From owner-freebsd-security@FreeBSD.ORG Sun Jan 4 23:27:57 2004
Date: Mon, 5 Jan 2004 09:28:33 +0200
From: Peter Pentchev
To: Jaroslaw Nozderko
Cc: freebsd-security@freebsd.org
Message-ID: <20040105072833.GA691@straylight.m.ringlet.net>
In-Reply-To: <200401030050.24139.jarek@eko.net.pl>
Subject: Re: Questions about MAC

On Sat, Jan 03, 2004 at 12:50:24AM +0100, Jaroslaw Nozderko wrote:
> FreeBSD 5.1-RELEASE
>
> Hi,
>
> I'm examining the Biba and MLS MAC policies and something is
> not clear to me. Unless I'm doing something wrong,
> it seems policies are enforced only for reading, but
> not writing.
>
> 1) Biba
>
> I've created a test file with the biba/127 label:
>
> $ echo "Message" > file_biba_127.txt
>
> $ setfmac biba/127 file_biba_127.txt
[snip]
> - Writing:
>
> $ setpmac biba/high echo "High" >> file_biba_127.txt
>
> $ setpmac biba/128 echo "128" >> file_biba_127.txt
>
> $ setpmac biba/127 echo "127" >> file_biba_127.txt
>
> -- Should the following 2 commands succeed ?
> $ setpmac biba/126 echo "126" >> file_biba_127.txt
> $ setpmac biba/low echo "low" >> file_biba_127.txt

What happens if you try:

setpmac biba/126 sh -c 'echo "126" >> file_biba_127.txt'
setpmac biba/low sh -c 'echo "126" >> file_biba_127.txt'

Using your commands, the policy set by setpmac(8) only applies to the
echo command itself, not to the attempt to write to the file.
The file appending is handled by your shell - all redirections are
handled by the shell - and the shell is *not* subject to policy
restrictions set by its own child processes.

This is the same "issue" that you can see by trying the following:

[roam@straylight ~]> whoami
roam
[roam@straylight ~]> who am i
roam             ttyp3    5 яну 08:42 (10.0.12.18:S.3)
[roam@straylight ~]> id
uid=1000(roam) gid=0(wheel) groups=0(wheel), 5(operator)
[roam@straylight ~]> sudo touch foo
otp-md5 452 st7459 ext
Password:
[roam@straylight ~]> sudo chmod 600 foo
[roam@straylight ~]> cat foo
cat: foo: Permission denied
[roam@straylight ~]> sudo echo blah >> foo
foo: Permission denied.
[roam@straylight ~]> sudo sh -c 'echo blah >> foo'
[roam@straylight ~]> cat foo
cat: foo: Permission denied
[roam@straylight ~]> sudo cat foo
blah
[roam@straylight ~]>

The 'sudo echo blah >> foo' command does not succeed, since the
redirection is attempted by my own shell still running as my own
account, 'roam', which does not have write access to the new file;
only the 'echo blah' command is executed with root privileges. The
next attempt, executing a shell to perform the redirection, succeeds.

G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net	roam@sbnd.net	roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
I've heard that this sentence is a rumor.
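The mechanism Peter describes, as an added example that is not part of his message or of any FreeBSD tool: a POSIX shell script that reproduces it without root, sudo or a MAC-enabled kernel. umask is a per-process attribute inherited across fork and exec, exactly like credentials and MAC labels, so a hypothetical `restricted` wrapper that tightens the umask stands in for sudo/setpmac, and the mode of the file each form creates shows which process performed the open(). The function names (`restricted`, `mode_of`, `demo_wrong`, `demo_right`) are this example's own.

```shell
#!/bin/sh
# Added example, not from the list posting. umask plays the role of the
# credential or MAC label that sudo/setpmac would change, so the effect
# can be observed without privileges.
set -u
umask 022   # the calling shell: files it creates get mode 644

# Hypothetical stand-in for sudo/setpmac: run a command under a different
# per-process attribute (umask 077, where sudo would change the uid and
# setpmac the label).
restricted() {
    ( umask 077; "$@" )
}

# Mode string of a file, e.g. "-rw-r--r--"; the first ten columns of
# ls -l are the same on every ls flavour.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Wrong form (Peter's 'sudo echo blah >> foo'): the calling shell parses
# and opens the redirection target before the wrapper runs, so the file
# is created with the caller's attribute (umask 022 -> -rw-r--r--).
demo_wrong() {
    d=$(mktemp -d -t redir.XXXXXX)
    restricted echo "blah" >> "$d/foo"
    mode_of "$d/foo"
    rm -rf "$d"
}

# Right form (Peter's 'sudo sh -c ...'): a shell started *inside* the
# wrapper performs the redirection, so the open() carries the wrapper's
# attribute (umask 077 -> -rw-------).  The file name is passed as a
# positional parameter rather than spliced into the -c string, so a name
# containing quotes or ';' cannot change the command being run.
demo_right() {
    d=$(mktemp -d -t redir.XXXXXX)
    restricted sh -c 'echo "blah" >> "$1"' append "$d/foo"
    mode_of "$d/foo"
    rm -rf "$d"
}

echo "opened by the calling shell:      $(demo_wrong)"   # -rw-r--r--
echo "opened by a shell in the wrapper: $(demo_right)"   # -rw-------
```

The same reasoning applies to `setpmac label cmd >> file` and `sudo cmd >> file`: the kernel checks the redirection's open() against the caller, not the wrapped process, so a label or credential that is supposed to govern the write never reaches it. Moving the whole pipeline into `sh -c` is the fix; when the file name or text comes from elsewhere, pass it as a positional parameter as above instead of interpolating it into the command string.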
From owner-freebsd-security@FreeBSD.ORG Tue Jan 6 13:04:35 2004
Message-ID: <20040106210430.28516.qmail@web60806.mail.yahoo.com>
Date: Tue, 6 Jan 2004 13:04:30 -0800 (PST)
From: Richard Bejtlich
To: freebsd-security@freebsd.org
Subject: Logging user activities

Hello,

What do you recommend for keeping track of user activities? For
preserving bash histories I followed these recommendations:

http://www.defcon1.org/secure-command.html

They include using 'chflags sappnd .bash_history', enabling process
accounting, and the like.

My goal is to "watch the watchers," i.e. watch for abuse of power by
SOC people with the ability to view traffic captured by sniffers.

I plan to use sudo to limit and audit user activities too. I may also
try some of the patches to bash listed at project.honeynet.org which
send keystrokes to a remote server. Hardware keystroke logging is
always a possibility.

For more, should I turn to TrustedBSD integration in a future 5.x
release?

Thank you,

Richard Bejtlich
http://www.taosecurity.com
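The review half of the history-preserving approach Richard describes, as an added example that is not part of his message or of the defcon1 article: a POSIX shell function built on awk that reports the commands recorded in a bash history file during one day and marks the entries that switch history off, since those are the ones a reviewer wants to see first. It assumes bash was run with HISTTIMEFORMAT set, so each command in the file is preceded by a `#<epoch>` line; the sample history and the function names (`history_report`, `make_sample_history`) are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the list posting.  Reviews a bash history file
# written with HISTTIMEFORMAT set (each command preceded by a
# "#<epoch seconds>" line) and reports the commands in a time window.
set -u

# history_report FILE START_EPOCH END_EPOCH
# Prints "<epoch> <ok|FLAG> <command>" for every command whose timestamp
# falls within [START_EPOCH, END_EPOCH].  FLAG marks commands that stop
# or discard the history trail (turning history off, pointing HISTFILE
# elsewhere, or killing the shell so it never writes its history), which
# leave a gap rather than a record.  Commands with no timestamp line
# cannot be placed on a day and are skipped.
history_report() {
    awk -v start="$2" -v end="$3" '
        /^#[0-9]+$/ { stamp = substr($0, 2) + 0; next }   # timestamp line
        NF == 0     { next }                              # blank line
        {
            if (stamp > 0 && stamp >= start && stamp <= end) {
                flag = "ok"
                if ($0 ~ /unset[ \t]+HISTFILE|HISTFILE=|HISTSIZE=0|set[ \t]+[+]o[ \t]+history|kill[ \t]+-9[ \t]+[$][$]/)
                    flag = "FLAG"
                printf "%d %s %s\n", stamp, flag, $0
            }
            stamp = 0
        }' "$1"
}

# Constructed sample history: three commands on 2004-01-07 (UTC) and one
# on the following day.  1073433600 is 2004-01-07 00:00:00 UTC.
make_sample_history() {
    f=$(mktemp -t hist.XXXXXX)
    cat > "$f" <<'EOF'
#1073433600
tcpdump -n -r capture.pcap
#1073433660
less capture.pcap
#1073433720
unset HISTFILE
#1073520000
ls
EOF
    printf '%s\n' "$f"
}

# Epoch bounds of one UTC day, hard-coded so the script behaves the same
# everywhere.  For a real run derive them with date(1), e.g. on FreeBSD
# `date -u -j -f %Y-%m-%d 2004-01-07 +%s`, with GNU date
# `date -u -d 2004-01-07 +%s`.
DAY_START=1073433600
DAY_END=1073519999

sample=$(make_sample_history)
history_report "$sample" "$DAY_START" "$DAY_END"
rm -f "$sample"
```

Run across every home directory from cron, this gives a daily report of the kind Richard is after. It is only as good as the history file: bash writes history when the shell exits, and a user who starts another shell or bypasses the shell leaves nothing here, so the FLAG rows and any user with an empty report are the findings to cross-check against process accounting or tty logs rather than the end of the review.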
From owner-freebsd-security@FreeBSD.ORG Tue Jan 6 13:14:41 2004
Message-ID: <20040106211439.56099.qmail@web60402.mail.yahoo.com>
Date: Tue, 6 Jan 2004 13:14:39 -0800 (PST)
From: twig les
To: Richard Bejtlich, freebsd-security@freebsd.org
In-Reply-To: <20040106210430.28516.qmail@web60806.mail.yahoo.com>
Subject: Re: Logging user activities

--- Richard Bejtlich wrote:
>
> My goal is to "watch the watchers," i.e. watch for
> abuse of power by SOC people with the ability to view
> traffic captured by sniffers.
>

Have you considered snooping ttys (man watch, man snp)? It doesn't
seem to be scalable, but I've only tinkered.

=====
-----------------------------------------------------------
Only fools have all the answers.
-----------------------------------------------------------

From owner-freebsd-security@FreeBSD.ORG Tue Jan 6 15:37:36 2004
Date: Tue, 6 Jan 2004 23:37:25 +0000
From: Jez Hancock
To: Richard Bejtlich
Cc: freebsd-security@freebsd.org
Message-ID: <20040106233725.GA78250@users.munk.nu>
In-Reply-To: <20040106210430.28516.qmail@web60806.mail.yahoo.com>
Subject: Re: Logging user activities

On Tue, Jan 06, 2004 at 01:04:30PM -0800, Richard Bejtlich wrote:
> What do you recommend for keeping track of user
> activities? For preserving bash histories I followed
> these recommendations:
>
> http://www.defcon1.org/secure-command.html
This was a very interesting article, thanks for that. I made a note of
it on my blog where you can also find a perl script I wrote a while ago
to report on the history usage of all users logging in on a certain date
- I run it daily via cron to report on shell usage for the current day.

The article is here:

http://jez.hancock-family.com/archives/37_Securing_Users_Shell_Command_History.html

> My goal is to "watch the watchers," i.e. watch for
> abuse of power by SOC people with the ability to view
> traffic captured by sniffers.
>
> I plan to use sudo to limit and audit user activities
> too. I may also try some of the patches to bash
> listed at project.honeynet.org which send keystrokes
> to a remote server. Hardware keystroke logging is
> always a possibility.
As someone already mentioned, the snp driver is used by the watch(8)
utility to allow an admin to snoop on what users are doing on a tty.
This even allows you as an admin to actually interact with another
user's tty session (never fails to be amusing:P) and can be a very good
tool to help when demonstrating something for a user in their shell.

There's a good article on setting up watch(8) here:

http://www.freebsddiary.org/watch.php

There's also a port around that uses snp to log tty sessions.
IIRC the app is in /usr/ports/security/termlog - when I had a
brief look at it it didn't seem too practical for logging all users' tty
sessions, but it might give you some ideas.

Good luck.

-- 
Jez Hancock
 - System Administrator / PHP Developer

http://munk.nu/
http://jez.hancock-family.com/ - personal weblog
http://ipfwstats.sf.net/ - ipfw peruser traffic logging

From owner-freebsd-security@FreeBSD.ORG Tue Jan 6 16:18:49 2004
Message-ID: <10408.62.202.47.216.1073434726.squirrel@my.modwest.com>
Date: Wed, 7 Jan 2004 01:18:46 +0100 (CET)
From: "Yoan Talagrand" To: In-Reply-To: <20040106233725.GA78250@users.munk.nu> References: <20040106210430.28516.qmail@web60806.mail.yahoo.com> <20040106233725.GA78250@users.munk.nu> X-Priority: 3 Importance: Normal X-Mailer: SquirrelMail (version 1.2.10) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Virus-Scanned: by amavisd-new amavisd-new-20020630 cc: freebsd-security@freebsd.org cc: richard_bejtlich@yahoo.com Subject: Re: Logging user activities X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 07 Jan 2004 00:18:49 -0000 There is many tools/ways to log users activities, it depends on what you are trying to get and how you want it. A quick and easy way to do so is to basicly patch some shells... ie bash with a tool such bash-bofh (We do use it on major servers with approximativly 500 shell users, it's working fine for our use.) I've wrote a script once who, completed with such logging system, allowed you to restrict dynamicly users actions. It worked with blacklist commands, etc... You can do one easyly. Offcourse only one method isn't enough, you need to add many protections, begining with users/groups access. Yoan Talagrand -- virtualdesire dot org design hosting innovation > On Tue, Jan 06, 2004 at 01:04:30PM -0800, Richard Bejtlich wrote: >> What do you recommend for keeping track of user >> activities? For preserving bash histories I followed >> these recommendations: >> >> http://www.defcon1.org/secure-command.html > This was a very interesting article, thanks for that. I made a note of > it on my blog where you can also find a perl script I wrote a while ago > to report on the history usage of all users logging in on a certain date > - I run it daily via cron to report on shell usage for the current day. 
>
> The article is here:
>
> http://jez.hancock-family.com/archives/37_Securing_Users_Shell_Command_History.html
>
>> My goal is to "watch the watchers," i.e. watch for
>> abuse of power by SOC people with the ability to view
>> traffic captured by sniffers.
>>
>> I plan to use sudo to limit and audit user activities
>> too. I may also try some of the patches to bash
>> listed at project.honeynet.org which send keystrokes
>> to a remote server. Hardware keystroke logging is
>> always a possibility.
> As someone already mentioned, the snp driver is used by the watch(8)
> utility to allow an admin to snoop on what users are doing on a tty.
> This even allows you as an admin to actually interact with another
> user's tty session (never fails to be amusing:P) and can be a very good
> tool to help when demonstrating something for a user in their shell.
>
> There's a good article on setting up watch(8) here:
>
> http://www.freebsddiary.org/watch.php
>
> There's also a port around that uses snp to log tty sessions.
> IIRC the app is in /usr/ports/security/termlog - when I had a
> brief look at it it didn't seem too practical for logging all users' tty
> sessions, but it might give you some ideas.
>
> Good luck.
>
> -- 
> Jez Hancock
>  - System Administrator / PHP Developer
>
> http://munk.nu/
> http://jez.hancock-family.com/ - personal weblog
> http://ipfwstats.sf.net/ - ipfw peruser traffic logging

From owner-freebsd-security@FreeBSD.ORG Tue Jan 6 18:31:37 2004
Message-ID: <20040106175055.X3696@walter>
Date: Tue, 6 Jan 2004 18:31:31 -0800 (PST)
From: Jason Stone
To: freebsd-security@freebsd.org
Cc: Richard Bejtlich
In-Reply-To: <20040106210430.28516.qmail@web60806.mail.yahoo.com>
Subject: Re: Logging user activities

> What do you recommend for keeping track of user
> activities? For preserving bash histories I followed
> these recommendations:
>
> http://www.defcon1.org/secure-command.html
>
> They include using 'chflags sappnd .bash_history',

I think that this has come up on this list before - check the archives.

anyway, my feeling on this is that relying on shell history tricks is
entirely the wrong approach - anyone who's going to be abusing a system
is going to turn off shell history first thing. Any silly tricks you do
to try and prevent that can easily be worked around by using another
shell, or by running commands through a mechanism other than the shell
(:!command in vi, cat | xargs perl -ple 'system "$_"', etc).

sniffing tty's is a step up, though it's still possible to log in through
ssh/rsh and run commands without allocating a tty.

be cautious about sniffing tty's, though - if users log into other
systems from this system, or if they connect to services running locally
that require authentication, you'll be collecting a tidy pile of very
sensitive information all in one place, making for easy stealing.
consider using crypto, streaming to another, more hardened host,
securely destroying the logs on a regular basis, etc.
and of course you should consider the legal and ethical issues
implicated by keystroke logging....

finally, process accounting will universally collect info on every
process that gets run, but it looks like it doesn't log arguments and
that it caps command names to sixteen characters, which is kind of
limiting.

 -Jason

--------------------------------------------------------------------------
Freud himself was a bit of a cold fish, and one cannot avoid the suspicion
that he was insufficiently fondled when he was an infant.
	-- Ashley Montagu

From owner-freebsd-security@FreeBSD.ORG Wed Jan 7 02:55:16 2004
To: current@freebsd.org
From: des@des.no (Dag-Erling Smørgrav)
Date: Wed, 07 Jan 2004 11:55:06 +0100
Subject: HEADS UP: OpenSSH 3.7.1p2

OpenSSH 3.7.1p2 will hit -CURRENT some time within the next hour.
Please be careful when upgrading remote systems.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Wed Jan 7 12:37:10 2004
Date: Wed, 7 Jan 2004 15:34:56 -0500 (EST)
From: Robert Watson
To: Peter Pentchev
Cc: freebsd-security@freebsd.org, Jaroslaw Nozderko
In-Reply-To: <20040105072833.GA691@straylight.m.ringlet.net>
Subject: Re: Questions about MAC

On Mon, 5 Jan 2004, Peter Pentchev wrote:

> The 'sudo echo blah >> foo' command does not succeed, since the
> redirection is attempted by my own shell still running as my own
> account, 'roam', which does not have write access to the new file; only
> the 'echo blah' command is executed with root privileges. The next
> attempt, executing a shell to perform the redirection, succeeds.

FYI, sudo hasn't been modified to set MAC labels, so if you do use sudo,
use it carefully. It might make sense to stick sudo in the base tree
someday (Apple does this with Darwin), and if so, it would be ripe for
the picking when it comes to adding MAC support.

Your diagnosis of the redirect running with the wrong label sounds
correct to me, also FYI.
:-)

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Senior Research Scientist, McAfee Research

From owner-freebsd-security@FreeBSD.ORG Wed Jan 7 12:39:24 2004
Date: Wed, 7 Jan 2004 15:38:00 -0500 (EST)
From: Robert Watson
To: Richard Bejtlich
Cc: freebsd-security@freebsd.org
In-Reply-To: <20040106210430.28516.qmail@web60806.mail.yahoo.com>
Subject: Re: Logging user activities

On Tue, 6 Jan 2004, Richard Bejtlich wrote:

> What do you recommend for keeping track of user activities? For
> preserving bash histories I followed these recommendations:
>
> http://www.defcon1.org/secure-command.html
>
> They include using 'chflags sappnd .bash_history', enabling process
> accounting, and the like.
>
> My goal is to "watch the watchers," i.e. watch for abuse of power by SOC
> people with the ability to view traffic captured by sniffers.
>
> I plan to use sudo to limit and audit user activities too. I may also
> try some of the patches to bash listed at project.honeynet.org which
> send keystrokes to a remote server. Hardware keystroke logging is
> always a possibility.
>
> For more, should I turn to TrustedBSD integration in a future 5.x
> release?

One of the "Coming soon" features for the next year will be Audit support
for FreeBSD, based on some work we did on a related operating system
platform. There's been some prior work on Audit on FreeBSD, but it's
never been completed and merged. However, Audit requires some fairly
extensive changes, so I wouldn't look for it before August of 2004, I
think. I've been vaguely thinking about taking a few weeks off work to
jumpstart it, but I haven't really found time.
Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Senior Research Scientist, McAfee Research

From owner-freebsd-security@FreeBSD.ORG Wed Jan 7 19:50:52 2004
From: "Jack Xiao" To: , Date: Wed, 7 Jan 2004 22:50:56 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2720.3000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2727.1300 Message-ID: X-OriginalArrivalTime: 08 Jan 2004 03:50:51.0006 (UTC) FILETIME=[9BAE09E0:01C3D59A] Subject: rekeying problem between isakmpd and cisco 7000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Jan 2004 03:50:52 -0000 Hi, I have a rekeying problem between FreeBSD4.9 (running isakmpd) and a Cisco 7000 box. The rekeying time of these two are not same, so even they new SAs are created on isakmpd side, the tunnel doesn't work at all. On isakmpd side, I know it creates new SA when SA life time passes 90%. But I don't know when Cisco builds the new SAs. I don't have much knowledge on Cisco and I cannot look at the Cisco side debug information either for now. Does anyone have similar experience? Any solutions in isakmpd itself can fix that? Thanks in advance! 
Jack

From owner-freebsd-security@FreeBSD.ORG Wed Jan 7 20:15:39 2004
Message-ID: <3FFCD954.4090106@pacbell.net>
Date: Wed, 07 Jan 2004 20:15:16 -0800
From: richard childers / kg6hac
Organization: Daemonized Networking Services - http://www.daemonized.com
To: freebsd-security@freebsd.org
In-Reply-To: <20040107200059.0D9DF16A4D9@hub.freebsd.org>
Reply-To: fscked@pacbell.net
Subject: Re: keystroke logging

> What do you recommend for keeping track of user
> activities? For preserving bash histories I followed
> these recommendations:
>
> http://www.defcon1.org/secure-command.html

Interesting reading but, as others have noted, of limited use.

Keystroke logging can be disabled by - as others have noted - either
spawning another (perhaps different) shell, using a remote shell ... or,
for those embarrassing 'oops' moments, `kill -9 $$` works nicely. Try it
and see.

Daemonized Networking Services has produced a standalone server
configuration that uses a modified script(1) and .login to collect
keystroke logs; the target users are consultants, or companies, who
administer highly secure networking equipment via serial links or
command-line interfaces, and whose own business files, or customers -
banks, say, or government agencies - require logs of what they did - for
purposes of auditing, disaster recovery, and liability-related issues.

This method captures every keystroke - including typos before hitting
RETURN - and cannot be sabotaged.
As an added advantage, the logs can be immediately, or subsequently,
forwarded via electronic mail, so that they are replicated in multiple
places.

We also have a network server configuration that incorporates everything
described above, as well as an encrypted filesystem; although the
encrypted filesystem is optional, and there are some unresolved issues
related to backing up the contents - as well as recovering them - your
entire home directory, including your personal startup files, is
incorporated into the encrypted filesystem.

Pretty cool; add a GUI, maybe an office suite, and we think we can give
Windows 2000 a run for its money - in some quarters, at least. (Angel
VCs are welcome; development isn't cheap, here in the Bay Area.)

I mention this as a shameless plug for our products, which are based on
FreeBSD, as well as pursuant to the topic at hand; incidentally, freely
dispensing intellectual property that took years to acquire, in
exchange. (Gotta stop that.)

(You folks all signed NDAs, right?)
(-; Regards, -- richard -- Richard Childers / Senior Engineer Daemonized Networking Services 945 Taraval Street, #105 San Francisco, CA 94116 USA [011.]1.415.759.5571 https://www.daemonized.com From owner-freebsd-security@FreeBSD.ORG Wed Jan 7 23:45:00 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 007AB16A4CE for ; Wed, 7 Jan 2004 23:45:00 -0800 (PST) Received: from gandalf.online.bg (gandalf.online.bg [217.75.128.9]) by mx1.FreeBSD.org (Postfix) with SMTP id C33F043D49 for ; Wed, 7 Jan 2004 23:44:53 -0800 (PST) (envelope-from roam@ringlet.net) Received: (qmail 10039 invoked from network); 8 Jan 2004 07:42:37 -0000 Received: from office.sbnd.net (HELO straylight.m.ringlet.net) (217.75.140.130) by gandalf.online.bg with SMTP; 8 Jan 2004 07:42:36 -0000 Received: (qmail 6397 invoked by uid 1000); 8 Jan 2004 07:44:50 -0000 Date: Thu, 8 Jan 2004 09:44:50 +0200 
From: Peter Pentchev To: richard childers / kg6hac Message-ID: <20040108074450.GD692@straylight.m.ringlet.net> Mail-Followup-To: richard childers / kg6hac , freebsd-security@freebsd.org References: <20040107200059.0D9DF16A4D9@hub.freebsd.org> <3FFCD954.4090106@pacbell.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="C1iGAkRnbeBonpVg" Content-Disposition: inline In-Reply-To: <3FFCD954.4090106@pacbell.net> User-Agent: Mutt/1.5.5.1i cc: freebsd-security@freebsd.org Subject: Re: keystroke logging X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Jan 2004 07:45:00 -0000 --C1iGAkRnbeBonpVg Content-Type: text/plain; charset=windows-1251 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On Wed, Jan 07, 2004 at 08:15:16PM -0800, richard childers / kg6hac wrote:
>
> > What do you recommend for keeping track of user
> > activities? For preserving bash histories I followed
> > these recommendations:
> >
> > http://www.defcon1.org/secure-command.html
>
> Interesting reading but, as others have noted, of limited use.
>
> Keystroke logging can be disabled by - as others have noted - either
> spawning another (perhaps different) shell, using a remote shell ... or,
> for those embarrassing 'oops' moments, `kill -9 $$` works nicely. Try it
> and see.
>
> Daemonized Networking Services has produced a standalone server
> configuration that uses a modified script(1) and .login to collect
> keystroke logs; the target users are consultants, or companies, whom
> administer highly secure networking equipment via serial links or
> command-line interfaces, and whose own business files, or customers -
> banks, say, or government agencies - require logs of what they did - for
> purposes of auditing, disaster recovery, and liability-related issues.
>
> This method captures every keystroke - including typos before hitting
> RETURN - and cannot be sabotaged. As an added advantage, the logs can be
> immediately, or subsequently, forwarded via electronic mail, so that
> they are replicated in multiple places.

I hope you've taken into consideration the fact that script(1) by default does not make any modifications to stdio's standard input/output buffering. Thus, the script files it creates are fully-buffered by default, which for normal files means that they are only actually written to when the buffer fills up, and the buffer is usually 1K to 8K in size (although I've seen systems with a BUFSIZ of 32K). This means that if anyone kills the script(1) process before the output has reached 1K (or 4K, or whatever) in size, *no* output will be logged, and even if the script process is killed afterwards, some of the output will be lost. Consider:

[roam@straylight ~]> echo $$
5781
[roam@straylight ~]> script outfile
Script started, output file is outfile
Starting interactive C shell
[roam@straylight ~]> echo $$
5914
[roam@straylight ~]> ps -o ppid -p $$
 PPID
 5913
[roam@straylight ~]> kill -HUP 5913Hangup
[roam@straylight ~]> echo $$
5781
[roam@straylight ~]> cat outfile
Script started on Thu Jan 8 09:20:17 2004
[roam@straylight ~]>

The -t option is of some help, although -t 0 could be implemented a bit more efficiently with the attached patch.
G'luck, Peter --=20 Peter Pentchev roam@ringlet.net roam@sbnd.net roam@FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 This sentence is false. Index: src/usr.bin/script/script.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/usr.bin/script/script.c,v retrieving revision 1.20 diff -u -r1.20 script.c --- src/usr.bin/script/script.c 4 Sep 2002 23:29:06 -0000 1.20 +++ src/usr.bin/script/script.c 8 Jan 2004 07:39:00 -0000 @@ -150,10 +150,12 @@ if (child =3D=3D 0) doshell(argv); =20 - if (flushtime > 0) + if (flushtime > 0) { tvp =3D &tv; - else + } else { + setvbuf(fscript, NULL, _IONBF, 0); tvp =3D NULL; + } =20 start =3D time(0); FD_ZERO(&rfd); 
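Review bot: setvbuf(3) is only guaranteed to take effect when called before the first I/O on the stream, and in this hunk `setvbuf(fscript, NULL, _IONBF, 0);` sits after the fork and `doshell(argv)` dispatch; if the "Script started on ..." header shown in the transcript above has already been written to fscript by this point, the call relies on BSD stdio's habit of flushing and re-buffering a stream that is already in use. For portability, move the setvbuf() up to where fscript is opened (not in this hunk), guarded by the same `flushtime > 0` test, and keep only `tvp = NULL;` in the else branch here. A one-line comment stating that -t 0 now means one write(2) per chunk rather than "never flush" would also keep the two meanings of flushtime from being confused.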
@@ -187,7 +189,7 @@ (void)fwrite(obuf, 1, cc, fscript); } tvec =3D time(0); - if (tvec - start >=3D flushtime) { + if (flushtime > 0 && tvec - start >=3D flushtime) { fflush(fscript); start =3D tvec; } --C1iGAkRnbeBonpVg Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) iD8DBQE//Qpy7Ri2jRYZRVMRAodqAKC2oTjR0xCWzBQOxyBdmgzbVRX7JACfZlIs m9qbwW6jGWHFqZniHz2Y04g= =Kz5a -----END PGP SIGNATURE----- --C1iGAkRnbeBonpVg-- From owner-freebsd-security@FreeBSD.ORG Thu Jan 8 02:23:04 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4F43616A4CE for ; Thu, 8 Jan 2004 02:23:04 -0800 (PST) Received: from smtp.des.no (flood.des.no [217.116.83.31]) by mx1.FreeBSD.org (Postfix) with ESMTP id 82A3B43D2F for ; Thu, 8 Jan 2004 02:23:01 -0800 (PST) (envelope-from des@des.no) Received: by smtp.des.no (Pony Express, from userid 666) id 3BE01530A; Thu, 8 Jan 2004 11:23:00 +0100 (CET) Received: from dwp.des.no (des.no [80.203.228.37]) by smtp.des.no (Pony Express) with ESMTP id 3DA345308 for ; Thu, 8 Jan 2004 11:22:53 +0100 (CET) Received: by dwp.des.no (Postfix, from userid 2602) id C45C133C9A; Thu, 8 Jan 2004 11:22:52 +0100 (CET) To: security@freebsd.org References: 
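Review bot: the added `flushtime > 0 &&` guard is correct (with flushtime == 0 the old test was always true, so fflush() ran after every chunk), but once the first hunk makes the stream unbuffered, fflush() on it is a no-op and the guard only saves a call. If the aim is efficiency, the `tvec = time(0);` in the context line just above is still executed on every iteration and is only used by this comparison, so skip it as well when flushtime == 0; and tie this branch to the -t 0 unbuffered mode with a short comment so the two hunks do not drift apart later.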
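Peter's buffering point in the mail above, as an added example that is not part of his mail, of script(1) or of the patch: it measures how much of a stdio log has actually reached the file before the stream is flushed or closed, which is exactly what survives if the logging process is killed. Three modes are compared: stdio's default full buffering, setvbuf(_IONBF) as the patch does for -t 0, and an explicit fflush() after every write; the file paths and the sample keystroke line are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed sample "keystrokes" standing in for what script(1)
 * would fwrite() to its output file. */
static const char SAMPLE_LINE[] = "$ ls -la /etc\n";

/* Write SAMPLE_LINE `reps` times to `path` through a FILE*, as
 * script(1) does, and return how many bytes have reached the file
 * *before* the stream is flushed or closed.  A logger that is killed
 * at that point keeps exactly those bytes and nothing more.
 *   mode 0: stdio default for a regular file (fully buffered)
 *   mode 1: setvbuf(_IONBF) before the first I/O (the patch's -t 0)
 *   mode 2: explicit fflush() after every fwrite()
 * Returns -1 if the file cannot be created. */
long bytes_on_disk_before_close(const char *path, int reps, int mode)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    if (mode == 1)
        setvbuf(f, NULL, _IONBF, 0);   /* only portable before first I/O */
    for (int i = 0; i < reps; i++) {
        fwrite(SAMPLE_LINE, 1, sizeof(SAMPLE_LINE) - 1, f);
        if (mode == 2)
            fflush(f);
    }
    struct stat st;
    long on_disk = (stat(path, &st) == 0) ? (long)st.st_size : -1;
    fclose(f);          /* a clean exit flushes; a SIGKILL would not */
    unlink(path);
    return on_disk;
}

/* Feed single bytes into a fully-buffered stream until the first one
 * shows up in the file; the size at that moment is stdio's buffer for
 * this file, i.e. how much a killed logger can lose (Peter's "1K to
 * 8K", BUFSIZ or st_blksize depending on the libc). */
long stdio_buffer_size(const char *path)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    struct stat st;
    long size = -1;
    for (long n = 0; n < (1L << 20); n++) {   /* safety cap: 1 MiB */
        fputc('x', f);
        if (stat(path, &st) == 0 && st.st_size > 0) {
            size = (long)st.st_size;
            break;
        }
    }
    fclose(f);
    unlink(path);
    return size;
}

int main(void)
{
    printf("fully buffered : %ld bytes on disk before close\n",
           bytes_on_disk_before_close("/tmp/ex_buffered.log", 20, 0));
    printf("_IONBF         : %ld bytes on disk before close\n",
           bytes_on_disk_before_close("/tmp/ex_unbuffered.log", 20, 1));
    printf("fflush per line: %ld bytes on disk before close\n",
           bytes_on_disk_before_close("/tmp/ex_flushed.log", 20, 2));
    printf("stdio buffer for a regular file here: %ld bytes (BUFSIZ is %d)\n",
           stdio_buffer_size("/tmp/ex_threshold.log"), BUFSIZ);
    return 0;
}
```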
From: des@des.no (Dag-Erling Smørgrav) Date: Thu, 08 Jan 2004 11:22:52 +0100 In-Reply-To: (Dag-Erling Smørgrav's message of "Wed, 07 Jan 2004 11:55:06 +0100") Message-ID: User-Agent: Gnus/5.090024 (Oort Gnus v0.24) Emacs/21.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on flood.des.no X-Spam-Level: X-Spam-Status: No, hits=0.1 required=5.0 tests=RCVD_IN_SORBS autolearn=no version=2.60 Subject: Re: HEADS UP: OpenSSH 3.7.1p2 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Jan 2004 10:23:04 -0000

I've had some people ask me (in a very worried tone) if this was a critical update. So, for those of you who have been living under a rock: 3.7.1p2 shipped late last September. If it was a critical update, I wouldn't have waited four months to commit it.

DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Thu Jan 8 05:47:49 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 47B1D16A4CE for ; Thu, 8 Jan 2004 05:47:49 -0800 (PST) Received: from smtp810.mail.sc5.yahoo.com (smtp810.mail.sc5.yahoo.com [66.163.170.80]) by mx1.FreeBSD.org (Postfix) with SMTP id 77C1C43D45 for ; Thu, 8 Jan 2004 05:47:46 -0800 (PST) (envelope-from fscked@pacbell.net) Received: from unknown (HELO pacbell.net) (fscked@pacbell.net@64.171.190.6 with plain) by smtp810.mail.sc5.yahoo.com with SMTP; 8 Jan 2004 13:47:45 -0000 Message-ID: <3FFD5F6A.4080802@pacbell.net> Date: Thu, 08 Jan 2004 05:47:22 -0800
From: richard childers / kg6hac Organization: Daemonized Networking Services - http://www.daemonized.com User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Peter Pentchev References: <20040107200059.0D9DF16A4D9@hub.freebsd.org> <3FFCD954.4090106@pacbell.net> <20040108074450.GD692@straylight.m.ringlet.net> In-Reply-To: <20040108074450.GD692@straylight.m.ringlet.net> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Content-Filtered-By: Mailman/MimeDel 2.1.1 cc: freebsd-security@freebsd.org Subject: Re: keystroke logging X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: fscked@pacbell.net List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Jan 2004 13:47:49 -0000 I did say 'modified' script(1), yes, the obvious has been taken into account. Thanks for pointing it out, though !! -- richard Peter Pentchev wrote: >On Wed, Jan 07, 2004 at 08:15:16PM -0800, richard childers / kg6hac wrote: > > >>>What do you recommend for keeping track of user >>>activities? For preserving bash histories I followed >>>these recommendations: >>> >>>http://www.defcon1.org/secure-command.html >>> >>> >>> >>Interesting reading but, as others have noted, of limited use. >> >>Keystroke logging can be disabled by - as others have noted - either >>spawning another (perhaps different) shell, using a remote shell ... or, >>for those embarrassing 'oops' moments, `kill -9 $$` works nicely. Try it >>and see. 
>> >>Daemonized Networking Services has produced a standalone server >>configuration that uses a modified script(1) and .login to collect >>keystroke logs; the target users are consultants, or companies, whom >>administer highly secure networking equipment via serial links or >>command-line interfaces, and whose own business files, or customers - >>banks, say, or government agencies - require logs of what they did - for >>purposes of auditing, disaster recovery, and liability-related issues. >> >>This method captures every keystroke - including typos before hitting >>RETURN - and cannot be sabotaged. As an added advantage, the logs can be >>immediately, or subsequently, forwarded via electronic mail, so that >>they are replicated in multiple places. >> >> > >I hope you've taken into consideration the fact that script(1) by >default does not make any modifications to stdio's standard input/output >buffering. Thus, the script files it creates are fully-buffered by >default, which for normal files means that they are only actually >written to when the buffer fills up, and the buffer is usually 1K to 8K >in size (although I've seen systems with a BUFSIZ of 32K). This means >that if anyone kills the script(1) process before the output has reached >1K (or 4K, or whatever) in size, *no* output will be logged, and even if >the script process is killed afterwards, some of the output will be >lost. Consider: > >[roam@straylight ~]> echo $$ >5781 >[roam@straylight ~]> script outfile >Script started, output file is outfile >Starting interactive C shell >[roam@straylight ~]> echo $$ >5914 >[roam@straylight ~]> ps -o ppid -p $$ > PPID > 5913 >[roam@straylight ~]> kill -HUP 5913Hangup > [roam@straylight ~]> echo $$ >5781 >[roam@straylight ~]> cat outfile >Script started on Thu Jan 8 09:20:17 2004 >[roam@straylight ~]> > >The -t option is of some help, although -t 0 could be implemented a bit >more efficiently with the attached patch. 
> >G'luck, >Peter > > > -- Richard Childers / Senior Engineer Daemonized Networking Services 945 Taraval Street, #105 San Francisco, CA 94116 USA [011.]1.415.759.5571 https://www.daemonized.com From owner-freebsd-security@FreeBSD.ORG Thu Jan 8 08:07:19 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C119516A4CE for ; Thu, 8 Jan 2004 08:07:19 -0800 (PST) Received: from web60809.mail.yahoo.com (web60809.mail.yahoo.com [216.155.196.72]) by mx1.FreeBSD.org (Postfix) with SMTP id 0285343D1F for ; Thu, 8 Jan 2004 08:07:19 -0800 (PST) (envelope-from richard_bejtlich@yahoo.com) Message-ID: <20040108160716.55293.qmail@web60809.mail.yahoo.com> Received: from [68.84.6.72] by web60809.mail.yahoo.com via HTTP; Thu, 08 Jan 2004 08:07:16 PST Date: Thu, 8 Jan 2004 08:07:16 -0800 (PST) 
From: Richard Bejtlich To: freebsd-security@freebsd.org In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Subject: Re: Logging user activities X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Jan 2004 16:07:19 -0000

Thanks to everyone who replied. I've got plenty of leads to follow. My interest is in watching NOC worker actions, not implementing a honeypot. The deterrence effect of knowing certain sensitive activities are logged is of great help.

Sincerely,
Richard Bejtlich
http://www.taosecurity.com

PS: kg6hac de kd5pcd

From owner-freebsd-security@FreeBSD.ORG Thu Jan 8 12:37:24 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 888F216A4D0 for ; Thu, 8 Jan 2004 12:37:24 -0800 (PST) Received: from mx01.bos.ma.towardex.com (a65-124-16-8.svc.towardex.com [65.124.16.8]) by mx1.FreeBSD.org (Postfix) with ESMTP id 14CD543D1D for ; Thu, 8 Jan 2004 12:37:18 -0800 (PST) (envelope-from haesu@mx01.bos.ma.towardex.com) Received: by mx01.bos.ma.towardex.com (TowardEX ESMTP 3.0p11_DAKN, from userid 1001) id 4027A2F8FA; Thu, 8 Jan 2004 15:37:28 -0500 (EST) Date: Thu, 8 Jan 2004 15:37:28 -0500
From: haesu@towardex.com To: freebsd-security@freebsd.org Message-ID: <20040108203728.GA84999@scylla.towardex.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.4.1i Subject: Windows 2000 <-> FreeBSD IPsec problem X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Jan 2004 20:37:24 -0000

Hi,

I am trying to set up an IPSEC transport between a Windows 2000 box and a FreeBSD server for a customer... Both systems are on live public IPs and packets are not filtered by any intermediate systems or firewalls/routers in between.

I have the following setup:

Windows 2000 box: 1.1.1.2
FreeBSD Server: 2.2.2.3

(The actual IPs have been changed to the above to protect the innocent..)

I have racoon set up on the FreeBSD server with the following configuration[1]. And I have Windows configured correctly (verified many times after Googling and looking at various howto docs...) as well. I will provide more info about how it's set up on Windows if anyone wants specific detail. But basically it's set up using the howto from http://asherah.dyndns.org/~josh/ipsec-howto.txt

But when I try to have the Windows box ping 2.2.2.3 (going over ipsec, that is), I get the following error on the FreeBSD server running racoon[2].

If anyone can assist with this, I would really appreciate it. I've been scratching my head for a day trying to figure out what's going on..

Thanks!
-J

!<-------- [1] Racoon Configuration below --------->

path include "/usr/local/etc/racoon" ;
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# "log" specifies logging level. It is followed by either "notify", "debug"
# or "debug2".
#log debug;

# "padding" defines some parameter of padding. You should not touch these.
padding {
    maximum_length 20;      # maximum padding length.
    randomize off;          # enable randomize length.
    strict_check off;       # enable strict check.
    exclusive_tail off;     # extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen {
    isakmp 1.1.1.2 [500];
}

# Specification of default various timer.
timer {
    # These value can be changed per remote node.
    counter 5;              # maximum trying count to send.
    interval 20 sec;        # maximum interval to resend.
    persend 1;              # the number of packets per a send.

    # timer for waiting to complete each phase.
    phase1 15 sec;
    phase2 30 sec;
}

remote anonymous {
    #exchange_mode aggressive,main;
    doi ipsec_doi;
    exchange_mode main,aggressive;
    nonce_size 32;
    situation identity_only;
    lifetime time 1 min;    # sec,min,hour
    initial_contact on;
    support_mip6 on;
    passive on;
    proposal_check claim;   # obey, strict or claim

    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key ;
        dh_group 2 ;
    }
}

sainfo anonymous {
    pfs_group 1;
    lifetime time 36000 sec;
    encryption_algorithm 3des,des,cast128,blowfish ;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate ;
}

!<--- End of [1]--->

!<-------- [2] Racoon Debug/Error msgs below --------->

# racoon -v -F -f /usr/local/etc/racoon/racoon.conf
Foreground mode.
2004-01-08 15:26:03: INFO: main.c:172:main(): @(#)package version freebsd-20030826a
2004-01-08 15:26:03: INFO: main.c:174:main(): @(#)internal version 20001216 sakane@kame.net
2004-01-08 15:26:03: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7c 30 Sep 2003 (http://www.openssl.org/)
2004-01-08 15:26:03: WARNING: cftoken.l:514:yywarn(): racoon.conf:49: "support_mip6" it is obsoleted. use "support_proxy".
2004-01-08 15:26:03: INFO: isakmp.c:1358:isakmp_open(): 1.1.1.2[500] used as isakmp port (fd=5)
2004-01-08 15:26:17: INFO: isakmp.c:894:isakmp_ph1begin_r(): respond new phase 1 negotiation: 1.1.1.2[500]<=>2.2.2.3[500]
2004-01-08 15:26:17: INFO: isakmp.c:899:isakmp_ph1begin_r(): begin Identity Protection mode.
2004-01-08 15:26:17: INFO: vendorid.c:128:check_vendorid(): received Vendor ID: MS NT5 ISAKMPOAKLEY
2004-01-08 15:26:17: ERROR: ipsec_doi.c:1318:get_transform(): Only a single transform payload is allowed during phase 1 processing.
2004-01-08 15:26:18: NOTIFY: isakmp.c:255:isakmp_handler(): the packet is retransmitted by 2.2.2.3[500].
2004-01-08 15:26:20: NOTIFY: isakmp.c:255:isakmp_handler(): the packet is retransmitted by 2.2.2.3[500].
2004-01-08 15:26:24: NOTIFY: isakmp.c:255:isakmp_handler(): the packet is retransmitted by 2.2.2.3[500].

From owner-freebsd-security@FreeBSD.ORG Thu Jan 8 12:47:52 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9366516A4CE for ; Thu, 8 Jan 2004 12:47:52 -0800 (PST) Received: from gigatrex.com (saraswati.gigatrex.com [64.5.48.159]) by mx1.FreeBSD.org (Postfix) with SMTP id 09D1543D5E for ; Thu, 8 Jan 2004 12:47:51 -0800 (PST) (envelope-from piechota@argolis.org) Received: (qmail 21900 invoked from network); 8 Jan 2004 20:47:38 -0000 Received: from unknown (HELO cithaeron.argolis.org) (141.156.46.123) by saraswati.gigatrex.com with SMTP; 8 Jan 2004 20:47:38 -0000 Received: from cithaeron.argolis.org (localhost [127.0.0.1]) i08KlkSL085776; Thu, 8 Jan 2004 15:47:46 -0500 (EST) (envelope-from piechota@argolis.org) Received: from localhost (piechota@localhost)i08Klk2T085773; Thu, 8 Jan 2004 15:47:46 -0500 (EST) X-Authentication-Warning: cithaeron.argolis.org: piechota owned process doing -bs Date: Thu, 8 Jan 2004 15:47:45 -0500 (EST)
From: Matt Piechota To: haesu@towardex.com In-Reply-To: <20040108203728.GA84999@scylla.towardex.com> Message-ID: <20040108154701.S64886@cithaeron.argolis.org> References: <20040108203728.GA84999@scylla.towardex.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: freebsd-security@freebsd.org Subject: Re: Windows 2000 <-> FreeBSD IPsec problem X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Jan 2004 20:47:52 -0000 On Thu, 8 Jan 2004 haesu@towardex.com wrote: > I am trying to setup an IPSEC transport between a Windows 2000 box > and a FreeBSD server for a customer... Both systems are on live > public IP's and packets are not filtered by any intermediate systems > or firewalls/routers in between. This might help: http://www.sigsegv.cx/FreeBSD-WIN2K-IPSEC-HOWTO.html It doesn't look like exactly what you need though. -- Matt Piechota From owner-freebsd-security@FreeBSD.ORG Fri Jan 9 06:06:39 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B722D16A4CE for ; Fri, 9 Jan 2004 06:06:39 -0800 (PST) Received: from milla.ask33.net (milla.ask33.net [217.197.166.60]) by mx1.FreeBSD.org (Postfix) with ESMTP id 306B743D3F for ; Fri, 9 Jan 2004 06:06:36 -0800 (PST) (envelope-from nick@milla.ask33.net) Received: by milla.ask33.net (Postfix, from userid 1001) id A0D153ABB55; Fri, 9 Jan 2004 15:06:57 +0100 (CET) Date: Fri, 9 Jan 2004 15:06:57 +0100 
From: Pawel Jakub Dawidek To: Richard Bejtlich Message-ID: <20040109140656.GK9171@garage.freebsd.pl> References: <20040106210430.28516.qmail@web60806.mail.yahoo.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="SEFvVLxbW/dEDtN8" Content-Disposition: inline In-Reply-To: <20040106210430.28516.qmail@web60806.mail.yahoo.com> X-PGP-Key-URL: http://garage.freebsd.pl/jules.asc X-OS: FreeBSD 4.8-RELEASE-p13 i386 X-URL: http://garage.freebsd.pl User-Agent: Mutt/1.5.1i cc: freebsd-security@freebsd.org Subject: Re: Logging user activities X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Jan 2004 14:06:39 -0000 --SEFvVLxbW/dEDtN8 Content-Type: text/plain; charset=iso-8859-2 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On Tue, Jan 06, 2004 at 01:04:30PM -0800, Richard Bejtlich wrote:
+> They include using 'chflags sappnd .bash_history',
+> enabling process accounting, and the like.
+>
+> My goal is to "watch the watchers," i.e. watch for
+> abuse of power by SOC people with the ability to view
+> traffic captured by sniffers.

Just forget about those methods.
The only right way for such things is to monitor execve(2) syscall on kernel level.

Look at:
http://garage.freebsd.pl/lrexec.README
http://garage.freebsd.pl/lrexec.tbz

--
Pawel Jakub Dawidek pawel@dawidek.net
UNIX Systems Programmer/Administrator http://garage.freebsd.pl
Am I Evil? Yes, I Am!
http://cerber.sourceforge.net

From owner-freebsd-security@FreeBSD.ORG Fri Jan 9 06:30:31 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A982616A50E for ; Fri, 9 Jan 2004 06:30:31 -0800 (PST) Received: from ns.tern.ru (mail.tern.ru [195.210.170.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9F9A943D31 for ; Fri, 9 Jan 2004 06:30:22 -0800 (PST) (envelope-from tech@tern.ru) Received: from mail.tern.ru (mail.tern.ru [192.168.1.140]) by ns.tern.ru (X/X) with ESMTP id i09ES0Yj043372 for ; Fri, 9 Jan 2004 17:28:00 +0300 X-Spam-Filter: check_local@ns.tern.ru by digitalanswers.org Received: from mail.tern.ru (localhost.tern.ru [127.0.0.1]) by mail.tern.ru (X/X) with ESMTP id i09EX609086461 for ; Fri, 9 Jan 2004 17:33:06 +0300 (MSK) Received: (from root@localhost) by mail.tern.ru (X/X) id i09EX6aq086460 for freebsd-security@freebsd.org.VIRCHECK; Fri, 9 Jan 2004 17:33:06 +0300 (MSK) Received: from snork.tern.ru (snork.tern.ru [192.168.1.133]) by mail.tern.ru (X/X) with ESMTP id i09EX509086452 for ; Fri, 9 Jan 2004 17:33:05 +0300 (MSK) Resent-Date: Fri, 9 Jan 2004 17:33:05 +0300 (MSK) Resent-Message-Id: <200401091433.i09EX509086452@mail.tern.ru> Date: Fri, 9 Jan 2004 17:32:20 +0300
From: freebsd@tern.ru Organization: Tern X-Priority: 3 (Normal) Message-ID: <1775511953.20040109173220@tern.ru> To: freebsd-security@freebsd.org Resent-From: Alexandre Krasnov MIME-Version: 1.0 Content-Type: text/plain; charset=Windows-1251 Content-Transfer-Encoding: 8bit Subject: Problem with DNS (UDP) queries X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Alexandre Krasnov List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Jan 2004 14:30:31 -0000

Hi all

I am trying to get rid of the strings:
kernel: Connection attempt to UDP FREEBSD_IP:port from DNSSERVER_IP:53
on my console and in the log file.

I understand that those are replies to DNS queries that for some reason took too long to be answered. I do not want to turn off the "log in vain" feature.

As these strings fill up my log I am afraid to miss some sensitive messages (e.g. a hacker's attack :)

I'm using FreeBSD 5.1 with ipfw2 that allows, via static rules, both DNS queries and DNS replies.

The main application that generates queries is sendmail.

What can be done? I've found a lot of similar questions at google but there was not a single answer. I'd be happy, for example, to increase the FreeBSD resolver timeout but I do not want to change any source code.

Thank you for your attention.
Alex
--
Best regards,
Alexandre Krasnov
Head of the Technical Support Department
Tern Company
Tel.: +7 (095) 235-0920/0954/0851, 234-9885
Fax: +7 (095) 235-3381
www.tern.ru

From owner-freebsd-security@FreeBSD.ORG Fri Jan 9 06:50:01 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B658316A4CE for ; Fri, 9 Jan 2004 06:50:01 -0800 (PST) Received: from munk.nu (mail.munk.nu [213.152.51.194]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5B92043D41 for ; Fri, 9 Jan 2004 06:50:00 -0800 (PST) (envelope-from munk@munk.nu) Received: from munk by munk.nu with local (Exim 4.24; FreeBSD) id 1AexxU-000N2u-It; Fri, 09 Jan 2004 14:49:56 +0000 Date: Fri, 9 Jan 2004 14:49:56 +0000
From: Jez Hancock To: Alexandre Krasnov Message-ID: <20040109144956.GB87284@users.munk.nu> Mail-Followup-To: Alexandre Krasnov , freebsd-security@freebsd.org References: <1775511953.20040109173220@tern.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1775511953.20040109173220@tern.ru> User-Agent: Mutt/1.4.1i cc: freebsd-security@freebsd.org Subject: Re: Problem with DNS (UDP) queries X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Jan 2004 14:50:01 -0000

On Fri, Jan 09, 2004 at 05:32:20PM +0300, freebsd@tern.ru wrote:
> Hi all
>
> I am trying to get rid of strings:
> kernel: Connection attempt to UDP FREEBSD_IP:port from DNSSERVER_IP:53
> on my console and in log file
>
> I understand that those are replies on DNS queries that for some reason
> took too long time to be answered.
> I do not want to turn off the "log in vain" feature.
>
> As these strings fill up my log I am afraid to miss some sensitive
> messages (e.g. hacker's attack :)
>
> I'm using FreeBSD 5.1 with ipfw2 that allows via static rules both
> DNS queries and DNS replies.
>
> The main application that generates queries is sendmail.
>
> What can be done?

I believe those messages are generated if the following sysctl flag is set:

net.inet.udp.log_in_vain

you can disable it by executing:

sysctl net.inet.udp.log_in_vain=0

on the commandline. Obviously though this will disable logging of all vain connection attempts using the udp protocol. However if you have ipfw set up to log such attempts, you don't really need that sysctl flag set anyway.

See also the tcp equivalent flag:

net.inet.tcp.log_in_vain

also see the manpage for rc.conf(5) regarding the log_in_vain rc.conf setting.
-- Jez Hancock - System Administrator / PHP Developer http://munk.nu/ http://jez.hancock-family.com/ - personal weblog http://ipfwstats.sf.net/ - ipfw peruser traffic logging From owner-freebsd-security@FreeBSD.ORG Fri Jan 9 07:11:31 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4DDAE16A4CE for ; Fri, 9 Jan 2004 07:11:31 -0800 (PST) Received: from ns.tern.ru (mail.tern.ru [195.210.170.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id D5D4743D46 for ; Fri, 9 Jan 2004 07:11:28 -0800 (PST) (envelope-from freebsd@tern.ru) Received: from mail.tern.ru (mail.tern.ru [192.168.1.140]) by ns.tern.ru (X/X) with ESMTP id i09F95Yj004728 for ; Fri, 9 Jan 2004 18:09:06 +0300 X-Spam-Filter: check_local@ns.tern.ru by digitalanswers.org Received: from mail.tern.ru (localhost.tern.ru [127.0.0.1]) by mail.tern.ru (X/X) with ESMTP id i09FEB09086819 for ; Fri, 9 Jan 2004 18:14:11 +0300 (MSK) Received: (from root@localhost) by mail.tern.ru (X/X) id i09FEBix086818 for freebsd-security@freebsd.org.VIRCHECK; Fri, 9 Jan 2004 18:14:11 +0300 (MSK) Received: from snork.tern.ru (snork.tern.ru [192.168.1.133]) by mail.tern.ru (X/X) with ESMTP id i09FEA09086810; Fri, 9 Jan 2004 18:14:10 +0300 (MSK) Date: Fri, 9 Jan 2004 18:13:25 +0300 
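Alexandre's worry above is that the late-reply noise will bury a real alert, and Jez's answer trades the whole feature for quiet. As an added example that is not from the thread, here is the triage a defender can run over the kernel's log_in_vain lines instead: a UDP message from port 53 of one of the host's own configured resolvers to an ephemeral local port is classed as a late DNS reply, and everything else keeps its value as an alert. The resolver list, the ephemeral-port cutoff (>= 1024) and the sample syslog lines are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

enum vain_kind { VAIN_NOT_VAIN, VAIN_LATE_DNS_REPLY, VAIN_UNSOLICITED };

struct vain_msg {
    char proto[4];          /* "UDP" or "TCP" */
    char dst_ip[16];        /* our address */
    int  dst_port;
    char src_ip[16];        /* remote address */
    int  src_port;
};

/* Constructed resolver list, standing in for the nameserver lines of
 * /etc/resolv.conf on the logging host. */
const char *const RESOLVERS[] = { "192.0.2.10", "192.0.2.11" };
#define NRESOLVERS 2

/* Constructed syslog lines in the kernel's log_in_vain format
 * (the TCP variant carries a trailing flags field). */
const char *const SAMPLE_LINES[] = {
    "Jan  9 17:30:01 snork kernel: Connection attempt to UDP 10.0.0.5:3077 from 192.0.2.10:53",
    "Jan  9 17:30:02 snork kernel: Connection attempt to UDP 10.0.0.5:3078 from 198.51.100.7:53",
    "Jan  9 17:30:03 snork kernel: Connection attempt to UDP 10.0.0.5:161 from 198.51.100.7:40112",
    "Jan  9 17:30:04 snork kernel: Connection attempt to TCP 10.0.0.5:22 from 198.51.100.7:51234 flags:0x02",
    "Jan  9 17:30:05 snork sendmail[1234]: i09EU1xx001234: from=<alex@tern.ru>, size=512",
};
#define NSAMPLE 5

/* Parse "... Connection attempt to PROTO A.B.C.D:port from E.F.G.H:port".
 * Returns 1 on success, 0 if the line is not a log_in_vain message. */
int parse_vain(const char *line, struct vain_msg *m)
{
    static const char marker[] = "Connection attempt to ";
    const char *p = strstr(line, marker);
    if (p == NULL)
        return 0;
    p += sizeof(marker) - 1;
    return sscanf(p, "%3s %15[0-9.]:%d from %15[0-9.]:%d",
                  m->proto, m->dst_ip, &m->dst_port,
                  m->src_ip, &m->src_port) == 5;
}

/* Late DNS reply: UDP, from port 53 of one of OUR resolvers, to an
 * ephemeral local port (the one the resolver library queried from;
 * >= 1024 is assumed here).  Source port 53 alone proves nothing,
 * since any host can send from port 53, so the source address must
 * also match a configured nameserver.  Everything else stays an alert. */
enum vain_kind classify_vain(const char *line)
{
    struct vain_msg m;
    if (!parse_vain(line, &m))
        return VAIN_NOT_VAIN;
    if (strcmp(m.proto, "UDP") == 0 && m.src_port == 53 && m.dst_port >= 1024)
        for (int i = 0; i < NRESOLVERS; i++)
            if (strcmp(m.src_ip, RESOLVERS[i]) == 0)
                return VAIN_LATE_DNS_REPLY;
    return VAIN_UNSOLICITED;
}

/* Number of lines an operator should still look at. */
int count_unsolicited(const char *const lines[], int n)
{
    int count = 0;
    for (int i = 0; i < n; i++)
        if (classify_vain(lines[i]) == VAIN_UNSOLICITED)
            count++;
    return count;
}

int main(void)
{
    static const char *const names[] = { "not log_in_vain", "late DNS reply", "UNSOLICITED" };
    for (int i = 0; i < NSAMPLE; i++)
        printf("%-15s  %s\n", names[classify_vain(SAMPLE_LINES[i])], SAMPLE_LINES[i]);
    printf("%d of %d lines still deserve attention\n",
           count_unsolicited(SAMPLE_LINES, NSAMPLE), NSAMPLE);
    return 0;
}
```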
From: freebsd@tern.ru Organization: Tern X-Priority: 3 (Normal) Message-ID: <1839710842.20040109181325@tern.ru> To: Jez Hancock In-Reply-To: <20040109144956.GB87284@users.munk.nu> References: <1775511953.20040109173220@tern.ru> <20040109144956.GB87284@users.munk.nu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit cc: freebsd-security@freebsd.org Subject: Re[2]: Problem with DNS (UDP) queries X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Alexandre Krasnov List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Jan 2004 15:11:31 -0000

Yes, I had thought about what you wrote. Because of this I mentioned that 'I do not want to turn off the "log in vain" feature.'

To be honest I'd like to fix the cause of the problem, not just how it looks. I need to make the resolver wait for the reply (any, including negative). As I understand it, resolver functionality is built into the libraries, including all timeout constants. But I hope that this can be changed/tuned somehow using sysctl or maybe some other variables.

If this can be fixed in CVS it would be a great solution. But changing the source on my local system and checking the changes again every time I download something from CVS is not a suitable solution.

Anyway, thank you for your reply.

JH> On Fri, Jan 09, 2004 at 05:32:20PM +0300, freebsd@tern.ru wrote:
>> Hi all
>>
>> I am trying to get rid of strings:
>> kernel: Connection attempt to UDP FREEBSD_IP:port from DNSSERVER_IP:53
>> on my console and in log file
>>
>> I understand that those are replies on DNS queries that for some reason
>> took too long time to be answered.
>> I do not want to turn off the "log in vain" feature.
>>
>> As these strings fill up my log I am afraid to miss some sensitive
>> messages (e.g. hacker's attack :)
>>
>> I'm using FreeBSD 5.1 with ipfw2 that allows via static rules both
>> DNS queries and DNS replies.
>>
>> The main application that generates queries is sendmail.
>>
>> What can be done?

JH> I believe those messages are generated if the following sysctl flag is
JH> set:
JH> net.inet.udp.log_in_vain
JH> you can disable it by executing:
JH> sysctl net.inet.udp.log_in_vain=0
JH> on the commandline.
JH> Obviously though this will disable logging of all vain connection attempts using
JH> the udp protocol. However if you have ipfw set up to log such attempts,
JH> you don't really need that sysctl flag set anyway.
JH> See also the tcp equivalant flag:
JH> net.inet.tcp.log_in_vain
JH> also see the manpage for rc.conf(5) regarding the log_in_vain rc.conf
JH> setting.

Alex.

From owner-freebsd-security@FreeBSD.ORG Fri Jan 9 09:13:22 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3518F16A4CE for ; Fri, 9 Jan 2004 09:13:22 -0800 (PST) Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6126D43D4C for ; Fri, 9 Jan 2004 09:13:18 -0800 (PST) (envelope-from nectar@celabo.org) Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.celabo.org (Postfix) with ESMTP id 8A62E5482B for ; Fri, 9 Jan 2004 11:13:17 -0600 (CST) Received: by madman.celabo.org (Postfix, from userid 1001) id 269056D45F; Fri, 9 Jan 2004 11:13:17 -0600 (CST) Date: Fri, 9 Jan 2004 11:13:17 -0600
From: "Jacques A. Vidrine"
To: freebsd-security@FreeBSD.org
Message-ID: <20040109171317.GA67421@madman.celabo.org>
Subject: Security Officer-supported branches update

Hello Everyone,

The branches supported by the FreeBSD Security Officer have been updated to
reflect recent EoL (end-of-life) events. The new list is below (and should
appear at soon).

FreeBSD 4.7 has `expired', but I have extended the EoL date for FreeBSD 5.1.
If you are running FreeBSD 4.7 or older and you wish to be certain to get
critical bug fixes, it is recommended that you upgrade to one of the newer
security branches.

[Excerpt from http://www.freebsd.org/security/]

FreeBSD Security Advisories

The FreeBSD Security Officer provides security advisories for several
branches of FreeBSD development. These are the -STABLE Branches and the
Security Branches. (Advisories are not issued for the -CURRENT Branch.)

* There is usually only a single -STABLE branch, although during the
  transition from one major development line to another (such as from
  FreeBSD 4.x to 5.x), there is a time span in which there are two -STABLE
  branches. The -STABLE branch tags have names like RELENG_4. The
  corresponding builds have names like FreeBSD 4.6-STABLE.

* Each FreeBSD Release has an associated Security Branch. The Security
  Branch tags have names like RELENG_4_6. The corresponding builds have
  names like FreeBSD 4.6-RELEASE-p7.

Each branch is supported by the Security Officer for a limited time only,
typically through 12 months after the release.

The estimated lifetimes of the currently supported branches are given
below. The Estimated EoL (end-of-life) column gives the earliest date on
which that branch is likely to be dropped. Please note that these dates may
be extended into the future, but only extenuating circumstances would lead
to a branch's support being dropped earlier than the date listed.

+----------+-----------+-----------------+
| Branch   | Release   | Estimated EoL   |
|----------+-----------+-----------------|
|RELENG_4  |n/a        |October 31, 2004 |
|RELENG_4_8|4.8-RELEASE|March 31, 2004   |
|RELENG_4_9|4.9-RELEASE|October 31, 2004 |
|RELENG_5_1|5.1-RELEASE|February 28, 2004|
+----------+-----------+-----------------+

Older releases are not maintained and users are strongly encouraged to
upgrade to one of the supported releases mentioned above.

Cheers,
--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se

----- Forwarded message from Jacques Vidrine -----

Date: Fri, 9 Jan 2004 09:10:53 -0800 (PST)
From: Jacques Vidrine
To: doc-committers@FreeBSD.org, cvs-doc@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: www/en/security security.sgml
Message-Id: <200401091710.i09HAr2A015022@repoman.freebsd.org>

nectar      2004/01/09 09:10:53 PST

  FreeBSD doc repository

  Modified files:
    en/security          security.sgml
  Log:
  Security Officer-supported branches updated:
    FreeBSD 4.7 removed: it has passed the published EoL.
    FreeBSD 5.1 extended.

  Reminded by:    Colin Percival

  Revision  Changes    Path
  1.149     +3 -8      www/en/security/security.sgml

----- End forwarded message -----

From owner-freebsd-security@FreeBSD.ORG Fri Jan 9 13:53:10 2004
Message-ID: <20040109215255.56710.qmail@web60801.mail.yahoo.com>
Date: Fri, 9 Jan 2004 13:52:55 -0800 (PST)
From: Richard Bejtlich
To: freebsd-security@freebsd.org
Cc: ru@FreeBSD.org
Subject: Re: interface bonding

Ruslan wisely encouraged me to post the end result of my interface bonding
quest. Here's how I bring up interfaces sf2 and sf3 against a new ngeth0
interface. I sniff the ngeth0 interface to see both TX outputs from my
NetOptics tap:

kldload ng_ether
ifconfig sf2 promisc -arp up
ifconfig sf3 promisc -arp up
ngctl -f - << EOF
mkpeer eiface dummy ether
name .:dummy bond0
EOF
ngctl mkpeer bond0: one2many ether one
ngctl connect sf2: bond0:ether lower many0
ngctl connect sf3: bond0:ether lower many1
ifconfig ngeth0 -arp up

Thanks to everyone who provided input.

Sincerely,

Richard Bejtlich
http://www.taosecurity.com

From owner-freebsd-security@FreeBSD.ORG Fri Jan 9 15:08:04 2004
Date: Fri, 9 Jan 2004 23:08:01 +0000
From: Jez Hancock
To: Alexandre Krasnov
Message-ID: <20040109230801.GE1488@users.munk.nu>
In-Reply-To: <1839710842.20040109181325@tern.ru>
Cc: freebsd-security@freebsd.org
Subject: Re: Problem with DNS (UDP) queries

On Fri, Jan 09, 2004 at 06:13:25PM +0300, freebsd@tern.ru wrote:
> Yes, I had thought about what you wrote.
> Because of this I mentioned that 'I do not want to turn off the "log
> in vain" feature.'

In that case I imagine you'd need to hack the kernel source code to make it
not log vain udp port 53 requests. I'm fairly sure it's an 'all or nothing'
sysctl mib/flag.

Why do you want to log those vain connection attempts using 'log_in_vain'
though? It would be a lot more suitable to use the logging feature in ipfw2
and disable the log_in_vain feature completely. Just my opinion though :P

> JH> On Fri, Jan 09, 2004 at 05:32:20PM +0300, freebsd@tern.ru wrote:
> >> Hi all
> >>
> >> I am trying to get rid of strings:
> >> kernel: Connection attempt to UDP FREEBSD_IP:port from DNSSERVER_IP:53
> >> on my console and in log file
> >>
> >> I understand that those are replies to DNS queries that for some reason
> >> took too long to be answered.
> >> I do not want to turn off the "log in vain" feature.
> >>
> >> As these strings fill up my log I am afraid to miss some sensitive
> >> messages (e.g. hacker's attack :)
> >>
> >> I'm using FreeBSD 5.1 with ipfw2 that allows via static rules both
> >> DNS queries and DNS replies.
> >>
> >> The main application that generates queries is sendmail.
> >>
> >> What can be done?
> JH> I believe those messages are generated if the following sysctl flag is
> JH> set:
>
> JH> net.inet.udp.log_in_vain
>
> JH> you can disable it by executing:
>
> JH> sysctl net.inet.udp.log_in_vain=0
>
> JH> on the command line.
>
> JH> Obviously though this will disable logging of all vain connection attempts using
> JH> the udp protocol. However if you have ipfw set up to log such attempts,
> JH> you don't really need that sysctl flag set anyway.
>
> JH> See also the tcp equivalent flag:
>
> JH> net.inet.tcp.log_in_vain
>
> JH> also see the manpage for rc.conf(5) regarding the log_in_vain rc.conf
> JH> setting.
>
> Alex.
>

--
Jez Hancock - System Administrator / PHP Developer
http://munk.nu/
http://jez.hancock-family.com/ - personal weblog
http://ipfwstats.sf.net/ - ipfw peruser traffic logging

From owner-freebsd-security@FreeBSD.ORG Fri Jan 9 17:30:29 2004
Message-Id: <6.0.1.1.1.20040109153745.04131af0@imap.sfu.ca>
Date: Sat, 10 Jan 2004 01:11:24 +0000
To: freebsd-security@freebsd.org, freebsd-current@freebsd.org
From: Colin Percival
Subject: Binary updates for FreeBSD 5.x

I am now building binary security updates for FreeBSD 5.x, for use with
FreeBSD Update. This has taken rather longer than I expected -- I thought I
would be at this point in mid-November -- but porting the update-building
code to run on FreeBSD 5.x took rather longer than I expected.

For details about how to use these updates, please see the FreeBSD Update
web site at http://www.daemonology.net/freebsd-update/

A couple of notes are in order:

First, I am not a FreeBSD committer, and FreeBSD Update is in no way
endorsed by the FreeBSD Project or the Security Officer; this is something
I'm providing on my own and you should only use these updates if you're
willing to trust your systems' security to *me* personally.

Second, FreeBSD Update merely tracks the security branches in the FreeBSD
CVS repository; consequently, while I am building updates for FreeBSD 4.7,
4.8, 4.9, 5.0 and 5.1 (and will start building updates for FreeBSD 5.2 when
it is released), the updates for FreeBSD 4.7 and 5.0 may not reflect all
existing security issues, since support for those releases has officially
ended.

Thanks to all the donors who contributed to allow me to purchase the system
I'm using to build these updates; in particular, bsdmall.com and the
readership of slashdot.jp made large contributions.
Colin Percival

From owner-freebsd-security@FreeBSD.ORG Sat Jan 10 14:23:06 2004
Message-ID: <000701c3d7c8$697a4e40$6400a8c0@winxp1700>
From: "David Edwards"
Reply-To: David Edwards
Date: Sat, 10 Jan 2004 17:23:39 -0500
Subject: Need some help on security

Hello all. I am new to the list and relatively new to FreeBSD. I currently
have a server running 4.8 as a dedicated server with cPanel added as a way
to speed up the creation of sites and such on the server. I host only a
couple of sites because I do this in my spare time and don't know enough to
be a paid participant in the hosting community.

Anyway, on to the question: last night, the server stopped responding after
someone tried to gain access to what looks to be web based printing. I am
not familiar with any firewall/IDS solutions and have looked over Snort and
IPFW today. I don't want to do IPFW because I don't want to recompile a
kernel that works and potentially lose everything I have done so far.
Here is a bit of the apache error_log which shows the issue I am referring
to:

[Sat Jan 10 01:34:04 2004] [error] [client 211.233.89.189] File does not exist: /usr/home/dbcenter/public_html/NULL.printer
[Sat Jan 10 01:34:04 2004] [error] [client 211.233.89.189] File does not exist: /usr/local/apache/htdocs/NULL.printer
[Sat Jan 10 01:34:04 2004] [error] [client 211.233.89.189] File does not exist: /usr/local/apache/htdocs/404.shtml
[Sat Jan 10 01:34:05 2004] [error] [client 211.233.89.189] File does not exist: /usr/local/apache/htdocs/NULL.printer
[Sat Jan 10 01:34:05 2004] [error] [client 211.233.89.189] File does not exist: /usr/local/apache/htdocs/404.shtml
[Sat Jan 10 01:34:05 2004] [error] [client 211.233.89.189] File does not exist: /usr/home/seekers/public_html/NULL.printer
[Sat Jan 10 01:34:05 2004] [error] [client 211.233.89.189] File does not exist: /usr/local/apache/htdocs/NULL.printer
[Sat Jan 10 01:34:05 2004] [error] [client 211.233.89.189] File does not exist: /usr/home/seekers/public_html/404.shtml
[Sat Jan 10 01:34:05 2004] [error] [client 211.233.89.189] File does not exist: /usr/local/apache/htdocs/404.shtml

I also have a few entries where they are trying to get to a command prompt
and trying to do some sort of weirdness with IIS:

[Fri Jan 9 22:18:31 2004] [error] [client 67.167.253.191] File does not exist: /usr/local/apache/htdocs/scripts/nsiislog.dll
[Fri Jan 9 22:18:31 2004] [error] [client 67.167.253.191] File does not exist: /usr/local/apache/htdocs/404.shtml
[Fri Jan 9 22:18:31 2004] [error] [client 67.167.253.191] File does not exist: /usr/local/apache/htdocs/scripts/nsiislog.dll
[Fri Jan 9 22:18:31 2004] [error] [client 67.167.253.191] File does not exist: /usr/local/apache/htdocs/404.shtml
[Thu Jan 8 07:00:07 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/scripts/root.exe
[Thu Jan 8 07:00:07 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:00:11 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/MSADC/root.exe
[Thu Jan 8 07:00:11 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:00:15 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/c/winnt/system32/cmd.exe
[Thu Jan 8 07:00:15 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:00:19 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/d/winnt/system32/cmd.exe
[Thu Jan 8 07:00:19 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:00:23 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/scripts/..%5c../winnt/system32/cmd.exe
[Thu Jan 8 07:00:23 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:00:28 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Thu Jan 8 07:00:28 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:00:31 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Thu Jan 8 07:00:31 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:00:36 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/msadc/..%5c../..%5c../..%5c/..Б../..Б../..Б../winnt/system32/cmd.exe
[Thu Jan 8 07:00:36 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:00:40 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/scripts/..Б../winnt/system32/cmd.exe
[Thu Jan 8 07:00:40 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:00:44 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:00:48 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/scripts/..АЇ../winnt/system32/cmd.exe
[Thu Jan 8 07:00:48 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:00:53 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/scripts/..Бo../winnt/system32/cmd.exe
[Thu Jan 8 07:00:53 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:00:57 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/400.shtml
[Thu Jan 8 07:01:01 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/400.shtml
[Thu Jan 8 07:01:05 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/scripts/..%5c../winnt/system32/cmd.exe
[Thu Jan 8 07:01:05 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml
[Thu Jan 8 07:01:10 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/scripts/..%2f../winnt/system32/cmd.exe
[Thu Jan 8 07:01:10 2004] [error] [client 69.140.105.5] File does not exist: /usr/home/dbcenter/public_html/404.shtml

Can anyone offer me a bit of advice on how to block such IP addresses
within FreeBSD and some sort of firewall type setup that is fairly easy and
quick to set up as well as create new filtering rules for?

Thanks in advance for any help in this matter.

Also, all the missing errors like the 404, 400 and such are now cleared up.
Created the pages for the errors.
David Edwards
david@deassociates.com

From owner-freebsd-security@FreeBSD.ORG Sat Jan 10 14:47:50 2004
Date: Sun, 11 Jan 2004 00:47:27 +0200 (EET)
From: "Taras Y. NIZHNIK"
To: David Edwards
In-Reply-To: <000701c3d7c8$697a4e40$6400a8c0@winxp1700>
Message-ID: <20040111004328.A50107-100000@doppelganger.el.ntu-kpi.kiev.ua>
Cc: freebsd-security@freebsd.org
Subject: Re: Need some help on security

On Sat, 10 Jan 2004, David Edwards wrote:

> Anyway, on to the question, last night, the server stopped responding after
> someone tried to gain access to what looks to be web based printing. I am
> not familiar with any firewall/IDS solutions and have looked over Snort and
> IPFW today. I don't want to do IPFW because I don't want to recompile a
> kernel that works and potentially lose everything I have done so far.

How about using ipfw.ko?

--
Best regards,
Taras Y. NIZHNIK, AKA Taren, XN7211-XTF, TYN-UANIC, TYN1-RIPE

From owner-freebsd-security@FreeBSD.ORG Sat Jan 10 16:01:52 2004
From: "Laust S. Jespersen"
Date: Sun, 11 Jan 2004 01:01:56 +0100
In-Reply-To: <20040111004328.A50107-100000@doppelganger.el.ntu-kpi.kiev.ua>
Subject: RE: Need some help on security

Hi David,

> How about using ipfw.ko?

What Taras is suggesting here is for you to use the loadable kernel module
version of ipfw. For more information on loadable kernel modules see
"man kldload".

Something along the lines of:

    "kldload ipfw && ipfw add 65334 allow ip from any to any"

The last part (ipfw and so on) should let you keep your connection to the
server if you're not on via a local console. Also "man ipfw" is a fantastic
manpage.

With regard to the attacks on your webserver, there is the option of
firewalling them out (i.e. ipfw add 10000 deny ip from x.x.x.x to me) or
using apache's built-in access.conf mechanism. You could do something in
your access.conf along the lines of:

    Order Allow,Deny
    Allow from all
    Deny from 211.233.89.189

Personally I'd go with the firewalling, although sometimes it is not
practical if the websites in question are not your own.

Lastly, just to ease your mind, all the attacks in your original mail are
IIS attacks and as such should not work on your webserver :)

To illustrate from my own logfiles :)

    me@my:/var/log>grep '[root|cmd].exe' httpd-error.log|wc -l
    27938

Hope this helps.
Med venlig hilsen / Best Regards
Laust Jespersen
http://www.ust.dk
======================================================================
Viking Rule of Acquisition 1: Remember where you beached the long ship

From owner-freebsd-security@FreeBSD.ORG Sat Jan 10 18:49:24 2004
Date: Sat, 10 Jan 2004 21:47:47 -0500 (EST)
From: Robert Watson
To: David Edwards
In-Reply-To: <000701c3d7c8$697a4e40$6400a8c0@winxp1700>
Cc: freebsd-security@freebsd.org
Subject: Re: Need some help on security

On Sat, 10 Jan 2004, David Edwards wrote:

> Anyway, on to the question, last night, the server stopped responding
> after someone tried to gain access to what looks to be web based
> printing. I am not familiar with any firewall/IDS solutions and have
> looked over Snort and IPFW today. I don't want to do IPFW because I
> don't want to recompile a kernel that works and potentially lose
> everything I have done so far. Here is a bit of the apache error_log
> which shows the issue I am referring to:
>
> [Sat Jan 10 01:34:04 2004] [error] [client 211.233.89.189] File does not
> exist: /usr/home/dbcenter/public_html/NULL.printer
> [Sat Jan 10 01:34:04 2004] [error] [client 211.233.89.189] File does not
> exist: /usr/local/apache/htdocs/NULL.printer

Well, these log entries are for attempted exploits of Microsoft's IIS, and
shouldn't be a problem. The error messages can safely be ignored.

However, the "server stopped responding" bit doesn't sound good. Was the
web server still running (i.e., Apache processes still present)? What does
"ps -alx" show? Were there any console messages regarding apache stopping,
or any error messages in the Apache log about it exiting or changing
states, as opposed to just file not found errors?

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Senior Research Scientist, McAfee Research
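Two log-triage helpers for the noise raised in this digest, the late DNS replies that log_in_vain reports in Alexandre's thread and the IIS probe entries in David's Apache error_log, as an added example that is not code from any of the list posts. It assumes POSIX sh plus awk, constructed sample log lines with documentation addresses, and the "ipfw add N deny ip from x.x.x.x to me" rule form Laust suggested.

```shell
#!/bin/sh
# Added example, not from the list posts: keep the signal in two noisy logs.
# All log lines below are constructed; addresses are RFC 5737 documentation
# ranges, not the hosts from the thread.

# ---- 1. log_in_vain: pass everything through EXCEPT late DNS replies ------
# Same message format Alexandre quoted ("kernel: Connection attempt to UDP
# FREEBSD_IP:port from DNSSERVER_IP:53"), with a syslog prefix in front.
KERNEL_LOG='Jan  9 17:30:01 gw kernel: Connection attempt to UDP 192.0.2.10:49211 from 198.51.100.53:53
Jan  9 17:30:05 gw kernel: Connection attempt to UDP 192.0.2.10:49307 from 198.51.100.53:53
Jan  9 17:31:12 gw kernel: Connection attempt to UDP 192.0.2.10:1434 from 203.0.113.77:2318
Jan  9 17:31:40 gw kernel: Connection attempt to TCP 192.0.2.10:22 from 203.0.113.77:4123
Jan  9 17:32:03 gw kernel: Connection attempt to UDP 192.0.2.10:49400 from 198.51.100.54:53
Jan  9 17:32:10 gw kernel: arp: 203.0.113.9 is using my IP address'

# vain_not_dns "<resolver ip> [<resolver ip> ...]"   (reads the log on stdin)
# Drops only UDP attempts whose source is port 53 on one of the listed
# resolvers (a reply that arrived after the resolver gave up waiting); every
# other line, vain attempt or not, is printed unchanged so nothing is lost.
vain_not_dns() {
    awk -v resolvers="$1" '
        BEGIN { n = split(resolvers, r, " "); for (i = 1; i <= n; i++) ok[r[i]] = 1 }
        {
            if (match($0, /Connection attempt to (UDP|TCP) [^ ]+ from [^ ]+/)) {
                split(substr($0, RSTART, RLENGTH), f, " ")  # f[4]=proto f[5]=dst f[7]=src
                split(f[7], s, ":")                          # s[1]=src ip, s[2]=src port
                if (f[4] == "UDP" && s[2] == "53" && (s[1] in ok)) next
            }
            print
        }'
}

# ---- 2. Apache error_log: who is probing for IIS, and what to block -------
# Constructed entries in the format David posted.
APACHE_LOG='[Sat Jan 10 01:34:04 2004] [error] [client 203.0.113.5] File does not exist: /usr/local/apache/htdocs/NULL.printer
[Sat Jan 10 01:34:04 2004] [error] [client 203.0.113.5] File does not exist: /usr/local/apache/htdocs/404.shtml
[Sat Jan 10 01:34:05 2004] [error] [client 203.0.113.5] File does not exist: /usr/local/apache/htdocs/scripts/root.exe
[Sat Jan 10 01:34:06 2004] [error] [client 203.0.113.5] File does not exist: /usr/local/apache/htdocs/scripts/..%5c../winnt/system32/cmd.exe
[Sat Jan 10 01:34:07 2004] [error] [client 203.0.113.5] File does not exist: /usr/local/apache/htdocs/MSADC/root.exe
[Sat Jan 10 02:10:11 2004] [error] [client 203.0.113.77] File does not exist: /usr/local/apache/htdocs/scripts/nsiislog.dll
[Sat Jan 10 02:10:12 2004] [error] [client 203.0.113.77] File does not exist: /usr/local/apache/htdocs/404.shtml
[Sat Jan 10 03:00:00 2004] [error] [client 198.51.100.9] File does not exist: /usr/local/apache/htdocs/favicon.ico'

# iis_probe_clients   (reads error_log on stdin; prints "<hits> <client ip>",
# busiest client first).  Only the IIS-specific filenames seen in the thread
# count as a hit; the 404.shtml lines Apache logs right after a miss are not
# counted, and a client with no hits is not listed at all.
iis_probe_clients() {
    awk '
        tolower($0) ~ /(null\.printer|cmd\.exe|root\.exe|nsiislog\.dll)/ &&
        match($0, /\[client [^]]+\]/) {
            ip = substr($0, RSTART + 8, RLENGTH - 9)   # strip "[client " and "]"
            hits[ip]++
        }
        END { for (ip in hits) print hits[ip], ip }' | sort -rn
}

# ipfw_deny_rules <min hits> <first rule number>   (reads iis_probe_clients
# output on stdin).  Emits one rule per client at or above the threshold, in
# the form Laust suggested, for review before anything is loaded into ipfw.
ipfw_deny_rules() {
    awk -v min="$1" -v rule="$2" '
        ($1 + 0) >= (min + 0) {
            printf "ipfw add %d deny ip from %s to me\n", rule, $2
            rule++
        }'
}

# Demo when run directly: filtered kernel log, per-client probe counts, and
# the candidate ipfw rules for clients with three or more probes.
printf '%s\n' "$KERNEL_LOG" | vain_not_dns "198.51.100.53 198.51.100.54"
printf '%s\n' "$APACHE_LOG" | iis_probe_clients
printf '%s\n' "$APACHE_LOG" | iis_probe_clients | ipfw_deny_rules 3 10000
```

Feed the real files instead of the constructed variables (e.g. the output of `grep 'Connection attempt' /var/log/messages` or the Apache error_log) to use the same functions on a live system.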