From owner-freebsd-security@FreeBSD.ORG Sun Jan 11 07:11:36 2004
From: "Devon H. O'Dell"
Date: Sun, 11 Jan 2004 16:10:33 +0100
To: freebsd-security@freebsd.org
Subject: BSD-licensed IDS/IDP Software?
Message-ID: <40016769.3030202@sitetronics.com>

I seem to remember seeing somewhere (on this list/on the web -- don't
remember) that there was some ``Snort-like'' software that was available
under the BSD license. Unfortunately, I'm unable to find any information
about such software.

Was I dreaming, or can anybody else jog my memory? :)

Kind regards,

Devon H. O'Dell

From owner-freebsd-security@FreeBSD.ORG Sun Jan 11 07:22:43 2004
From: Oskar Eyb
Date: Sun, 11 Jan 2004 16:22:35 +0100
To: freebsd-security@freebsd.org
Subject: Re: BSD-licensed IDS/IDP Software?
Message-ID: <1073834555.742c154b803ae@chuck.ath.cx>
In-Reply-To: <40016769.3030202@sitetronics.com>

Quoting "Devon H. O'Dell":

> I seem to remember seeing somewhere (on this list/on the web -- don't
> remember) that there was some ``Snort-like'' software that was available
> under the BSD license.

SHADOW?

http://www.nswc.navy.mil/ISSEC/CID/index.html

But I don't know what type of license it uses.

HTH,
-- 
Oskar

From owner-freebsd-security@FreeBSD.ORG Sun Jan 11 09:02:35 2004
From: D J Hawkey Jr
Date: Sun, 11 Jan 2004 11:02:33 -0600
To: Oskar Eyb
cc: freebsd-security@freebsd.org
Subject: Re: BSD-licensed IDS/IDP Software?
Message-ID: <20040111170233.GA47267@sheol.localdomain>
In-Reply-To: <1073834555.742c154b803ae@chuck.ath.cx>
What's going on here? I've received this message, like, 6 or 8 times now.

Dave

-- 
  ______________________                         ______________________
  \__________________   \     D. J. HAWKEY JR.  /   __________________/
     \________________/\      hawkeyd@visi.com  /\________________/
                          http://www.visi.com/~hawkeyd/

On Jan 11, at 04:22 PM, Oskar Eyb wrote:
> 
> Quoting "Devon H. O'Dell":
> 
> > I seem to remember seeing somewhere (on this list/on the web -- don't
> > remember) that there was some ``Snort-like'' software that was available
> > under the BSD license.
> 
> SHADOW?
> 
> http://www.nswc.navy.mil/ISSEC/CID/index.html
> 
> But I don't know what type of license it uses.
> 
> HTH,
> -- 
> Oskar
> 
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Sun Jan 11 10:50:34 2004
From: "Devon H. O'Dell"
Date: Sun, 11 Jan 2004 19:49:29 +0100
To: hawkeyd@visi.com
cc: freebsd-security@freebsd.org
cc: Oskar Eyb
Subject: Re: BSD-licensed IDS/IDP Software?
Message-ID: <40019AB9.704@sitetronics.com>
In-Reply-To: <20040111170233.GA47267@sheol.localdomain>

D J Hawkey Jr wrote:
> What's going on here? I've received this message, like, 6 or 8 times now.
> 
> Dave

I would guess that this is a problem with your subscription or something;
I've received each message once.

--Devon

From owner-freebsd-security@FreeBSD.ORG Sun Jan 11 10:55:12 2004
From: Oskar Eyb
Date: Sun, 11 Jan 2004 19:55:05 +0100
To: freebsd-security@freebsd.org
Subject: Re: BSD-licensed IDS/IDP Software?
Message-ID: <1073847305.3f04559781734@chuck.ath.cx>
In-Reply-To: <40019AB9.704@sitetronics.com>
Quoting "Devon H. O'Dell":

> D J Hawkey Jr wrote:
> > What's going on here? I've received this message, like, 6 or 8 times
> > now.

> I would guess that this is a problem with your subscription or something;
> I've received each message once.

According to my mailserver logs the message left my system exactly one time.

-- 
Oskar

From owner-freebsd-security@FreeBSD.ORG Sun Jan 11 11:30:48 2004
From: Chris Odell
Organization: Red Star Networks, INC
Date: 11 Jan 2004 11:19:35 -0800
To: freebsd list
Subject: Re: BSD-licensed IDS/IDP Software?
Message-Id: <1073848775.2538.28.camel@i8000notebook.priv.redstarnetworks.net>
In-Reply-To: <1073847305.3f04559781734@chuck.ath.cx>

Maybe the email sorter is tired.....

On Sun, 2004-01-11 at 10:55, Oskar Eyb wrote:
> Quoting "Devon H. O'Dell":
> 
> > D J Hawkey Jr wrote:
> > > What's going on here? I've received this message, like, 6 or 8 times
> > > now.
> 
> > I would guess that this is a problem with your subscription or something;
> > I've received each message once.
> 
> According to my mailserver logs the message left my system exactly one time.
> 
> -- 
> Oskar

From owner-freebsd-security@FreeBSD.ORG Sun Jan 11 13:38:38 2004
From: D J Hawkey Jr
Date: Sun, 11 Jan 2004 15:38:36 -0600
To: Oskar Eyb
cc: freebsd-security@freebsd.org
Subject: Re: BSD-licensed IDS/IDP Software?
Message-ID: <20040111213836.GA820@sheol.localdomain>
References: <40016769.3030202@sitetronics.com> <1073847305.3f04559781734@chuck.ath.cx>
In-Reply-To: <1073847305.3f04559781734@chuck.ath.cx>

On Jan 11, at 07:55 PM, Oskar Eyb wrote:
> 
> Quoting "Devon H. O'Dell":
> 
> > > What's going on here? I've received this message, like, 6 or 8 times
> > > now.
> 
> > I would guess that this is a problem with your subscription or something;
> > I've received each message once.
> 
> According to my mailserver logs the message left my system exactly one time.

Thanks guys. As it turns out, I had a fetchmail SNAFU here.

Sorry to trouble y'all.

Dave

-- 
  ______________________                         ______________________
  \__________________   \     D. J. HAWKEY JR.  /   __________________/
     \________________/\      hawkeyd@visi.com  /\________________/
                          http://www.visi.com/~hawkeyd/

From owner-freebsd-security@FreeBSD.ORG Mon Jan 12 00:08:59 2004
From: freebsd@tern.ru
Reply-To: Alexandre Krasnov
Organization: Tern
Date: Mon, 12 Jan 2004 11:10:45 +0300
To: Jez Hancock
cc: freebsd-security@freebsd.org
Subject: Re[2]: Problem with DNS (UDP) queries
Message-ID: <1399021926.20040112111045@tern.ru>
In-Reply-To: <20040109230801.GE1488@users.munk.nu>
References: <1775511953.20040109173220@tern.ru> <20040109144956.GB87284@users.munk.nu> <1839710842.20040109181325@tern.ru> <20040109230801.GE1488@users.munk.nu>

Maybe you are right. I'll try to set it up (switch to logging via ipfw)
and see if there is something that I do not like in this config.
Don't know why, I feel some discomfort while thinking about this solution.

JH> On Fri, Jan 09, 2004 at 06:13:25PM +0300, freebsd@tern.ru wrote:
>> Yes, I had thought about what you wrote.
>> Because of this I mentioned that 'I do not want to turn off the "log
>> in vain" feature.'
JH> In that case I imagine you'd need to hack the kernel source code to make
JH> it not log vain udp port 53 requests. I'm fairly sure it's an 'all or
JH> nothing' sysctl mib/flag.

JH> Why do you want to log those vain connection attempts using
JH> 'log_in_vain' though? It would be a lot more suitable to use the
JH> logging feature in ipfw2 and disable the log_in_vain feature completely.

JH> Just my opinion though :P

>> JH> On Fri, Jan 09, 2004 at 05:32:20PM +0300, freebsd@tern.ru wrote:
>> >> Hi all
>> >> 
>> >> I am trying to get rid of strings:
>> >> kernel: Connection attempt to UDP FREEBSD_IP:port from DNSSERVER_IP:53
>> >> on my console and in log file
>> >> 
>> >> I understand that those are replies on DNS queries that for some reason
>> >> took too long time to be answered.
>> >> I do not want to turn off the "log in vain" feature.
>> >> 
>> >> As these strings fill up my log I am afraid to miss some sensitive
>> >> messages (e.g. hacker's attack :)
>> >> 
>> >> I'm using FreeBSD 5.1 with ipfw2 that allows via static rules both
>> >> DNS queries and DNS replies.
>> >> 
>> >> The main application that generates queries is sendmail.
>> >> 
>> >> What can be done?

>> JH> I believe those messages are generated if the following sysctl flag is
>> JH> set:
>> 
>> JH> net.inet.udp.log_in_vain
>> 
>> JH> you can disable it by executing:
>> 
>> JH> sysctl net.inet.udp.log_in_vain=0
>> 
>> JH> on the commandline.
>> 
>> JH> Obviously though this will disable logging of all vain connection attempts using
>> JH> the udp protocol. However if you have ipfw set up to log such attempts,
>> JH> you don't really need that sysctl flag set anyway.
>> 
>> JH> See also the tcp equivalent flag:
>> 
>> JH> net.inet.tcp.log_in_vain
>> 
>> JH> also see the manpage for rc.conf(5) regarding the log_in_vain rc.conf
>> JH> setting.
>> 
>> >> Alex.
>> 
>> Alex.
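A third option for the log_in_vain thread above, between "patch the kernel" and "turn it off and rely on ipfw", is to leave net.inet.udp.log_in_vain on and filter the log stream instead. The shell filter below is an added example and is not code from the thread or from FreeBSD. It drops a UDP "Connection attempt" line only when all three of these hold: the source is one of the host's own resolvers (the RESOLVERS list is an assumption), the source port is 53, and the destination port is in the ephemeral range, which is what a late DNS reply to sendmail looks like. A source-port-53 packet from any other host, or one aimed at a low port, is kept, so the sysctl still earns its keep. The addresses and log lines are constructed for illustration.

```shell
#!/bin/sh
# Post-filter for FreeBSD log_in_vain kernel messages (added example, not
# from the original thread). A line such as
#   kernel: Connection attempt to UDP 10.1.2.3:49152 from 192.0.2.53:53
# is dropped only when SRC is one of our resolvers, SPORT is 53 and DPORT is
# an ephemeral port; every other line is passed through unchanged.
# RESOLVERS and all addresses below are assumptions constructed for the demo.

RESOLVERS="${RESOLVERS:-192.0.2.53 192.0.2.54}"
EPHEMERAL_FIRST="${EPHEMERAL_FIRST:-1024}"   # net.inet.ip.portrange.first default

drop_late_dns_replies() {
    # stdin: log lines; stdout: the lines still worth reading
    awk -v resolvers="$RESOLVERS" -v first="$EPHEMERAL_FIRST" '
    BEGIN {
        n = split(resolvers, r, " ")
        for (i = 1; i <= n; i++) trusted[r[i]] = 1
    }
    {
        if (match($0, /Connection attempt to UDP [0-9.]+:[0-9]+ from [0-9.]+:[0-9]+/)) {
            split(substr($0, RSTART, RLENGTH), f, " ")
            split(f[5], dst, ":")          # f[5] = DST:DPORT
            split(f[7], src, ":")          # f[7] = SRC:SPORT
            if (src[2] + 0 == 53 && dst[2] + 0 >= first + 0 && (src[1] in trusted))
                next                       # late reply from our own resolver
        }
        print                              # anything else is still interesting
    }'
}

# Constructed sample input: four lines that must survive, one that must not.
sample_log() {
cat <<'EOF'
Jan 12 11:10:45 mx kernel: Connection attempt to UDP 10.1.2.3:49152 from 192.0.2.53:53
Jan 12 11:10:46 mx kernel: Connection attempt to UDP 10.1.2.3:49153 from 198.51.100.7:53
Jan 12 11:10:47 mx kernel: Connection attempt to UDP 10.1.2.3:514 from 192.0.2.53:53
Jan 12 11:10:48 mx kernel: Connection attempt to TCP 10.1.2.3:22 from 203.0.113.9:4444
Jan 12 11:10:49 mx sshd[812]: Accepted publickey for alex from 10.1.2.9 port 50122 ssh2
EOF
}

# Real use:  tail -F /var/log/messages | drop_late_dns_replies
sample_log | drop_late_dns_replies
```

The filter deliberately does not key on "from anything:53": a packet with source port 53 from a host that is not in resolv.conf is exactly the kind of thing log_in_vain exists to show you.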
From owner-freebsd-security@FreeBSD.ORG Tue Jan 13 00:38:02 2004
From: "Nick Twaddell"
Organization: Web Space Solutions
Date: Tue, 13 Jan 2004 00:38:28 -0800
Subject: pam_chroot
Message-Id: <20040113083801.3661243D49@mx1.FreeBSD.org>

Has anyone got the pam_chroot module to successfully work in FreeBSD? I
have FreeBSD 5.2-RELEASE installed. I copied the appropriate binaries and
libraries into my chroot, I can chroot -u test -g test /home/test
/usr/local/bin/bash and it works perfectly. So now I am trying to get the
pam module to work. I added

session required pam_chroot.so debug

into the /etc/pam.d/sshd file. I changed my passwd file so my home dir is
/home/test/./

When I try to login as that user, it just kicks me right now. There are no
errors in the log :(

Connection to wp1 closed by remote host.
Connection to wp1 closed.

Maybe someone in here can help.

Nick
------------------------------------------------------------------------------------
Nick Twaddell
Web Space Solutions
Ph: (805) 704-4038
Fx: (805) 434-2477

From owner-freebsd-security@FreeBSD.ORG Tue Jan 13 01:04:16 2004
From: Peter Pentchev
Date: Tue, 13 Jan 2004 11:04:18 +0200
To: Nick Twaddell
cc: freebsd-security@freebsd.org
Subject: Re: pam_chroot
Message-ID: <20040113090417.GH711@straylight.m.ringlet.net>
In-Reply-To: <20040113083801.3661243D49@mx1.FreeBSD.org>

On Tue, Jan 13, 2004 at 12:38:28AM -0800, Nick Twaddell wrote:
> Has anyone got the pam_chroot module to successfully work in FreeBSD? I
> have FreeBSD 5.2-RELEASE installed. I copied the appropriate binaries and
> libraries into my chroot, I can chroot -u test -g test /home/test
> /usr/local/bin/bash and it works perfectly. So now I am trying to get the
> pam module to work. I added
> session required pam_chroot.so debug
> into the /etc/pam.d/sshd file. I changed my passwd file so my home dir is
> /home/test/./
> 
> when I try to login as that user, it just kicks me right now. There are no
> errors in the log :(
> 
> Connection to wp1 closed by remote host.
> Connection to wp1 closed.
> 
> Maybe someone in here can help.

What do you mean 'try to login as that user' - try to login as 'test',
or something else?

Do you have passwd, master.passwd, group, pwd.db and spwd.db files in
the /home/test/etc/ directory? If not, copy the passwd, master.passwd
and group files from your /etc/ directory, remove the entries you do not
really need, then run pwd_mkdb /home/test/etc/master.passwd to build the
pwd.db and spwd.db files.
If that doesn't work, can you post the output of 'find /home/test -ls'

G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net    roam@sbnd.net    roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
The rest of this sentence is written in Thailand, on

From owner-freebsd-security@FreeBSD.ORG Mon Jan 12 10:33:28 2004
From: Dan Pelleg
Date: 12 Jan 2004 13:33:18 -0500
To: Robert Watson
cc: freebsd-security@freebsd.org
cc: David Edwards
Subject: Re: Need some help on security
X-Mailman-Approved-At: Tue, 13 Jan 2004 01:48:41 -0800

Robert Watson writes:

> On Sat, 10 Jan 2004, David Edwards wrote:
> 
> > Anyway, on to the question, last night, the server stopped responding
> > after someone tried to gain access to what looks to be web based
> > printing. I am not familiar with any firewall/IDS solutions and have
> > looked over Snort and IPFW today. I don't want to do IPFW because I
> > don't want to recompile a kernel that works and potentially lose
> > everything I have done so far. Here is a bit of the apache error_log
> > which shows the issue I am referring to:
> > 
> > [Sat Jan 10 01:34:04 2004] [error] [client 211.233.89.189] File does not
> > exist: /usr/home/dbcenter/public_html/NULL.printer
> > [Sat Jan 10 01:34:04 2004] [error] [client 211.233.89.189] File does not
> > exist: /usr/local/apache/htdocs/NULL.printer
> 
> Well, these log entries are for attempted exploits of Microsoft's IIS, and
> shouldn't be a problem. The error messages can safely be ignored.
> 

Agreed. They can also be sent in a complaint to the appropriate admin.
See the security/hunch port.

-- 
Dan Pelleg

From owner-freebsd-security@FreeBSD.ORG Tue Jan 13 03:30:41 2004
From: des@des.no (Dag-Erling Smørgrav)
Date: Tue, 13 Jan 2004 12:30:29 +0100
To: "Nick Twaddell"
References: <20040113083801.3661243D49@mx1.FreeBSD.org>
In-Reply-To: <20040113083801.3661243D49@mx1.FreeBSD.org> (Nick Twaddell's message of "Tue, 13 Jan 2004 00:38:28 -0800")
cc: freebsd-security@freebsd.org
Subject: Re: pam_chroot

"Nick Twaddell" writes:
> Has anyone got the pam_chroot module to successfully work in FreeBSD?

Yes.

However, there seems to be a bug in OpenSSH 3.7.1 which prevents it
from calling pam_open_session().

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Tue Jan 13 03:39:04 2004
From: Peter Pentchev
Date: Tue, 13 Jan 2004 13:39:05 +0200
To: Dag-Erling Smørgrav
cc: freebsd-security@freebsd.org
cc: Nick Twaddell
Subject: Re: pam_chroot
Message-ID: <20040113113905.GI711@straylight.m.ringlet.net>
References: <20040113083801.3661243D49@mx1.FreeBSD.org>

On Tue, Jan 13, 2004 at 12:30:29PM +0100, Dag-Erling Smørgrav wrote:
> "Nick Twaddell" writes:
> > Has anyone got the pam_chroot module to successfully work in FreeBSD?
> 
> Yes.
> 
> However, there seems to be a bug in OpenSSH 3.7.1 which prevents it
> from calling pam_open_session().

But didn't the original poster mention FreeBSD 5.2-RELEASE? I think you
imported OpenSSH 3.7.1 *after* 5.2 was branched, right? He should be
using OpenSSH 3.6.1p1.. are you, Nick?

G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net    roam@sbnd.net    roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
What would this sentence be like if pi were 3?
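The /home/test/etc contents Peter asks about in his first reply in this thread can be produced with the script below. It is an added example, not code from the thread or from FreeBSD: keep_entries prunes passwd(5)/group(5)-style files down to the accounts the chrooted session actually needs, and build_chroot_etc runs pwd_mkdb(8) with -d so that pwd.db, spwd.db and the derived passwd file are written under the chroot. That flag matters: given only a file path, pwd_mkdb installs its output into the host's /etc, which is the one place you do not want a stripped-down master.passwd to land. CHROOT, KEEP_USERS and KEEP_GROUPS are assumptions; the sample master.passwd is constructed so the pruning step can be exercised without root or a FreeBSD box.

```shell
#!/bin/sh
# Build the /etc a pam_chroot'ed login needs, following the steps Peter
# Pentchev gives in the thread (added example, not from the thread or from
# FreeBSD). CHROOT, KEEP_USERS and KEEP_GROUPS are assumptions; adjust them.

CHROOT="${CHROOT:-/home/test}"
KEEP_USERS="${KEEP_USERS:-root test}"
KEEP_GROUPS="${KEEP_GROUPS:-wheel test}"

keep_entries() {
    # $1: space-separated names to keep; stdin: a passwd/master.passwd/group
    # style file. Comment lines survive; every entry not listed is dropped.
    awk -F: -v keep="$1" '
    BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
    /^#/ || ($1 in want) { print }'
}

build_chroot_etc() {
    # $1: chroot directory; $2: source etc directory (default /etc). Run as root.
    root="$1"; src="${2:-/etc}"
    umask 022
    mkdir -p "$root/etc"
    keep_entries "$KEEP_USERS"  < "$src/master.passwd" > "$root/etc/master.passwd"
    keep_entries "$KEEP_GROUPS" < "$src/group"         > "$root/etc/group"
    chmod 600 "$root/etc/master.passwd"
    # -d keeps pwd.db/spwd.db inside the chroot and -p writes the stripped
    # passwd(5) there too. Without -d, pwd_mkdb would overwrite /etc/pwd.db.
    pwd_mkdb -p -d "$root/etc" "$root/etc/master.passwd"
}

# Constructed master.passwd, used here only to exercise keep_entries.
sample_master_passwd() {
cat <<'EOF'
# comment lines are kept
root:*:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
test:*:1001:1001::0:0:Test User:/home/test/./:/usr/local/bin/bash
EOF
}

# On the real box, as root:  build_chroot_etc "$CHROOT"
# Here we only show what the pruning step keeps:
sample_master_passwd | keep_entries "$KEEP_USERS"
```

The pruned copy is the point, not a convenience: whatever ends up in /home/test/etc is readable to anyone who gets a shell inside the chroot, so it should name only the accounts the jailed session needs and nothing about the rest of the host.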
--3CAnR4CLEnEWqRMR Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) iD8DBQFAA9jZ7Ri2jRYZRVMRApIXAJ4oPiUSTh2O5Eo4BFpCQ/L1t7sMGwCgubaA Sn/sIZNsoA4QARUVUGm8xyY= =xEes -----END PGP SIGNATURE----- --3CAnR4CLEnEWqRMR-- From owner-freebsd-security@FreeBSD.ORG Tue Jan 13 03:54:07 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AFB6116A4CE for ; Tue, 13 Jan 2004 03:54:07 -0800 (PST) Received: from smtp.des.no (flood.des.no [217.116.83.31]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4745B43D62 for ; Tue, 13 Jan 2004 03:54:04 -0800 (PST) (envelope-from des@des.no) Received: by smtp.des.no (Pony Express, from userid 666) id 23261532B; Tue, 13 Jan 2004 12:54:03 +0100 (CET) Received: from dwp.des.no (des.no [80.203.228.37]) by smtp.des.no (Pony Express) with ESMTP id 68BBC5323; Tue, 13 Jan 2004 12:53:54 +0100 (CET) Received: by dwp.des.no (Postfix, from userid 2602) id F15FF33C6A; Tue, 13 Jan 2004 12:53:53 +0100 (CET) To: Nick Twaddell References: <20040113083801.3661243D49@mx1.FreeBSD.org> <20040113113905.GI711@straylight.m.ringlet.net> From: des@des.no (Dag-Erling =?iso-8859-1?q?Sm=F8rgrav?=) Date: Tue, 13 Jan 2004 12:53:53 +0100 In-Reply-To: <20040113113905.GI711@straylight.m.ringlet.net> (Peter Pentchev's message of "Tue, 13 Jan 2004 13:39:05 +0200") Message-ID: User-Agent: Gnus/5.090024 (Oort Gnus v0.24) Emacs/21.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable X-Spam-Checker-Version: SpamAssassin 2.61 (1.212.2.1-2003-12-09-exp) on flood.des.no X-Spam-Level: ss X-Spam-Status: No, hits=2.6 required=5.0 tests=RCVD_IN_DYNABLOCK, RCVD_IN_SORBS autolearn=no version=2.61 cc: freebsd-security@freebsd.org Subject: Re: pam_chroot X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: 
list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 13 Jan 2004 11:54:07 -0000 Peter Pentchev writes: > But didn't the original poster mention FreeBSD 5.2-RELEASE? I think > you imported OpenSSH 3.7.1 *after* 5.2 was branched, right? He should > be using OpenSSH 3.6.1p1.. are you, Nick? In that case, it should work... that's what I was running when I wrote pam_chroot(8). DES --=20 Dag-Erling Sm=F8rgrav - des@des.no From owner-freebsd-security@FreeBSD.ORG Tue Jan 13 03:56:32 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 223E416A4CE for ; Tue, 13 Jan 2004 03:56:32 -0800 (PST) Received: from smtp.des.no (flood.des.no [217.116.83.31]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6200C43D68 for ; Tue, 13 Jan 2004 03:56:27 -0800 (PST) (envelope-from des@des.no) Received: by smtp.des.no (Pony Express, from userid 666) id 377A1532B; Tue, 13 Jan 2004 12:56:26 +0100 (CET) Received: from dwp.des.no (des.no [80.203.228.37]) by smtp.des.no (Pony Express) with ESMTP id 16A2F5323; Tue, 13 Jan 2004 12:56:17 +0100 (CET) Received: by dwp.des.no (Postfix, from userid 2602) id B9D8233C6A; Tue, 13 Jan 2004 12:56:17 +0100 (CET) To: Nick Twaddell References: <20040113083801.3661243D49@mx1.FreeBSD.org> <20040113113905.GI711@straylight.m.ringlet.net> From: des@des.no (Dag-Erling =?iso-8859-1?q?Sm=F8rgrav?=) Date: Tue, 13 Jan 2004 12:56:17 +0100 In-Reply-To: (Dag-Erling =?iso-8859-1?q?Sm=F8rgrav's?= message of "Tue, 13 Jan 2004 12:53:53 +0100") Message-ID: User-Agent: Gnus/5.090024 (Oort Gnus v0.24) Emacs/21.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable X-Spam-Checker-Version: SpamAssassin 2.61 (1.212.2.1-2003-12-09-exp) on flood.des.no X-Spam-Level: ss X-Spam-Status: No, hits=2.6 
required=5.0 tests=RCVD_IN_DYNABLOCK, RCVD_IN_SORBS autolearn=no version=2.61 cc: freebsd-security@freebsd.org Subject: Re: pam_chroot X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 13 Jan 2004 11:56:32 -0000 waitasecond... now that I think about it, you may have to turn privsep off for pam_chroot to work. DES --=20 Dag-Erling Sm=F8rgrav - des@des.no From owner-freebsd-security@FreeBSD.ORG Tue Jan 13 08:41:33 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 206F616A4CE; Tue, 13 Jan 2004 08:41:33 -0800 (PST) Received: from ftp.bjpu.edu.cn (ftp.bjpu.edu.cn [202.112.78.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id AB12F43D48; Tue, 13 Jan 2004 08:41:30 -0800 (PST) (envelope-from delphij@frontfree.net) Received: by ftp.bjpu.edu.cn (Postfix, from userid 426) id D56E352D4; Wed, 14 Jan 2004 00:41:27 +0800 (CST) Received: from beastie.frontfree.net (beastie.frontfree.net [218.107.145.7]) by ftp.bjpu.edu.cn (Postfix) with ESMTP id 8F7295299; Wed, 14 Jan 2004 00:41:27 +0800 (CST) Received: by beastie.frontfree.net (Postfix, from userid 426) id 1630B118C4; Wed, 14 Jan 2004 00:41:26 +0800 (CST) Received: from phantasm205 (unknown [221.216.126.213]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (No client certificate requested) by beastie.frontfree.net (Postfix) with ESMTP id 5A2FA116AA; Wed, 14 Jan 2004 00:41:24 +0800 (CST) Message-ID: <02f201c3d9f4$15c51130$0401a8c0@phantasm205> From: "Xin LI" To: Date: Wed, 14 Jan 2004 00:41:23 +0800 Organization: Phantasm Studio MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.3790.0 X-MimeOLE: Produced By 
Microsoft MimeOLE V6.00.3790.0 cc: security-officer@FreeBSD.org cc: peter@FreeBSD.org Subject: Request to upgrade cvs in FreeBSD [New stable cvs release fixing new vulnerability?] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 13 Jan 2004 16:41:33 -0000 Greetings, Peter and the Security Officers team, There is a minor security vulnerability in cvs prior 1.11.10, as described in CAN-2003-0977: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0977 On December 10th, 2003, itojun has imported cvs 1.11.10 into NetBSD, as the follows: http://mail-index.netbsd.org/source-changes/2003/12/10/0025.html http://mail-index.netbsd.org/source-changes/2003/12/10/0026.html After a week it has been 'pulled-up' (MFC in our convention) to 1.6 branch: http://mail-index.netbsd.org/source-changes/2003/12/17/0020.html http://mail-index.netbsd.org/source-changes/2003/12/17/0021.html itojun has clarified the update on this post: http://mail-index.netbsd.org/tech-userlevel/2003/12/10/0003.html Then I posted a request on this list, having CC'ed to peter@, so@ and re@: http://lists.freebsd.org/pipermail/freebsd-security/2003-December/001286.html Colin Percival then replied with a patch to mitigate the problem, which should be easy to audited: http://lists.freebsd.org/pipermail/freebsd-security/2003-December/001299.html Unfortunately, before we have taken any steps (importing a new cvs version is not so trivial and I guess that's the reason why you have not done it), cvs 1.11.11 has been released, and imported into NetBSD: http://mail-index.netbsd.org/source-changes/2004/01/02/0021.html http://mail-index.netbsd.org/source-changes/2004/01/02/0022.html Which mentions Gentoo Linux's security advisory, GLSA-200312-08, for your information, is available on BugTraq: http://www.securityfocus.com/archive/1/348448 
So would you please consider a similar action to be taken place in FreeBSD? Or, are we really not affected by this? Thanks in advance! Xin LI Repo-meister, Project Coordinator and Liaison The FreeBSD Simplified Chinese Project From owner-freebsd-security@FreeBSD.ORG Tue Jan 13 08:59:03 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 25AC416A4CF; Tue, 13 Jan 2004 08:59:03 -0800 (PST) Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1CF8F43D6A; Tue, 13 Jan 2004 08:58:55 -0800 (PST) (envelope-from nectar@celabo.org) Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.celabo.org (Postfix) with ESMTP id A903E5482B; Tue, 13 Jan 2004 10:58:54 -0600 (CST) Received: by madman.celabo.org (Postfix, from userid 1001) id 65DA76D45F; Tue, 13 Jan 2004 10:58:54 -0600 (CST) Date: Tue, 13 Jan 2004 10:58:54 -0600 From: "Jacques A. Vidrine" To: Xin LI Message-ID: <20040113165854.GC50458@madman.celabo.org> Mail-Followup-To: "Jacques A. Vidrine" , Xin LI , freebsd-security@freebsd.org, peter@FreeBSD.org, security-officer@FreeBSD.org References: <02f201c3d9f4$15c51130$0401a8c0@phantasm205> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <02f201c3d9f4$15c51130$0401a8c0@phantasm205> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.4i-ja.1 cc: freebsd-security@freebsd.org cc: security-officer@FreeBSD.org cc: peter@FreeBSD.org Subject: Re: Request to upgrade cvs in FreeBSD [New stable cvs release fixing new vulnerability?] 
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 13 Jan 2004 16:59:03 -0000 On Wed, Jan 14, 2004 at 12:41:23AM +0800, Xin LI wrote: > So would you please consider a similar action to be taken place in > FreeBSD? CVS is Peter's baby, and I am loathe to touch it. Maybe he'll tell us his near-term plans. Cheers, -- Jacques Vidrine NTT/Verio SME FreeBSD UNIX Heimdal nectar@celabo.org jvidrine@verio.net nectar@freebsd.org nectar@kth.se From owner-freebsd-security@FreeBSD.ORG Tue Jan 13 10:19:33 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 820F316A4CE for ; Tue, 13 Jan 2004 10:19:33 -0800 (PST) Received: from mx1.webspacesolutions.com (ns1.webspacesolutions.com [216.74.11.68]) by mx1.FreeBSD.org (Postfix) with SMTP id 3380D43D5C for ; Tue, 13 Jan 2004 10:19:32 -0800 (PST) (envelope-from nick@webspacesolutions.com) Received: (qmail 14301 invoked by uid 507); 13 Jan 2004 18:07:30 -0000 Received: from nick@webspacesolutions.com by ns1.webspacesolutions.com by uid 504 with qmail-scanner-1.20rc1 (clamuko: 0.65. spamassassin: 2.55. Clear:RC:1:. 
Processed in 0.019341 secs); 13 Jan 2004 18:07:30 -0000 Received: from 24-205-247-185.ata-cres.charterpipeline.net (HELO beastie) (24.205.247.185) by mx1.webspacesolutions.com with SMTP; 13 Jan 2004 18:07:30 -0000 From: "Nick Twaddell" To: "'Peter Pentchev'" , Date: Tue, 13 Jan 2004 10:20:34 -0800 Organization: Web Space Solutions MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook, Build 11.0.5510 In-Reply-To: <20040113164950.GA722@straylight.m.ringlet.net> Thread-Index: AcPZ86XkqxQqTZvNSh2rLNWMlPjACwADgyKw X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 X-Qmail-Scanner-Message-ID: <107401725063614296@ns1.webspacesolutions.com> Message-Id: <20040113181932.3380D43D5C@mx1.FreeBSD.org> Subject: RE: pam_chroot X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 13 Jan 2004 18:19:33 -0000 I do have PrivilegeSeparation off :( Whats the next idea? :) -----Original Message----- From: Peter Pentchev [mailto:roam@ringlet.net] Sent: Tuesday, January 13, 2004 8:50 AM To: Nick Twaddell Subject: Re: pam_chroot On Tue, Jan 13, 2004 at 01:24:18AM -0800, Nick Twaddell wrote: > Hey Peter, > Yes I have all those files in my /home/user/etc/ dir > > -su-2.05b# pwd > /home/nick/etc > -su-2.05b# ls > group master.passwd passwd pwd.db spwd.db > > attached is the list of files you requested. All of this looks fine... Could you try turning off the 'privilege separation' feature of OpenSSH, as per Dag-Erling's suggestion in another message? Edit your /etc/sshd_config file, find the line that says 'PrivilegeSeparation', uncomment it if needed, and make sure it says 'off'. After that, restart your master sshd server, e.g. 
using the following command: kill -HUP `cat /var/run/sshd.pid` G'luck, Peter -- Peter Pentchev roam@ringlet.net roam@sbnd.net roam@FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 I had to translate this sentence into English because I could not read the original Sanskrit. From owner-freebsd-security@FreeBSD.ORG Tue Jan 13 14:29:07 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8FEF916A4CF for ; Tue, 13 Jan 2004 14:29:07 -0800 (PST) Received: from kestrel.alerce.com (kestrel.alerce.com [209.182.219.40]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9F85B43D2F for ; Tue, 13 Jan 2004 14:28:53 -0800 (PST) (envelope-from hartzell@kestrel.alerce.com) Received: from rosebud.alerce.com (w095.z064001164.sjc-ca.dsl.cnc.net [64.1.164.95]) (authenticated bits=128) by kestrel.alerce.com (8.12.10/8.12.10) with ESMTP id i0DMSpLN069534 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for ; Tue, 13 Jan 2004 14:28:52 -0800 (PST) (envelope-from hartzell@kestrel.alerce.com) Received: from rosebud.alerce.com (localhost [127.0.0.1]) by rosebud.alerce.com (8.12.9p2/8.12.9) with ESMTP id i0DMSnjv005816 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for ; Tue, 13 Jan 2004 14:28:51 -0800 (PST) (envelope-from hartzell@rosebud.alerce.com) Received: (from hartzell@localhost) by rosebud.alerce.com (8.12.9p2/8.12.9/Submit) id i0DMSnqs005813; Tue, 13 Jan 2004 14:28:49 -0800 (PST) (envelope-from hartzell) From: George Hartzell MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <16388.28960.595527.20394@rosebud.alerce.com> Date: Tue, 13 Jan 2004 14:28:48 -0800 To: freebsd-security@freebsd.org X-Mailer: VM 7.14 under 21.4 (patch 14) "Reasonable Discussion" XEmacs Lucid X-Virus-Scanned: ClamAV version 'clamd 
/ ClamAV version devel-20031103', clamav-milter version '0.60n' Subject: IPSEC btwn stable and Linksys BEFVP41 stopped working. X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: hartzell@kestrel.alerce.com List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 13 Jan 2004 22:29:07 -0000 Hi, I have been using IPsec to communicate between a laptop that tracks -stable and a Linksys BEFVP41 router. I only use it infrequently, but it's been working great. My setup is as described in http://grapeape.alerce.com/linksys-ipsec/article.html (which I am planning to submit to the handbook when it's done). I'm no longer able to make an ipsec connection, and I can't put my finger on anything that's changed. The most obvious candidate is the move from 4.8 to 4.9. It could also be that something involving the racoon port needs to move forward to match 4.9? I have recompiled the version of the port that I'm using, distinfo says: MD5 (racoon-20030711a.tar.gz) = 0546688efd5bb3725c8243045500a48a I'm loath to start blindly updating everything in sight, and since none of the comments in the racoon CVS directory talk about "fixing it for 4.9" or anything, I've been sticking with what I have for now. I have two hopefully useful pieces of information. 
Here's a trace from "racoon -F -d -f racoon.conf" 2004-01-13 13:36:39: INFO: main.c:172:main(): @(#)package version freebsd-20030711a 2004-01-13 13:36:39: INFO: main.c:174:main(): @(#)internal version 20001216 sakane@kame.net 2004-01-13 13:36:39: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7c 30 Sep 2003 (http://www.openssl.org/) 2004-01-13 13:36:39: DEBUG: pfkey.c:371:pfkey_init(): call pfkey_send_register for AH 2004-01-13 13:36:39: DEBUG: pfkey.c:371:pfkey_init(): call pfkey_send_register for ESP 2004-01-13 13:36:39: DEBUG: pfkey.c:371:pfkey_init(): call pfkey_send_register for IPCOMP 2004-01-13 13:36:39: DEBUG: cftoken.l:549:yycf_set_buffer(): reading config file /usr/local/etc/racoon/racoon.conf 2004-01-13 13:36:39: DEBUG: algorithm.c:614:alg_oakley_dhdef(): hmac(modp1024) 2004-01-13 13:36:39: DEBUG: pfkey.c:2310:pk_checkalg(): compression algorithm can not be checked because sadb message doesn't support it. 2004-01-13 13:36:39: DEBUG: grabmyaddr.c:204:grab_myaddrs(): my interface: 64.1.164.95 (fxp0) 2004-01-13 13:36:39: DEBUG: grabmyaddr.c:204:grab_myaddrs(): my interface: fe80::a00:46ff:fe07:71d5%fxp0 (fxp0) 2004-01-13 13:36:39: DEBUG: grabmyaddr.c:204:grab_myaddrs(): my interface: ::1 (lo0) 2004-01-13 13:36:39: DEBUG: grabmyaddr.c:204:grab_myaddrs(): my interface: fe80::1%lo0 (lo0) 2004-01-13 13:36:39: DEBUG: grabmyaddr.c:204:grab_myaddrs(): my interface: 127.0.0.1 (lo0) 2004-01-13 13:36:39: DEBUG: grabmyaddr.c:471:autoconf_myaddrsport(): configuring default isakmp port. 
2004-01-13 13:36:39: DEBUG: grabmyaddr.c:493:autoconf_myaddrsport(): 5 addrs are configured successfully 2004-01-13 13:36:39: INFO: isakmp.c:1358:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=5) 2004-01-13 13:36:39: INFO: isakmp.c:1358:isakmp_open(): fe80::1%lo0[500] used as isakmp port (fd=6) 2004-01-13 13:36:39: INFO: isakmp.c:1358:isakmp_open(): ::1[500] used as isakmp port (fd=7) 2004-01-13 13:36:39: INFO: isakmp.c:1358:isakmp_open(): fe80::a00:46ff:fe07:71d5%fxp0[500] used as isakmp port (fd=8) 2004-01-13 13:36:39: INFO: isakmp.c:1358:isakmp_open(): 64.1.164.95[500] used as isakmp port (fd=9) 2004-01-13 13:36:39: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey X_SPDDUMP message 2004-01-13 13:36:39: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey X_SPDDUMP message 2004-01-13 13:36:39: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbfbff828: 64.1.164.95/32[0] 192.168.1.0/24[0] proto=any dir=out 2004-01-13 13:36:39: DEBUG: policy.c:185:cmpspidxstrict(): db :0x80a1c08: 192.168.1.0/24[0] 64.1.164.95/32[0] proto=any dir=in 2004-01-13 13:36:41: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey ACQUIRE message 2004-01-13 13:36:41: DEBUG: pfkey.c:1557:pk_recvacquire(): suitable outbound SP found: 64.1.164.95/32[0] 192.168.1.0/24[0] proto=any dir=out. 2004-01-13 13:36:41: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbfbff814: 192.168.1.0/24[0] 64.1.164.95/32[0] proto=any dir=in 2004-01-13 13:36:41: DEBUG: policy.c:185:cmpspidxstrict(): db :0x80a1c08: 192.168.1.0/24[0] 64.1.164.95/32[0] proto=any dir=in 2004-01-13 13:36:41: DEBUG: pfkey.c:1573:pk_recvacquire(): suitable inbound SP found: 192.168.1.0/24[0] 64.1.164.95/32[0] proto=any dir=in. 2004-01-13 13:36:41: DEBUG: pfkey.c:1612:pk_recvacquire(): new acquire 64.1.164.95/32[0] 192.168.1.0/24[0] proto=any dir=out 2004-01-13 13:36:41: DEBUG: sainfo.c:112:getsainfo(): anonymous sainfo selected. 
2004-01-13 13:36:41: DEBUG: proposal.c:825:printsaproto(): (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0) 2004-01-13 13:36:41: DEBUG: proposal.c:859:printsatrns(): (trns_id=3DES encklen=0 authtype=2) 2004-01-13 13:36:41: DEBUG: remoteconf.c:129:getrmconf(): anonymous configuration selected for 64.1.164.92. 2004-01-13 13:36:41: INFO: isakmp.c:1684:isakmp_post_acquire(): IPsec-SA request for 64.1.164.92 queued due to no phase1 found. 2004-01-13 13:36:41: DEBUG: isakmp.c:793:isakmp_ph1begin_i(): === 2004-01-13 13:36:41: INFO: isakmp.c:798:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 64.1.164.95[500]<=>64.1.164.92[500] 2004-01-13 13:36:41: INFO: isakmp.c:803:isakmp_ph1begin_i(): begin Identity Protection mode. 2004-01-13 13:36:41: DEBUG: isakmp.c:1996:isakmp_newcookie(): new cookie: 3a7de03600b9ca1e 2004-01-13 13:36:41: DEBUG: isakmp.c:2113:set_isakmp_payload(): add payload of len 52, next type 0 2004-01-13 13:36:41: DEBUG: isakmp.c:2248:isakmp_printpacket(): begin. 
36:41.616852 64.1.164.95:500 -> 64.1.164.92:500: isakmp 1.0 msgid 00000000: phase 1 I ident: (sa: doi=ipsec situation=identity (p: #1 protoid=isakmp transform=1 (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration len=4 value=00015180)(type=enc value=3des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024)))) 2004-01-13 13:36:41: DEBUG: sockmisc.c:421:sendfromto(): sockname 64.1.164.95[500] 2004-01-13 13:36:41: DEBUG: sockmisc.c:423:sendfromto(): send packet from 64.1.164.95[500] 2004-01-13 13:36:41: DEBUG: sockmisc.c:425:sendfromto(): send packet to 64.1.164.92[500] 2004-01-13 13:36:41: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 84 bytes message will be sent to 64.1.164.92[500] 2004-01-13 13:36:41: DEBUG: plog.c:193:plogdump(): 3a7de036 00b9ca1e 00000000 00000000 01100200 00000000 00000054 00000038 00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 000c0004 00015180 80010005 80030001 80020002 80040002 2004-01-13 13:36:41: DEBUG: isakmp.c:1449:isakmp_ph1resend(): resend phase1 packet 3a7de03600b9ca1e:0000000000000000 2004-01-13 13:36:50: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey ACQUIRE message 2004-01-13 13:36:50: DEBUG: pfkey.c:1541:pk_recvacquire(): ignore the acquire becuase ph2 found 2004-01-13 13:36:51: DEBUG: sockmisc.c:421:sendfromto(): sockname 64.1.164.95[500] 2004-01-13 13:36:51: DEBUG: sockmisc.c:423:sendfromto(): send packet from 64.1.164.95[500] 2004-01-13 13:36:51: DEBUG: sockmisc.c:425:sendfromto(): send packet to 64.1.164.92[500] 2004-01-13 13:36:51: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 84 bytes message will be sent to 64.1.164.92[500] 2004-01-13 13:36:51: DEBUG: plog.c:193:plogdump(): 3a7de036 00b9ca1e 00000000 00000000 01100200 00000000 00000054 00000038 00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 000c0004 00015180 80010005 80030001 80020002 80040002 2004-01-13 13:36:51: DEBUG: isakmp.c:1449:isakmp_ph1resend(): resend phase1 packet 
3a7de03600b9ca1e:0000000000000000 ^C2004-01-13 13:36:53: INFO: session.c:299:check_sigreq(): caught signal 2 2004-01-13 13:36:53: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey FLUSH message 2004-01-13 13:36:53: DEBUG: schedule.c:210:sched_scrub_param(): an undead schedule has been deleted. 2004-01-13 13:36:54: DEBUG: pfkey.c:271:pfkey_dump_sadb(): call pfkey_send_dump 2004-01-13 13:36:54: DEBUG: schedule.c:210:sched_scrub_param(): an undead schedule has been deleted. 2004-01-13 13:36:54: INFO: session.c:180:close_session(): racoon shutdown And when I have a ping running that should be going over the tunnel, the Linksys logs this: 2004-01-13 13:36:51 **IKE incoming packet dropped : unknown peer ! 2004-01-13 13:36:51 Received: IP=64.1.164.95 I_Cookie=[3a 7d e0 36 00 b9 ca 1e ] R_Cookie=[00 00 00 00 00 00 00 00 ] All of the examples of packets w/ I_cookies I could find by googling also had values for the R_cookie field..... Does this ring any bells for anyone. Can someone point me in a useful direction? g. 
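The 84-byte packet that racoon retransmits above, decoded as an added example (this code is not from the post, from racoon or from the Linksys firmware). The hex dump is copied from the plogdump() line in the trace; field layouts follow the ISAKMP header (RFC 2408) and the IKE phase 1 attribute ids (RFC 2409, Appendix A), and the name tables below cover only the values that occur in this packet. It shows why the R_Cookie field is not the anomaly: in the initiator's first main-mode message the responder cookie is necessarily all zeros, because the responder has not chosen one yet, and the router's own log line says it dropped the packet because it did not recognise 64.1.164.95 as a peer, so the peer definition on the router side is the place to look rather than the cookie.

```python
"""Decode the first phase 1 ISAKMP message from a racoon hex dump (added example)."""
import struct

# Copied from the plogdump() line in the trace: the 84-byte main-mode message 1.
PH1_DUMP = (
    "3a7de036 00b9ca1e 00000000 00000000 01100200 00000000 00000054 "
    "00000038 00000001 00000001 0000002c 01010001 00000024 01010000 "
    "800b0001 000c0004 00015180 80010005 80030001 80020002 80040002"
)

EXCHANGE_TYPES = {1: "base", 2: "identity protection", 4: "aggressive", 5: "informational"}
# Phase 1 transform attribute ids and the value names racoon prints for them.
ATTR_NAMES = {1: "enc", 2: "hash", 3: "auth", 4: "group", 11: "lifetype", 12: "lifeduration"}
ATTR_VALUES = {
    "enc": {5: "3des"}, "hash": {2: "sha1"}, "auth": {1: "preshared"},
    "group": {2: "modp1024"}, "lifetype": {1: "sec"},
}


def parse_isakmp_header(pkt):
    """Split the fixed 28-byte ISAKMP header: two cookies, next payload,
    version, exchange type, flags, message id and total length."""
    if len(pkt) < 28:
        raise ValueError("packet shorter than the ISAKMP header")
    i_cookie, r_cookie, nxt, version, exch, flags, msgid, length = struct.unpack(
        "!8s8sBBBBII", pkt[:28])
    if length != len(pkt):
        raise ValueError("length field %d does not match %d bytes" % (length, len(pkt)))
    return {
        "i_cookie": i_cookie.hex(), "r_cookie": r_cookie.hex(),
        "next_payload": nxt, "version": "%d.%d" % (version >> 4, version & 0xF),
        "exchange": EXCHANGE_TYPES.get(exch, "unknown(%d)" % exch),
        "flags": flags, "msgid": msgid, "length": length,
    }


def parse_transform_attributes(data):
    """Walk a transform's attribute list. The high bit of the type selects
    the TV form (2-byte value in place) or the TLV form (length, then value)."""
    attrs, off = {}, 0
    while off + 4 <= len(data):
        atype, aval = struct.unpack("!HH", data[off:off + 4])
        off += 4
        if atype & 0x8000:
            value = aval
        else:
            value = int.from_bytes(data[off:off + aval], "big")
            off += aval
        name = ATTR_NAMES.get(atype & 0x7FFF, "attr%d" % (atype & 0x7FFF))
        attrs[name] = ATTR_VALUES.get(name, {}).get(value, value)
    return attrs


def parse_ph1_packet(hexdump):
    """Return (header, attributes) for a packet carrying one SA payload with
    one proposal and one transform, which is what the trace shows."""
    pkt = bytes.fromhex(hexdump.replace(" ", ""))
    hdr = parse_isakmp_header(pkt)
    # Every payload starts with: next payload (1), reserved (1), length (2).
    sa_len = struct.unpack("!H", pkt[30:32])[0]
    prop_off = 28 + 4 + 8            # SA body = DOI (4) + situation (4)
    prop_len = struct.unpack("!H", pkt[prop_off + 2:prop_off + 4])[0]
    trans_off = prop_off + 4 + 4     # proposal body = #, proto, SPI size, #transforms
    trans_len = struct.unpack("!H", pkt[trans_off + 2:trans_off + 4])[0]
    if 28 + sa_len != len(pkt) or prop_len != sa_len - 12 or trans_len != prop_len - 8:
        raise ValueError("payload lengths do not chain to the packet length")
    # Transform body = #, transform id, reserved (2), then the attributes.
    attr_data = pkt[trans_off + 8:trans_off + trans_len]
    return hdr, parse_transform_attributes(attr_data)


def is_first_main_mode_message(hdr):
    """True for the initiator's opening message: message id 0 and an all-zero
    responder cookie, which is the normal shape of that packet, not an error."""
    return (hdr["exchange"] == "identity protection" and hdr["msgid"] == 0
            and hdr["r_cookie"] == "00" * 8 and hdr["i_cookie"] != "00" * 8)


if __name__ == "__main__":
    header, attributes = parse_ph1_packet(PH1_DUMP)
    print(header)
    print(attributes)
    print("first main-mode message:", is_first_main_mode_message(header))
```

The decoded attributes match what racoon's isakmp_printpacket() line prints (3DES, SHA1, pre-shared key, modp1024, 86400-second lifetime), and the cookie pair matches the I_Cookie/R_Cookie the Linksys reports; the length check ties the nested SA, proposal and transform lengths back to the 84 bytes sendfromto() announces.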
From owner-freebsd-security@FreeBSD.ORG Wed Jan 14 05:42:21 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1526216A4CE for ; Wed, 14 Jan 2004 05:42:21 -0800 (PST) Received: from corb.mc.mpls.visi.com (corb.mc.mpls.visi.com [208.42.156.1]) by mx1.FreeBSD.org (Postfix) with ESMTP id 18B9343D1D for ; Wed, 14 Jan 2004 05:42:18 -0800 (PST) (envelope-from hawkeyd@visi.com) Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193]) by corb.mc.mpls.visi.com (Postfix) with ESMTP id 2223788DA for ; Wed, 14 Jan 2004 07:42:17 -0600 (CST) Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.6p2/8.11.6) id i0EDgFq21324 for freebsd-security@freebsd.org; Wed, 14 Jan 2004 07:42:15 -0600 (CST) (envelope-from hawkeyd) X-Spam-Policy: http://www.visi.com/~hawkeyd/index.html#mail Date: Wed, 14 Jan 2004 07:42:15 -0600 From: D J Hawkey Jr To: security at FreeBSD Message-ID: <20040114134215.GA21307@sheol.localdomain> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.4.1i Subject: mtree vs tripwire X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: hawkeyd@visi.com List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 14 Jan 2004 13:42:21 -0000 Hi all. This might seem really naive, but can mtree be used effectively as a native-to-core-OS tripwire equivalent? Would it be as efficient in terms of time-to-run and resource requirements? What sort of pitfalls should I be aware of? Has anyone here done this? If so, would you care to share your scripts/techniques? Thanks, Dave -- ______________________ ______________________ \__________________ \ D. J. HAWKEY JR. 
/ __________________/ \________________/\ hawkeyd@visi.com /\________________/ http://www.visi.com/~hawkeyd/ From owner-freebsd-security@FreeBSD.ORG Wed Jan 14 10:09:13 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D2E3E16A4CE for ; Wed, 14 Jan 2004 10:09:13 -0800 (PST) Received: from mongers.org (miracle.mongers.org [193.162.142.71]) by mx1.FreeBSD.org (Postfix) with SMTP id 3062D43D2F for ; Wed, 14 Jan 2004 10:09:12 -0800 (PST) (envelope-from jlouis@mongers.org) Received: (qmail 31105 invoked by uid 1030); 14 Jan 2004 18:09:31 -0000 From: "Jesper Louis Andersen" Date: Wed, 14 Jan 2004 19:09:31 +0100 To: D J Hawkey Jr Message-ID: <20040114180931.GA17074@miracle.mongers.org> References: <20040114134215.GA21307@sheol.localdomain> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline In-Reply-To: <20040114134215.GA21307@sheol.localdomain> User-Agent: Mutt/1.4.1i cc: security at FreeBSD Subject: Re: mtree vs tripwire X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 14 Jan 2004 18:09:13 -0000 Quoting D J Hawkey Jr (hawkeyd@visi.com): > This might seem really naive, but can mtree be used effectively as > a native-to-core-OS tripwire equivalent? Would it be as efficient in > terms of time-to-run and resource requirements? > > What sort of pitfalls should I be aware of? Yes, it can: Pro: distributed with base Con: Only available for *BSD architectures as far as my knowledge goes. What it means is that if you want to cryptographically hash a Linux-box tripwire might be better to use because you would get a common interface across your platforms. On the other hand, last time I looked tripwire was a magnificient piece of bloat. -- j. 
From owner-freebsd-security@FreeBSD.ORG Wed Jan 14 10:22:05 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 33AE216A4CE for ; Wed, 14 Jan 2004 10:22:05 -0800 (PST) Received: from conn.mc.mpls.visi.com (conn.mc.mpls.visi.com [208.42.156.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6EBCE43D31 for ; Wed, 14 Jan 2004 10:22:02 -0800 (PST) (envelope-from hawkeyd@visi.com) Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193]) by conn.mc.mpls.visi.com (Postfix) with ESMTP id EB2AA893D; Wed, 14 Jan 2004 12:21:54 -0600 (CST) Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.6p2/8.11.6) id i0EILsK22465; Wed, 14 Jan 2004 12:21:54 -0600 (CST) (envelope-from hawkeyd) X-Spam-Policy: http://www.visi.com/~hawkeyd/index.html#mail Date: Wed, 14 Jan 2004 12:21:54 -0600 From: D J Hawkey Jr To: Jesper Louis Andersen Message-ID: <20040114182154.GA22444@sheol.localdomain> References: <20040114134215.GA21307@sheol.localdomain> <20040114180931.GA17074@miracle.mongers.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20040114180931.GA17074@miracle.mongers.org> User-Agent: Mutt/1.4.1i cc: security at FreeBSD Subject: Re: mtree vs tripwire X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: hawkeyd@visi.com List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 14 Jan 2004 18:22:05 -0000 On Jan 14, at 07:09 PM, Jesper Louis Andersen wrote: > > > This might seem really naive, but can mtree be used effectively as > > a native-to-core-OS tripwire equivalent? Would it be as efficient in > > terms of time-to-run and resource requirements? > > Pro: distributed with base > Con: Only available for *BSD architectures as far as my knowledge goes. 
I'm aware of both, yes; hence my question. FreeBSD is all I'm dealing with, where my question is concerned. Is your reply from personal experience, or is it the same "Hey, it could..." as is my question? If the former, would you elaborate on the implementation details? Thanks, Dave -- ______________________ ______________________ \__________________ \ D. J. HAWKEY JR. / __________________/ \________________/\ hawkeyd@visi.com /\________________/ http://www.visi.com/~hawkeyd/ From owner-freebsd-security@FreeBSD.ORG Wed Jan 14 10:38:55 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CC06B16A4D3 for ; Wed, 14 Jan 2004 10:38:55 -0800 (PST) Received: from theinternet.com.au (c211-30-103-113.carlnfd1.nsw.optusnet.com.au [211.30.103.113]) by mx1.FreeBSD.org (Postfix) with ESMTP id A16FD43D5D for ; Wed, 14 Jan 2004 10:38:53 -0800 (PST) (envelope-from akm@theinternet.com.au) Received: from theinternet.com.au (akm@localhost [127.0.0.1]) by theinternet.com.au (8.12.9/8.12.9) with ESMTP id i0EIcotN057845; Thu, 15 Jan 2004 05:38:50 +1100 (EST) (envelope-from akm@theinternet.com.au) Received: (from akm@localhost) by theinternet.com.au (8.12.9/8.12.9/Submit) id i0EIcoAk057844; Thu, 15 Jan 2004 05:38:50 +1100 (EST) Date: Thu, 15 Jan 2004 05:38:50 +1100 From: Andrew Kenneth Milton To: D J Hawkey Jr Message-ID: <20040114183850.GM57209@zeus.theinternet.com.au> References: <20040114134215.GA21307@sheol.localdomain> <20040114180931.GA17074@miracle.mongers.org> <20040114182154.GA22444@sheol.localdomain> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20040114182154.GA22444@sheol.localdomain> User-Agent: Mutt/1.4.1i cc: security at FreeBSD cc: Jesper Louis Andersen Subject: Re: mtree vs tripwire X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues 
[members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 14 Jan 2004 18:38:55 -0000 +-------[ D J Hawkey Jr ]---------------------- | On Jan 14, at 07:09 PM, Jesper Louis Andersen wrote: | > | > > This might seem really naive, but can mtree be used effectively as | > > a native-to-core-OS tripwire equivalent? Would it be as efficient in | > > terms of time-to-run and resource requirements? | > | > Pro: distributed with base | > Con: Only available for *BSD architectures as far as my knowledge goes. | | I'm aware of both, yes; hence my question. FreeBSD is all I'm dealing | with, where my question is concerned. | | Is your reply from personal experience, or is it the same "Hey, it | could..." as is my question? If the former, would you elaborate on the | implementation details? The manpage for mtree has an example... -- Totally Holistic Enterprises Internet| | Andrew Milton The Internet (Aust) Pty Ltd | M:+61 416 022 411 | ACN: 082 081 472 ABN: 83 082 081 472 |akm@theinternet.com.au| Carpe Daemon From owner-freebsd-security@FreeBSD.ORG Wed Jan 14 10:49:12 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B22E316A4CE for ; Wed, 14 Jan 2004 10:49:12 -0800 (PST) Received: from conn.mc.mpls.visi.com (conn.mc.mpls.visi.com [208.42.156.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6FDCF43D1F for ; Wed, 14 Jan 2004 10:49:09 -0800 (PST) (envelope-from hawkeyd@visi.com) Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193]) by conn.mc.mpls.visi.com (Postfix) with ESMTP id 6955A8946; Wed, 14 Jan 2004 12:49:08 -0600 (CST) Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.6p2/8.11.6) id i0EIn7N22945; Wed, 14 Jan 2004 12:49:07 -0600 (CST) (envelope-from hawkeyd) X-Spam-Policy: http://www.visi.com/~hawkeyd/index.html#mail Date: Wed, 14 Jan 2004 12:49:07 -0600 
From: D J Hawkey Jr
To: Andrew Kenneth Milton
Message-ID: <20040114184907.GA22901@sheol.localdomain>
References: <20040114134215.GA21307@sheol.localdomain> <20040114180931.GA17074@miracle.mongers.org> <20040114182154.GA22444@sheol.localdomain> <20040114183850.GM57209@zeus.theinternet.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20040114183850.GM57209@zeus.theinternet.com.au>
User-Agent: Mutt/1.4.1i
cc: security at FreeBSD
Subject: Re: mtree vs tripwire
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: hawkeyd@visi.com
List-Id: Security issues [members-only posting]
X-List-Received-Date: Wed, 14 Jan 2004 18:49:12 -0000

On Jan 15, at 05:38 AM, Andrew Kenneth Milton wrote:
>
> The manpage for mtree has an example...

The 4.5-REL man page has a "suggestion", where using it as an IDS is
concerned; that's what spurred my post. I'm looking for insights as to
"fleshing it out"; I can't imagine that it's as straightforward as it
appears - though it just might be, based on other replies. :-)

Dave

-- 
______________________ ______________________
\__________________ \ D. J. HAWKEY JR. / __________________/
\________________/\ hawkeyd@visi.com /\________________/
http://www.visi.com/~hawkeyd/

From owner-freebsd-security@FreeBSD.ORG Wed Jan 14 11:17:24 2004
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1897716A4CE for ; Wed, 14 Jan 2004 11:17:24 -0800 (PST)
Received: from web12606.mail.yahoo.com (web12606.mail.yahoo.com [216.136.173.229]) by mx1.FreeBSD.org (Postfix) with SMTP id 2318843D45 for ; Wed, 14 Jan 2004 11:17:23 -0800 (PST) (envelope-from bj93542@yahoo.com)
Message-ID: <20040114191722.88525.qmail@web12606.mail.yahoo.com>
Received: from [128.226.68.47] by web12606.mail.yahoo.com via HTTP; Wed, 14 Jan 2004 11:17:22 PST
Date: Wed, 14 Jan 2004 11:17:22 -0800 (PST)
From: Dorin H
To: hawkeyd@visi.com
In-Reply-To: <20040114134215.GA21307@sheol.localdomain>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
cc: freebsd-security@freebsd.org
Subject: Re: mtree vs tripwire
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Wed, 14 Jan 2004 19:17:24 -0000

--- D J Hawkey Jr wrote:
> Hi all.
>
> This might seem really naive, but can mtree be used effectively as
> a native-to-core-OS tripwire equivalent? Would it be as efficient in
> terms of time-to-run and resource requirements?
>

Theoretically, and practical for small configurations, yes.

> What sort of pitfalls should I be aware of?
>

IMHO, you can use any tool you want to compute some "signature" for
files you deem relevant. But you have to carefully consider the
scalability problem, the problem of false/negatives (how do you/your
program deal with a modified file? bin/config/data/tmp file) and so on.
Tripwire (correct me if I am wrong, but last time I looked it was still
to be updated in FreeBSD, focus was on "aide") is a targeted tool that
helps with the information management... probably bloated :). Like any
tool, it is up to you to decide what's useful or not ;)

HTH,
/Dorin.

> Has anyone here done this? If so, would you care to share your
> scripts/techniques?
>
> Thanks,
> Dave
>
> --
> ______________________ ______________________
> \__________________ \ D. J. HAWKEY JR. / __________________/
> \________________/\ hawkeyd@visi.com /\________________/
> http://www.visi.com/~hawkeyd/
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

__________________________________
Do you Yahoo!?
Yahoo! Hotjobs: Enter the "Signing Bonus" Sweepstakes
http://hotjobs.sweepstakes.yahoo.com/signingbonus

From owner-freebsd-security@FreeBSD.ORG Thu Jan 15 01:58:06 2004
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CB8DB16A4CE for ; Thu, 15 Jan 2004 01:58:06 -0800 (PST)
Received: from nbh-gw.newchem.ru (platan.newchem.ru [81.3.149.218]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8D58F43D4C for ; Thu, 15 Jan 2004 01:58:04 -0800 (PST) (envelope-from illich@newchem.ru)
Received: from 127.0.0.1 ([192.168.204.4]) by nbh-gw.newchem.ru (8.12.9/8.12.7) with ESMTP id i0F9w2Ut038757 for ; Thu, 15 Jan 2004 12:58:02 +0300 (MSK) (envelope-from illich@newchem.ru)
X-AntiVirus: Checked by Dr.Web (http://www.drweb.net)
Date: Thu, 15 Jan 2004 12:58:02 +0300
From: Illia Baidakov
X-Mailer: The Bat! (v1.62q) Personal
X-Priority: 3 (Normal)
Message-ID: <287929591.20040115125802@newchem.ru>
To: freebsd-security@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: kerberos5 authentication of ssh connections
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Illia Baidakov
List-Id: Security issues [members-only posting]
X-List-Received-Date: Thu, 15 Jan 2004 09:58:06 -0000

Hello freebsd-security!

What is the best way to authenticate remote ssh users transparently
without typing the kinit and kdestroy commands? Using pam_krb5 works
satisfactorily for local logins but makes it crooked for remote ssh
ones. The comp.protocols.kerberos and comp.security.ssh newsgroups and
the pam-krb5-users maillist confirm this assertion.

As far as I understood, using the kerberized login.krb5 tool implies
removing (or hiding) the native login program and substituting it by
login.krb5, say as a symbolic link, isn't it?

The possibility of selecting one of two or more authentication methods,
as in the case of pam, may be useful, say if I need to pass users to
exploiting kerberized applications gradually, and even more so when I
am suffering problems with my KDCs or network connections. IMHO using
pam_krb5 for kerberized login is somewhat superfluous.

-- 
Thanks in advance
Illia Baidakov.
From owner-freebsd-security@FreeBSD.ORG Wed Jan 14 10:25:49 2004
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3754816A4CE for ; Wed, 14 Jan 2004 10:25:49 -0800 (PST)
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.86.163]) by mx1.FreeBSD.org (Postfix) with ESMTP id CC59743D46 for ; Wed, 14 Jan 2004 10:25:46 -0800 (PST) (envelope-from phk@phk.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.12.10/8.12.10) with ESMTP id i0EIPddN026260; Wed, 14 Jan 2004 19:25:39 +0100 (CET) (envelope-from phk@phk.freebsd.dk)
To: hawkeyd@visi.com
From: "Poul-Henning Kamp"
In-Reply-To: Your message of "Wed, 14 Jan 2004 12:21:54 CST." <20040114182154.GA22444@sheol.localdomain>
Date: Wed, 14 Jan 2004 19:25:39 +0100
Message-ID: <26259.1074104739@critter.freebsd.dk>
X-Mailman-Approved-At: Thu, 15 Jan 2004 02:56:02 -0800
cc: security at FreeBSD
cc: Jesper Louis Andersen
Subject: Re: mtree vs tripwire
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Wed, 14 Jan 2004 18:25:49 -0000

In message <20040114182154.GA22444@sheol.localdomain>, D J Hawkey Jr writes:
>On Jan 14, at 07:09 PM, Jesper Louis Andersen wrote:
>>
>> > This might seem really naive, but can mtree be used effectively as
>> > a native-to-core-OS tripwire equivalent? Would it be as efficient in
>> > terms of time-to-run and resource requirements?
>>
>> Pro: distributed with base
>> Con: Only available for *BSD architectures as far as my knowledge goes.
>
>I'm aware of both, yes; hence my question. FreeBSD is all I'm dealing
>with, where my question is concerned.
>
>Is your reply from personal experience, or is it the same "Hey, it
>could..." as is my question? If the former, would you elaborate on the
>implementation details?

Mtree works as well if not slightly better (knows about file-flags) on
FreeBSD.

I'm using mtree a lot for various purposes, including a
contents-addressable archive system I've been using to make backups of
my home-dir for a couple of years.

-- 
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

From owner-freebsd-security@FreeBSD.ORG Wed Jan 14 10:27:57 2004
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8150216A4CE for ; Wed, 14 Jan 2004 10:27:57 -0800 (PST)
Received: from horsey.gshapiro.net (horsey.gshapiro.net [64.105.95.154]) by mx1.FreeBSD.org (Postfix) with ESMTP id 691A743D6B for ; Wed, 14 Jan 2004 10:27:56 -0800 (PST) (envelope-from gshapiro@gshapiro.net)
Received: from horsey.gshapiro.net (localhost [127.0.0.1]) id i0EIRtEO031126 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 14 Jan 2004 10:27:55 -0800 (PST)
Received: (from gshapiro@localhost)i0EIRtX2031125; Wed, 14 Jan 2004 10:27:55 -0800 (PST)
Date: Wed, 14 Jan 2004 10:27:55 -0800
From: Gregory Neil Shapiro
To: D J Hawkey Jr
Message-ID: <20040114182755.GX50342@horsey.gshapiro.net>
References: <20040114134215.GA21307@sheol.localdomain> <20040114180931.GA17074@miracle.mongers.org> <20040114182154.GA22444@sheol.localdomain>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20040114182154.GA22444@sheol.localdomain>
User-Agent: Mutt/1.5.5.1i
X-Mailman-Approved-At: Thu, 15 Jan 2004 02:56:02 -0800
cc: security at FreeBSD
Subject: Re: mtree vs tripwire
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Wed, 14 Jan 2004 18:27:57 -0000

> Is your reply from personal experience, or is it the same "Hey, it
> could..." as is my question? If the former, would you elaborate on the
> implementation details?

I use:

mtree -K sha1digest -c -X mtree.exclude -p / > mtree.out

where mtree.exclude is:

./home
./mnt
./proc
./tmp
./var/account
./var/backups
./var/db
./var/imap
./var/lock
./var/log
./var/mail
./var/run
./var/spool
./var/tmp

Although I am sure there is a better way to do it with mtree, to see if
something has changed, I repeat the process and diff the output.

From owner-freebsd-security@FreeBSD.ORG Wed Jan 14 13:56:30 2004
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D966B16A4CE for ; Wed, 14 Jan 2004 13:56:30 -0800 (PST)
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6AD1143D69 for ; Wed, 14 Jan 2004 13:56:27 -0800 (PST) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: from khavrinen.lcs.mit.edu (localhost.nic.fr [IPv6:::1]) by khavrinen.lcs.mit.edu (8.12.9/8.12.9) with ESMTP id i0ELuPDa018031 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK CN=khavrinen.lcs.mit.edu issuer=SSL+20Client+20CA); Wed, 14 Jan 2004 16:56:26 -0500 (EST) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.12.9/8.12.9/Submit) id i0ELuPTE018028; Wed, 14 Jan 2004 16:56:25 -0500 (EST) (envelope-from wollman)
Date: Wed, 14 Jan 2004 16:56:25 -0500 (EST)
From: Garrett Wollman
Message-Id: <200401142156.i0ELuPTE018028@khavrinen.lcs.mit.edu>
To: hawkeyd@visi.com
In-Reply-To: <20040114134215.GA21307@sheol.localdomain>
References: <20040114134215.GA21307@sheol.localdomain>
X-Spam-Score: -9.9 () IN_REP_TO,REFERENCES
X-Scanned-By: MIMEDefang 2.37
X-Mailman-Approved-At: Thu, 15 Jan 2004 02:56:02 -0800
cc: security at FreeBSD
Subject: mtree vs tripwire
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Wed, 14 Jan 2004 21:56:31 -0000

< said:

> What sort of pitfalls should I be aware of?

mtree files don't scale very well, and to make proper use of them for
this purpose requires a great deal more thought. Tripwire is a bit more
"pre-thunk", and uses a database instead of a flat file, which speeds
updates. (With mtree you'd have to rescan the entire filesystem.)

-GAWollman

From owner-freebsd-security@FreeBSD.ORG Thu Jan 15 07:26:22 2004
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0A10A16A4D9 for ; Thu, 15 Jan 2004 07:26:22 -0800 (PST)
Received: from nbh-gw.newchem.ru (platan.newchem.ru [81.3.149.218]) by mx1.FreeBSD.org (Postfix) with ESMTP id AC50743D58 for ; Thu, 15 Jan 2004 07:26:18 -0800 (PST) (envelope-from illich@newchem.ru)
Received: from 127.0.0.1 ([192.168.204.4]) by nbh-gw.newchem.ru (8.12.9/8.12.7) with ESMTP id i0FFQHUt046592 for ; Thu, 15 Jan 2004 18:26:17 +0300 (MSK) (envelope-from illich@newchem.ru)
X-AntiVirus: Checked by Dr.Web (http://www.drweb.net)
Date: Thu, 15 Jan 2004 18:26:16 +0300
From: Illia Baidakov
X-Mailer: The Bat! (v1.62q) Personal
X-Priority: 3 (Normal)
Message-ID: <1708327497.20040115182616@newchem.ru>
To: freebsd-security@freebsd.org
In-Reply-To: <20040115075502.V4761@yvguvhz.pnzhyhf.bet>
References: <287929591.20040115125802@newchem.ru> <20040115075502.V4761@yvguvhz.pnzhyhf.bet>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: Re[2]: kerberos5 authentication of ssh connections
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Illia Baidakov
List-Id: Security issues [members-only posting]
X-List-Received-Date: Thu, 15 Jan 2004 15:26:22 -0000

Hello

Thursday, January 15, 2004, 4:57:49 PM, you wrote:

ACJ> Have you tried the port 'openssh-portable'? I have been using it with
ACJ> krb5 authentication for about a month. It seems to be working fine.

Namely 3.7.1p2. After reading over the man sshd_config once again I have
caught the difference between KerberosAuthentication and
GSSAPIAuthentication types and between them and using pam_krb5.

Apologies for the disturbance.

-- 
Best regards,
Illia Baidakov.
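The distinction Illia mentions, shown as an added configuration example (not part of the thread; the host pattern is a placeholder): of the two sshd_config keywords, only GSSAPIAuthentication gives the kinit-free remote login that was asked about. The keywords are those of OpenSSH portable 3.7 and later; what each does is taken from sshd_config(5) and ssh_config(5).

```text
# /etc/ssh/sshd_config (server side)

# Single sign-on: the client presents a Kerberos service ticket for the
# server's host/<fqdn>@REALM principal through GSSAPI. No password is
# typed and nothing runs kinit on the server; sshd needs that host
# principal in its keytab.
GSSAPIAuthentication yes
# Destroy any credentials the client delegated to us when the session ends.
GSSAPICleanupCredentials yes

# Older mechanism: the password the user types for PasswordAuthentication
# is validated against the KDC (and a ticket cache created from it). That
# is the same user experience as pam_krb5, not single sign-on.
KerberosAuthentication no
KerberosTicketCleanup yes

# Keep PAM in the loop (account/session handling, and pam_krb5 if it is
# still configured for password logins during a gradual migration).
UsePAM yes

# ~/.ssh/config or /etc/ssh/ssh_config (client side; pattern is a placeholder)
Host *.example.com
    GSSAPIAuthentication yes
    # Forward the user's TGT so kinit is not needed on the remote host either.
    GSSAPIDelegateCredentials yes
```

The client still has to hold a TGT before it connects; that is exactly what pam_krb5 at the local login provides, which is the part Illia reports as working. With `GSSAPIDelegateCredentials` that ticket travels with the session, so the remote shell starts with a usable credential cache as well.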
From owner-freebsd-security@FreeBSD.ORG Thu Jan 15 22:09:23 2004
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B5D9E16A4CE for ; Thu, 15 Jan 2004 22:09:23 -0800 (PST)
Received: from mail.ubergeeks.com (lorax.ubergeeks.com [209.145.65.55]) by mx1.FreeBSD.org (Postfix) with ESMTP id 31DE443D3F for ; Thu, 15 Jan 2004 22:09:21 -0800 (PST) (envelope-from adrian+freebsd-security@ubergeeks.com)
Received: from mail.ubergeeks.com (localhost [127.0.0.1]) by mail.ubergeeks.com (8.12.9p2/8.12.9) with ESMTP id i0G69GqZ047693; Fri, 16 Jan 2004 01:09:17 -0500 (EST) (envelope-from adrian+freebsd-security@ubergeeks.com)
Received: from localhost (adrian@localhost)i0G69GRH047690; Fri, 16 Jan 2004 01:09:16 -0500 (EST) (envelope-from adrian+freebsd-security@ubergeeks.com)
X-Authentication-Warning: lorax.ubergeeks.com: adrian owned process doing -bs
Date: Fri, 16 Jan 2004 01:09:16 -0500 (EST)
From: Adrian Filipi
Sender: adrian@ubergeeks.com
To: D J Hawkey Jr
In-Reply-To: <20040114182154.GA22444@sheol.localdomain>
Message-ID: <20040116010631.G32954@lorax.ubergeeks.com>
References: <20040114134215.GA21307@sheol.localdomain> <20040114182154.GA22444@sheol.localdomain>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-MailScanner-Information: Please contact the ISP for more information
X-MailScanner: Found to be clean
cc: security at FreeBSD
cc: Jesper Louis Andersen
Subject: Re: mtree vs tripwire
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Fri, 16 Jan 2004 06:09:23 -0000

On Wed, 14 Jan 2004, D J Hawkey Jr wrote:

> On Jan 14, at 07:09 PM, Jesper Louis Andersen wrote:
> >
> > > This might seem really naive, but can mtree be used effectively as
> > > a native-to-core-OS tripwire equivalent? Would it be as efficient in
> > > terms of time-to-run and resource requirements?
> >
> > Pro: distributed with base
> > Con: Only available for *BSD architectures as far as my knowledge goes.
>
> I'm aware of both, yes; hence my question. FreeBSD is all I'm dealing
> with, where my question is concerned.
>
> Is your reply from personal experience, or is it the same "Hey, it
> could..." as is my question? If the former, would you elaborate on the
> implementation details?
>
> Thanks,
> Dave

The company I just left makes a security appliance, and we developed an
mtree-based IDS. As others have mentioned, raw mtree and diff as-is
leaves a lot to be desired. It's just not very convenient. That being
said, it works great now that we wrapped it all up in some wrapper
scripts.

Adrian
-- 
[ adrian@ubergeeks.com ]

From owner-freebsd-security@FreeBSD.ORG Fri Jan 16 07:29:32 2004
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A53DC16A4CF for ; Fri, 16 Jan 2004 07:29:32 -0800 (PST)
Received: from rwcrmhc12.comcast.net (rwcrmhc12.comcast.net [216.148.227.85]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8964043D54 for ; Fri, 16 Jan 2004 07:29:31 -0800 (PST) (envelope-from lowell@be-well.ilk.org)
Received: from be-well.no-ip.com ([66.30.200.37]) by comcast.net (rwcrmhc12) with ESMTP id <20040116152931014004bpt7e>; Fri, 16 Jan 2004 15:29:31 +0000
Received: by be-well.no-ip.com (Postfix, from userid 1147) id 696F73A; Fri, 16 Jan 2004 10:29:27 -0500 (EST)
Resent-To: freebsd-security@freebsd.org
Resent-From: Lowell Gilbert
Resent-Date: 16 Jan 2004 10:29:26 -0500
X-From-Line: nobody Thu Jan 15 08:38:55 2004
Sender: lowell@be-well.ilk.org
To: Gregory Neil Shapiro
References: <20040114134215.GA21307@sheol.localdomain> <20040114180931.GA17074@miracle.mongers.org> <20040114182154.GA22444@sheol.localdomain> <20040114182755.GX50342@horsey.gshapiro.net>
From: Lowell Gilbert
Date: 15 Jan 2004 08:38:55 -0500
In-Reply-To: <20040114182755.GX50342@horsey.gshapiro.net>
Message-ID: <44oet5mivk.fsf@be-well.ilk.org>
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.3
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Lines: 34
Resent-Message-Id: <20040116152927.696F73A@be-well.no-ip.com>
cc: security at FreeBSD
Subject: Re: mtree vs tripwire
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Fri, 16 Jan 2004 15:29:32 -0000

Gregory Neil Shapiro writes:

> > Is your reply from personal experience, or is it the same "Hey, it
> > could..." as is my question? If the former, would you elaborate on the
> > implementation details?
>
> I use:
>
> mtree -K sha1digest -c -X mtree.exclude -p / > mtree.out
>
> where mtree.exclude is:
>
> ./home
> ./mnt
> ./proc
> ./tmp
> ./var/account
> ./var/backups
> ./var/db
> ./var/imap
> ./var/lock
> ./var/log
> ./var/mail
> ./var/run
> ./var/spool
> ./var/tmp
>
> Although I am sure there is a better way to do it with mtree, to
> see if something has changed, I repeat the process and diff the
> output.

That would be

mtree < mtree.out

to have mtree do it itself.
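What Gregory's baseline run and Lowell's check do, as an added worked example that is not from the thread: the baseline-then-verify loop reimplemented in Python so it runs on any system against a constructed directory tree. On FreeBSD you would run mtree itself, and the verifying run should be given the same `-p /` (and the same exclude list) as the baseline so both look at the same root. Keyword names follow mtree's; DEFAULT_EXCLUDE and the files built in demo() are constructed for illustration, and the `flags` keyword is only populated on BSD, which is the file-flags point Poul-Henning makes.

```python
# mtree-style baseline and verify (added example, not code from the thread):
# record the keywords `mtree -K sha1digest -c` would, honour an -X style
# exclude list, and report what `mtree < spec` would flag on a later run.
import fnmatch, hashlib, os, shutil, stat, tempfile

# Constructed exclude list, same idea as the thread's mtree.exclude file.
DEFAULT_EXCLUDE = ("./tmp", "./var/log", "./var/run")

def _rel(root, path):
    """Path relative to root in mtree's ./a/b form ('.' for the root)."""
    r = os.path.relpath(path, root).replace(os.sep, "/")
    return "." if r == "." else "./" + r

def _excluded(rel, patterns):
    """mtree -X: a pattern containing '/' matches the relative path, else the basename."""
    name = rel.rsplit("/", 1)[-1]
    return any(fnmatch.fnmatch(rel if "/" in p else name, p) for p in patterns)

def _entry(path):
    """Keywords for one entry; st_flags (schg, sappnd, ...) exists only on BSD."""
    st = os.lstat(path)
    e = {"mode": "%04o" % stat.S_IMODE(st.st_mode), "uid": str(st.st_uid),
         "gid": str(st.st_gid), "flags": str(getattr(st, "st_flags", 0))}
    if stat.S_ISDIR(st.st_mode):
        e["type"] = "dir"
    elif stat.S_ISLNK(st.st_mode):
        e["type"], e["link"] = "link", os.readlink(path)
    elif stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            digest = hashlib.sha1(f.read()).hexdigest()
        e["type"], e["size"], e["sha1digest"] = "file", str(st.st_size), digest
    else:
        e["type"] = "other"          # fifo, socket, device node
    return e

def build_spec(root, exclude=DEFAULT_EXCLUDE):
    """Walk root -> {relpath: {keyword: value}}; the whole tree is rescanned each call."""
    spec = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel = _rel(root, dirpath)
        spec[rel] = _entry(dirpath)
        keep = []
        for name in sorted(dirnames + filenames):
            sub = f"./{name}" if rel == "." else f"{rel}/{name}"
            if _excluded(sub, exclude):
                continue                      # prune the whole subtree
            full = os.path.join(dirpath, name)
            if name in dirnames and not os.path.islink(full):
                keep.append(name)             # recorded when the walk visits it
            else:
                spec[sub] = _entry(full)      # files and symlinks (not followed)
        dirnames[:] = keep
    return spec

def dump_spec(spec):
    """Render as mtree -c style lines: path keyword=value ..."""
    return "".join(f"{p} " + " ".join(f"{k}={v}" for k, v in sorted(spec[p].items()))
                   + "\n" for p in sorted(spec))

def load_spec(text):
    """Parse dump_spec output (link targets containing spaces are not handled)."""
    spec = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            path, *kvs = line.split()
            spec[path] = dict(kv.split("=", 1) for kv in kvs)
    return spec

def compare(baseline, current):
    """Extra, missing and changed entries; changed maps path -> {kw: (old, new)}."""
    report = {"extra": [], "missing": [], "changed": {}}
    for p in sorted(set(baseline) | set(current)):
        if p not in baseline:
            report["extra"].append(p)
        elif p not in current:
            report["missing"].append(p)
        else:
            old, new = baseline[p], current[p]
            diff = {k: (old.get(k), new.get(k)) for k in set(old) | set(new)
                    if old.get(k) != new.get(k)}
            if diff:
                report["changed"][p] = diff
    return report

def _write(root, rel, body):
    os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
    with open(os.path.join(root, rel), "w") as f:
        f.write(body)

def demo():
    """Constructed tree: baseline, tamper, verify. ./tmp churn must stay invisible."""
    root = tempfile.mkdtemp()
    _write(root, "bin/ls", "#!/bin/sh\nexec /rescue/ls \"$@\"\n")
    _write(root, "tmp/scratch", "junk\n")
    baseline = load_spec(dump_spec(build_spec(root)))   # round-trip via the spec file
    _write(root, "bin/ls", "#!/bin/sh\nexec /rescue/ls \"$@\" 2>/dev/null\n")  # trojaned
    _write(root, "bin/rootkit", "x\n")                                         # dropped in
    _write(root, "tmp/scratch", "more junk\n")                                 # excluded
    report = compare(baseline, build_spec(root))
    shutil.rmtree(root, ignore_errors=True)
    return report
```

demo() returns `./bin/rootkit` as extra and `./bin/ls` as changed in `size` and `sha1digest`, and nothing under `./tmp`, which is both the silence an exclude list buys and the blind spot it creates (anything an intruder leaves under an excluded directory is never looked at). Every call to build_spec() walks and hashes the whole tree again, which is Garrett's scaling objection in code; and since the spec is the thing an attacker would most like to rewrite, keep it somewhere the monitored host cannot modify it, such as read-only media or another machine.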
From owner-freebsd-security@FreeBSD.ORG Fri Jan 16 10:10:53 2004
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 55EC916A4CF; Fri, 16 Jan 2004 10:10:53 -0800 (PST)
Received: from smtp3.sentex.ca (smtp3.sentex.ca [64.7.153.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 415A943D55; Fri, 16 Jan 2004 10:10:52 -0800 (PST) (envelope-from mike@sentex.net)
Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by smtp3.sentex.ca (8.12.10/8.12.10) with ESMTP id i0GIAmU7028014; Fri, 16 Jan 2004 13:10:48 -0500 (EST) (envelope-from mike@sentex.net)
Received: from simian.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.12.9p2/8.12.9) with ESMTP id i0GIAoXw028098; Fri, 16 Jan 2004 13:10:50 -0500 (EST) (envelope-from mike@sentex.net)
Message-Id: <6.0.1.1.0.20040116122719.05c75910@209.112.4.2>
X-Sender: mdtpop@209.112.4.2 (Unverified)
X-Mailer: QUALCOMM Windows Eudora Version 6.0.1.1
Date: Fri, 16 Jan 2004 13:10:00 -0500
To: security@freebsd.org
From: Mike Tancsa
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Virus-Scanned: by amavisd-new
Subject: HiFn / FAST_IPSEC question
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Fri, 16 Jan 2004 18:10:53 -0000

Hi,
    Just got some of the new Soekris 1401 VPN cards based on the hifn 7955 chip.

hifn0 mem 0xe8510000-0xe8517fff,0xe8518000-0xe8519fff,0xe851a000-0xe851afff irq 5 at device 0.0 on pci1
hifn0: Hifn 7955, rev 0, 32KB dram, 64 sessions

vs

hifn0 mem 0xeb902000-0xeb902fff,0xeb901000-0xeb901fff irq 10 at device 8.0 on pci0
hifn0: Hifn 7951, rev 0, 128KB sram, 193 sessions

When it says "n sessions" how does that specifically impact IPSEC ? Does it really mean I can only have 64 SAs ?

        ---Mike
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

From owner-freebsd-security@FreeBSD.ORG Fri Jan 16 10:50:04 2004
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 36C0E16A57E for ; Fri, 16 Jan 2004 10:50:04 -0800 (PST)
Received: from smtp3.sentex.ca (smtp3.sentex.ca [64.7.153.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1BE3943D46 for ; Fri, 16 Jan 2004 10:50:01 -0800 (PST) (envelope-from mike@sentex.net)
Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by smtp3.sentex.ca (8.12.10/8.12.10) with ESMTP id i0GInvU7038075; Fri, 16 Jan 2004 13:49:57 -0500 (EST) (envelope-from mike@sentex.net)
Received: from simian.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.12.9p2/8.12.9) with ESMTP id i0GInxXw028248; Fri, 16 Jan 2004 13:49:59 -0500 (EST) (envelope-from mike@sentex.net)
Message-Id: <6.0.1.1.0.20040116134753.03e16c08@209.112.4.2>
X-Sender: mdtpop@209.112.4.2 (Unverified)
X-Mailer: QUALCOMM Windows Eudora Version 6.0.1.1
Date: Fri, 16 Jan 2004 13:48:58 -0500
From: Mike Tancsa
References: <6.0.1.1.0.20040116122719.05c75910@209.112.4.2>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Virus-Scanned: by amavisd-new
cc: security@freebsd.org
Subject: RE: HiFn / FAST_IPSEC question
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Fri, 16 Jan 2004 18:50:04 -0000

I am more curious about what happens if you try 194 sessions on one or 65
on the other, not why one is rated lower than the other.

        ---Mike

At 01:40 PM 16/01/2004, Miguel Hernandez y Lopez wrote:
>maybe it's because the card only has 32KB dram, and the second has 128KB
>just wondering... :)
>kind regards
>
>-------------------------------------------------------------------------
>
>Miguel Jose Hernandez y Lopez Tel +52 834 3188150
>Gobierno del Estado de Tamaulipas mhdz@tamaulipas.gob.mx
>Telecomunicaciones @ Depto. de Seguridad http://www.tamaulipas.gob.mx
>
>
>-----Original Message-----
>From: owner-freebsd-security@freebsd.org
>[mailto:owner-freebsd-security@freebsd.org] On behalf of Mike Tancsa
>Sent: Friday, 16 January 2004 12:10 p.m.
>To: security@freebsd.org
>Subject: HiFn / FAST_IPSEC question
>
>
>Hi,
>    Just got some of the new Soekris 1401 VPN cards based on the hifn 7955
>chip.
>
>hifn0 mem 0xe8510000-0xe8517fff,0xe8518000-0xe8519fff,0xe851a000-0xe851afff
>irq 5 at device 0.0 on pci1
>hifn0: Hifn 7955, rev 0, 32KB dram, 64 sessions
>
>vs
>
>hifn0 mem 0xeb902000-0xeb902fff,0xeb901000-0xeb901fff irq 10 at device 8.0
>on pci0
>hifn0: Hifn 7951, rev 0, 128KB sram, 193 sessions
>
>
>When it says "n sessions" how does that specifically impact IPSEC ? Does it
>really mean I can only have 64 SAs ?
>
>        ---Mike
>--------------------------------------------------------------------
>Mike Tancsa, tel +1 519 651 3400
>Sentex Communications, mike@sentex.net
>Providing Internet since 1994 www.sentex.net
>Cambridge, Ontario Canada www.sentex.net/mike
>
>_______________________________________________
>freebsd-security@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-security
>To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"