ip from known-sp-sources to 192.168.0.0/24
> > pass ip from 192.168.0.0/24 to known-sp-destinations
> > divert natd from 192.168.0.0/24 to any
>
> This may be your problem. That rule should be something like,
>
> divert natd from 192.168.0.0/24 to any via ${external_if}
>
> Is that what you actually have? Are you doing NAT on the internal
> interface? That would confuse things.

I'm not sure what you mean by "doing NAT". The natd interface (-n) is the external one, but I'm diverting to natd using a recv rule on the internal interface.

The natd setup is a bit hairy, because the box has a DMZ interface (dc0) along with external (fxp0) and internal (txp0) NICs, which is bridged (dc0-fxp0) instead of routed to match a legacy config. Here's my current ipfw setup:

00100 allow esp from any to me
00200 allow ah from any to me
00205 allow udp from any to me dst-port 500
00210 allow ip from 192.168.15.0/24 to 172.21.0.0/16
00220 allow ip from 172.21.0.0/16 to 192.168.15.0/24
[ more bidirectional allow rules ]
00300 deny ip from any to 192.168.15.0/24 in recv fxp0
00400 deny ip from any to 192.168.15.0/24 in recv dc0
00500 divert 8669 ip from 192.168.15.0/24 to not me recv txp0
00600 divert 8668 ip from any to me in recv fxp0
00700 divert 8668 ip from any to me in recv dc0
00800 allow ip from 192.168.15.0/24 to any recv txp0
00900 allow ip from any to 192.168.15.0/24
01000 check-state
[ some allows and denies for fxp0<->dc0 ]
01800 allow ip from 192.168.15.0/24 to me
01900 allow ip from me to any keep-state
65535 deny ip from any to any

Because of the DMZ, I had to tweak the natd setup to use -i 8668 -o 8669 - if I diverted everything to 8668 and didn't use -i and -o, it was interpreting dc0 as "inside", and I couldn't communicate with the DMZ from the LAN.

With these rules in place, everything works fine, and I can ping across the IPsec link.
If I delete 210 and 220, I start to see the pings on fxp0 destined to the 172.21.x.x address from my external IP.

Also, sysctl.conf has some variables related to the config:

net.inet.ip.fw.one_pass=0
net.link.ether.bridge_cfg=fxp0,dc0
net.link.ether.bridge=1
net.link.ether.bridge_ipfw=1
net.key.prefered_oldsa=0

Thanks for your help with this. I guess that the trouble is that I don't totally grok the ipfw/natd/ipsec tie-ins.

Mark
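Two of the threads above turn on the same ipfw behaviour: Andy Farkas's proposed "iplen 92" rule for the Nachi echo requests, and Mark's observation that deleting rules 210 and 220 makes the LAN's reply to the mobile client fall through to the natd divert. Both are first-match questions: whichever rule matches first decides the packet's fate. The following is an added illustration, not code from the thread or from FreeBSD: a small Python evaluator for the subset of ipfw(8) syntax the two messages use (proto, from/to with any, me, not and CIDR prefixes, in, recv, icmptypes, iplen), run over constructed packets. The gateway addresses 198.51.100.1 and 192.168.15.1, the outside host 203.0.113.7 and the mobile client 172.21.4.4 are assumed sample values; the rule numbers and interface names are the ones from Mark's listing.

```python
"""Toy first-match evaluator for the ipfw(8) keywords used in the thread.
Added illustration, not FreeBSD code; addresses below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                       # "icmp", "udp", "esp", ...
    src: str
    dst: str
    direction: str = "in"            # "in" or "out" relative to the gateway
    recv: Optional[str] = None       # interface the packet was received on
    iplen: Optional[int] = None      # total IP length in bytes
    icmptype: Optional[int] = None   # ICMP type; 8 is echo request, 0 echo reply


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "allow", "deny" or "divert"
    proto: str = "ip"                # "ip" matches every protocol
    src: str = "any"
    dst: str = "any"
    direction: Optional[str] = None  # "in", "out", or None for both
    recv: Optional[str] = None
    iplen: Optional[int] = None
    icmptypes: Tuple[int, ...] = ()


def _addr_match(spec: str, addr: str, me: frozenset) -> bool:
    """Match an ipfw address spec: 'any', 'me', 'not <spec>' or a CIDR prefix."""
    negate = spec.startswith("not ")
    spec = spec[4:] if negate else spec
    if spec == "any":
        hit = True
    elif spec == "me":
        hit = addr in me
    else:
        hit = ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def matches(rule: Rule, pkt: Packet, me: frozenset) -> bool:
    """True when every option present on the rule is satisfied by the packet."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not _addr_match(rule.src, pkt.src, me) or not _addr_match(rule.dst, pkt.dst, me):
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.recv is not None and rule.recv != pkt.recv:
        return False
    if rule.iplen is not None and rule.iplen != pkt.iplen:
        return False
    if rule.icmptypes and pkt.icmptype not in rule.icmptypes:
        return False
    return True


def first_match(rules: List[Rule], pkt: Packet, me: frozenset) -> Tuple[int, str]:
    """Walk rules in number order; return (number, action) of the first hit.
    The implicit rule 65535 denies everything else. A divert is reported as
    the outcome here: with one_pass=0 ipfw re-injects the packet at the next
    rule, but natd has already rewritten its source address by then."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt, me):
            return rule.number, rule.action
    return 65535, "deny"


def without(rules: List[Rule], *numbers: int) -> List[Rule]:
    """Copy of a ruleset with the given rule numbers deleted."""
    return [r for r in rules if r.number not in numbers]


# Constructed gateway addresses ('me'): external and internal interface IPs.
ME = frozenset({"198.51.100.1", "192.168.15.1"})

# 1) Andy's Nachi filter: drop inbound 92-byte echo requests, pass other ICMP.
NACHI_RULES = [
    Rule(100, "deny", "icmp", direction="in", icmptypes=(8,), iplen=92),
    Rule(200, "allow", "icmp"),
]
NACHI_PING = Packet("icmp", "203.0.113.7", "198.51.100.1", recv="fxp0", iplen=92, icmptype=8)
NORMAL_PING = Packet("icmp", "203.0.113.7", "198.51.100.1", recv="fxp0", iplen=84, icmptype=8)

# 2) The relevant part of Mark's ruleset: the reply bound for the IPsec
#    tunnel must hit an allow before rule 500 hands it to natd.
GATEWAY_RULES = [
    Rule(100, "allow", "esp", dst="me"),
    Rule(210, "allow", src="192.168.15.0/24", dst="172.21.0.0/16"),
    Rule(220, "allow", src="172.21.0.0/16", dst="192.168.15.0/24"),
    Rule(300, "deny", dst="192.168.15.0/24", direction="in", recv="fxp0"),
    Rule(500, "divert", src="192.168.15.0/24", dst="not me", recv="txp0"),
    Rule(800, "allow", src="192.168.15.0/24", recv="txp0"),
    Rule(900, "allow", dst="192.168.15.0/24"),
]
ESP_IN = Packet("esp", "203.0.113.7", "198.51.100.1", recv="fxp0")
# Echo reply from 'internal' to 'mobile', seen on the inside NIC.
VPN_REPLY = Packet("icmp", "192.168.15.10", "172.21.4.4", recv="txp0", iplen=84, icmptype=0)

if __name__ == "__main__":
    print("Nachi ping          ->", first_match(NACHI_RULES, NACHI_PING, ME))
    print("normal ping         ->", first_match(NACHI_RULES, NORMAL_PING, ME))
    print("reply, 210 present  ->", first_match(GATEWAY_RULES, VPN_REPLY, ME))
    print("reply, 210/220 gone ->", first_match(without(GATEWAY_RULES, 210, 220), VPN_REPLY, ME))
```

Running it shows the 92-byte echo request stopping at the deny while an 84-byte ping passes, and the LAN-to-mobile reply accepted by rule 210 when that rule is present but handed to natd by rule 500 once 210 and 220 are deleted, which is the path that produces the cleartext pings Mark sees leaving fxp0 from his external address.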