From owner-freebsd-security@FreeBSD.ORG Sun Feb 22 16:02:04 2004
From: hugle <hugle@vkt.lt>
To: freebsd-security@freebsd.org
Date: Mon, 23 Feb 2004 02:00:57 +0200
Message-ID: <175188614923.20040223020057@vkt.lt>
Subject: own arp reply?

Hello all.

I wonder if there is a way to do something like this: for requests like

    arp who-has 192.168.1.13 tell 192.168.4.31
    arp who-has 192.168.1.122 tell 192.168.1.31

always answer 192.168.x.x?

I mean I'd have one machine which would hold all the MAC <-> IP pairs
(arp -s IP M:A:C), and I'd like to give that 'data' to users, so it
wouldn't be fake (spoofed).

Or maybe:

    who has 192.168.0.x tell router1
    who has 192.168.2.x tell router2

and so on.

P.S. If I can do something like that, then:
1) Is it possible to do on a bridge?
2) Is it possible to do on a simple router?

-- 
Best regards,
Hugle

From owner-freebsd-security@FreeBSD.ORG Fri Feb 20 04:48:20 2004
From: Christophe Prevotaux <c.prevotaux@hexanet.fr>
To: Bruce M Simpson
cc: freebsd-net@freebsd.org, freebsd-security@freebsd.org
Date: Fri, 20 Feb 2004 13:48:18 +0100
Message-Id: <20040220134818.4f5c99a9.c.prevotaux@hexanet.fr>
In-Reply-To: <20040219211411.GB3612@saboteur.dek.spc.org>
Subject: Re: traffic normalizer for ipfw?

What about making protocol syntax and grammar dictionary based filtering?
In that way you could recognize any protocol on any port and filter by
many keys, looking into the protocol up to the highest levels.

Of course this requires analysis of many protocols and writing of many
dictionaries. But at least one company made this: http://www.qosmos.fr

On Thu, 19 Feb 2004 21:14:11 +0000
Bruce M Simpson wrote:

> On Thu, Feb 19, 2004 at 01:02:16PM -0800, Dorin H wrote:
> > Is there some way to configure ipfw to do traffic
> > normalizing ("scrubbing", as in ipf for OpenBSD)? Is
> > there any tool to do it for FreeBSD firewalling?
> > I've heard that ipf was ported on current, anything
> > else?
> 
> We're looking at bringing pf into the tree. One of the things on my
> unofficial (some would say a work of pure fiction) is to look at
> something for KaZaA filtering on BSD...
> 
> If you're talking about traffic shaping, have a look at dummynet which
> is already there.
> 
> BMS

-- 
===============================================================
Christophe Prevotaux          Email: c.prevotaux@hexanet.fr
HEXANET SARL                  URL: http://www.hexanet.fr/
Z.A.C Les Charmilles          Tel: +33 (0)3 26 79 30 05
3 Allée Thierry Sabine        Direct: +33 (0)3 26 61 77 72
BP202                         Fax: +33 (0)3 26 79 30 06
51686 Reims Cedex 2
FRANCE                        HEXANET Network Operation Center
===============================================================

From owner-freebsd-security@FreeBSD.ORG Tue Feb 24 03:33:15 2004
Message-ID: <002701c3faca$02f64e60$0503050a@sdc.com.jo>
From: "Pons" <pons@gmx.li>
To: freebsd-security@freebsd.org
Date: Tue, 24 Feb 2004 13:33:21 +0200
Subject: improve ipfw rules

I have configured a FreeBSD 5.1-RELEASE box with 2 NICs (Ext. IP / Int. IP)
with ipfw/natd/squid. The setup is working.

/etc/rc.conf
--------------------//-----------------------
gateway_enable="YES"
inetd_enable="YES"
linux_enable="YES"
moused_enable="YES"
usbd_enable="YES"
natd_enable="YES"
natd_interface="rl1"
natd_flags="-s -u -m"
firewall_enable="YES"
firewall_logging_enable="YES"
firewall_quiet="NO"
#firewall_type="open"
firewall_script="/etc/rc.ipfw"
#firewall_type="/etc/ipfw.rules"
snmpd_enable="YES"
tcp_extensions="NO"
tcp_drop_synfin="YES"
tcp_keepalive="YES"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
sshd_enable="YES"
update_motd="NO"

My kernel conf
---------------------------------//-------------------
options IPFIREWALL                 #firewall
options IPFIREWALL_VERBOSE         #enable logging to syslogd(8)
options IPDIVERT                   #divert sockets
options IPFIREWALL_VERBOSE_LIMIT=100
#options IPFIREWALL_DEFAULT_TO_ACCEPT
options RANDOM_IP_ID
options DUMMYNET
options IPFIREWALL_FORWARD
options TCP_DROP_SYNFIN
options IPSTEALTH
#options "ICMP_BANDLIM"

My rule set, /etc/rc.ipfw
--------------------//----------------------
# This file is a modified version of /etc/rc.firewall.
#
# Maintained by: D. O'Connor
# Modified: 7/18/2000.
#

# Suck in the configuration variables.
if [ -r /etc/defaults/rc.conf ]; then
	. /etc/defaults/rc.conf
	source_rc_confs
elif [ -r /etc/rc.conf ]; then
	. /etc/rc.conf
fi

if [ -n "${1}" ]; then
	firewall_type="${1}"
fi

# Firewall program
fwcmd="/sbin/ipfw"

# Outside interface network and netmask and ip
oif="rl1"
onet="f.g.h.0"
omask="255.255.255.240"
oip="f.g.h.k"

# Inside interface network and netmask and ip
iif="rl0"
inet="a.b.0.0"
imask="255.255.0.0"
iip="1.2.3.4"

# My ISP's DNS servers
dns1="X.Y.W.Z"
dns2="A.B.C.D"

# Flush previous rules
${fwcmd} -f flush

# Allow loopbacks, deny imposters
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8

# If you're using 'options BRIDGE', uncomment the following line to pass ARP
#${fwcmd} add 300 pass udp from 0.0.0.0 2054 to 0.0.0.0

# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

# Network Address Translation.  This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules.  If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above.  Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.
${fwcmd} add divert natd all from any to any via ${natd_interface}

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
# FreeBSD install instructions (German): http://freebsd.mountpoint.net
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

# Allow established connections with minimal overhead
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

### TCP RULES

# HTTP - Allow access to our web server
${fwcmd} add pass tcp from any to any 80 setup
#${fwcmd} add deny tcp from any to any 80 setup
#${fwcmd} add pass tcp from any to any 80 setup
# HTTP - Deny access to our web server
#${fwcmd} add deny tcp from any to any 80 setup

# SMTP - Allow access to sendmail for incoming e-mail
${fwcmd} add pass tcp from any to any 25 setup

# FTP - Allow incoming data channel for outgoing connections,
# reject & log all incoming control connections
${fwcmd} add pass tcp from any 20 to any 1024-65535 setup
${fwcmd} add deny log tcp from any to any 21 in via ${oif} setup

# SSH Login - Allow & Log all incoming
${fwcmd} add pass log tcp from any to any 22 in via ${oif} setup

# IDENT - Reset incoming connections
${fwcmd} add reset tcp from any to any 113 in via ${oif} setup

# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup

# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup

### UDP RULES

# DNS - Allow queries out in the world
${fwcmd} add pass udp from any to ${dns1} 53
${fwcmd} add pass udp from any to ${dns2} 53
${fwcmd} add pass udp from ${dns1} 53 to any
${fwcmd} add pass udp from ${dns2} 53 to any

# SMB - Allow local traffic
${fwcmd} add pass udp from any to any 137-139 via ${iif}

# SYSLOG - Allow machines on inside net to log to us.
${fwcmd} add pass log udp from any to any 514 via ${iif}

# NTP - Allow queries out in the world
${fwcmd} add pass udp from any 123 to any 123 via ${oif}
${fwcmd} add pass udp from any 123 to any via ${iif}
${fwcmd} add pass udp from any to any 123 via ${iif}

# TRACEROUTE - Allow outgoing
${fwcmd} add pass udp from any to any 33434-33523 out via ${oif}

### ICMP RULES

# ICMP packets
# Allow all ICMP packets on internal interface
${fwcmd} add pass icmp from any to any via ${iif}

# Allow outgoing pings
${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif}
${fwcmd} add pass icmp from any to any icmptypes 0 in via ${oif}

# Allow Destination Unreachable, Source Quench, Time
# Exceeded, and Bad Header
${fwcmd} add pass icmp from any to any icmptypes 3,4,11,12 via ${oif}

# Deny the rest of them
${fwcmd} add deny icmp from any to any

### MISCELLANEOUS REJECT RULES

# Reject broadcasts from outside interface
${fwcmd} add 63000 deny ip from any to 0.0.0.255:0.0.0.255 in via ${oif}

# Reject&Log SMB connections on outside interface
${fwcmd} add 64000 deny log udp from any to any 137-139 via ${oif}

# Reject&Log all other connections from outside interface
${fwcmd} add 65000 deny log ip from any to any via ${oif}

# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.

------------//---------------
/etc/sysctl.conf
# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0
net.inet.ip.forwarding=1

1. I want to implement more security in my rules. I want to improve my
   security rule sets in rc.ipfw. If anyone has any comments about it...

2. I am running the proxy server squid on the same box which is running
   IPFW. I want my clients to access HTTP only through the proxy, and to
   deny access for people who are not using the proxy setting
   (proxy_ip X.X.X.X:3128) in Internet Explorer. In my firewall I am
   allowing the following:

       # HTTP - Allow access to our web server
       ${fwcmd} add pass tcp from any to any 80 setup

   How can I implement this?

3. I'm interested in blocking Kazaa/P2P traffic with IPFW. Any help on
   this issue?

4. What should I include in /etc/sysctl.conf against DoS attacks,
   spoofing, etc.?

5. I want to allow only one specific IP (5.6.7.8) to manage the box by
   accessing it via ssh only.

Thanks

From owner-freebsd-security@FreeBSD.ORG Tue Feb 24 07:09:27 2004
From: Richy Kim <rkim@sandvine.com>
To: 'Pons', freebsd-security@freebsd.org
Date: Tue, 24 Feb 2004 10:09:24 -0500
Subject: RE: improve ipfw rules

>> 3. I'm interested in blocking Kazaa/P2P traffic with IPFW. Any help on
>> this issue?

You could possibly block connections at known P2P ports:

    deny tcp from any to any 6699 setup

But most of the newer protocols use dynamic ports and, in turn, are
configurable, so ipfw isn't exactly ideal on its own for this.

-r.

-----Original Message-----
From: Pons [mailto:pons@gmx.li]
Sent: Tuesday, February 24, 2004 6:33 AM
To: freebsd-security@freebsd.org
Subject: improve ipfw rules

I have configured a FreeBSD 5.1 rel box 2 NIC's (Ext.ip/Int.ip)
with ipfw/natd/squid the setup is working

From owner-freebsd-security@FreeBSD.ORG Tue Feb 24 09:18:49 2004
From: Kris Kennaway <kris@obsecurity.org>
To: Pons
cc: freebsd-security@freebsd.org
Date: Tue, 24 Feb 2004 09:18:27 -0800
Message-ID: <20040224171827.GA48452@xor.obsecurity.org>
In-Reply-To: <002701c3faca$02f64e60$0503050a@sdc.com.jo>
Subject: Re: improve ipfw rules

On Tue, Feb 24, 2004 at 01:33:21PM +0200, Pons wrote:
> I have configured a FreeBSD 5.1 rel box 2 NIC's (Ext.ip/Int.ip)
> with ipfw/natd/squid the setup is working

Support questions should be asked on the questions@ mailing list instead.

Kris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)

iD8DBQFAO4diWry0BWjoQKURAj/nAKD8WN6/buSg5k9PPX1V5aAeACinqACg6V0N
yDsPVlpEZOBfF2dWwfkUyJ0=
=PKc6
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Tue Feb 24 08:07:50 2004
From: Christophe Prevotaux <c.prevotaux@hexanet.fr>
To: Richy Kim
cc: freebsd-security@freebsd.org, pons@gmx.li
Date: Tue, 24 Feb 2004 17:07:35 +0100
Message-Id: <20040224170735.305df436.c.prevotaux@hexanet.fr>
Subject: Re: improve ipfw rules

AFAIK, it is impossible to truly block P2P traffic with any standard
firewalling system. It is the holy grail of ISPs these days.

I know of only one system that can do this effectively, and it is
commercial: http://www.qosmos.fr , as I have already stated on another
FreeBSD mailing list.

The way they do it is by implementing a protocol analyser (on-the-fly
analysis) that has protocol dictionaries and syntax, which can go up
the layers and block on the fly any traffic that it has been specified
to block.

It is my hope that someday someone will step in and implement a similar
system under FreeBSD. But I think it requires quite a lot of work and
possibly major rebuilding of ipfw if it needs to be integrated (which
would be great).

On Tue, 24 Feb 2004 10:09:24 -0500
Richy Kim wrote:

> >> 3. I'm interested in blocking Kazaa/P2P traffic with IPFW. Any help
> >> on this issue?
> 
> You could possibly block connections at known P2P ports:
> 
>     deny tcp from any to any 6699 setup
> 
> But most of the newer protocols use dynamic ports and, in turn, are
> configurable, so ipfw isn't exactly ideal on its own for this.
> 
> -r.
> 

-- 
===============================================================
Christophe Prevotaux
===============================================================

From owner-freebsd-security@FreeBSD.ORG Wed Feb 25 02:22:17 2004
From: Borja Marcos <borjamar@sarenet.es>
To: freebsd-security@freebsd.org
Date: Wed, 25 Feb 2004 11:22:15 +0100
Message-Id: <7BB83E65-677C-11D8-ABA5-000393C94468@sarenet.es>
In-Reply-To: <20040224170735.305df436.c.prevotaux@hexanet.fr>
Subject: Re: improve ipfw rules

> It is my hope that someday someone will step in and implement a similar
> system under FreeBSD. But I think it requires quite a lot of work and
> possibly major rebuilding of ipfw if it needs to be integrated (which
> would be great).

¿Perhaps Snort with Flexresp? It should be able to close a connection
upon detection of a signature.

Borja.

From owner-freebsd-security@FreeBSD.ORG Wed Feb 25 04:11:14 2004
From: Martin Jessa <freebsd@yazzy.org>
To: freebsd-security@freebsd.org
Date: Wed, 25 Feb 2004 13:11:33 +0100
Message-Id: <20040225131133.1b989778.freebsd@yazzy.org>
Subject: Re: improve ipfw rules

Hi.

Take a look at: http://jk.yazzy.org/articles/openbsd/kazaa.html

Jochem describes there how to block Kazaa with snort on OpenBSD.

Hope this helps.

On Tue, 24 Feb 2004 10:09:24 -0500
Richy Kim wrote:

> >> 3. I'm interested in blocking Kazaa/P2P traffic with IPFW. Any help
> >> on this issue?
> 
> You could possibly block connections at known P2P ports:
> 
>     deny tcp from any to any 6699 setup
> 
> But most of the newer protocols use dynamic ports and, in turn, are
> configurable, so ipfw isn't exactly ideal on its own for this.
> 
> -r.
> 
> -----Original Message-----
> From: Pons [mailto:pons@gmx.li]
> Sent: Tuesday, February 24, 2004 6:33 AM
> To: freebsd-security@freebsd.org
> Subject: improve ipfw rules
> 
> I have configured a FreeBSD 5.1 rel box 2 NIC's (Ext.ip/Int.ip)
> with ipfw/natd/squid the setup is working

From owner-freebsd-security@FreeBSD.ORG Wed Feb 25 09:29:09 2004
Date: Wed, 25 Feb 2004 12:29:07 -0500 (EST)
From: Matthew George <mdg@secureworks.net>
To: Borja Marcos
cc: freebsd-security@freebsd.org
Message-ID: <20040225122505.M28880@localhost>
In-Reply-To: <7BB83E65-677C-11D8-ABA5-000393C94468@sarenet.es>
Subject: Re: improve ipfw rules

On Wed, 25 Feb 2004, Borja Marcos wrote:

> > It is my hope that someday someone will step in and implement a similar
> > system under FreeBSD. But I think it requires quite a lot of work and
> > possibly major rebuilding of ipfw if it needs to be integrated (which
> > would be great).
> 
> 	¿Perhaps Snort with Flexresp? It should be able to close a connection
> upon detection of a signature.
> 

The difference is that snort is still packet based. You'd need to have
the concept of data stream analysis in order to really implement an
effective application layer protocol analysis engine.

-- 
Matthew George
SecureWorks Technical Operations
404.327.6339

From owner-freebsd-security@FreeBSD.ORG Wed Feb 25 20:02:10 2004
From: Dorin H <bj93542@yahoo.com>
To: Matthew George
cc: freebsd-security@freebsd.org
Date: Wed, 25 Feb 2004 20:02:10 -0800 (PST)
Message-ID: <20040226040210.25663.qmail@web12609.mail.yahoo.com>
In-Reply-To: <20040225122505.M28880@localhost>
Subject: Re: improve ipfw rules

--- Matthew George wrote:
> On Wed, 25 Feb 2004, Borja Marcos wrote:
> 
> > > It is my hope that someday someone will step in and implement a
> > > similar system under FreeBSD.
> 
> The difference is that snort is still packet based. You'd need to have
> the concept of data stream analysis in order to really implement an
> effective application layer protocol analysis engine.
> 

The Snort http plugin does "application-level" stream analysis, AFAIK.
Why could you not design a similar plugin, or just some well written
rules? (just 2c)

Use snortsam to alert the firewall (FBSD ipf, for example) to block the
traffic, and keep the fw free of stateful traffic analysis as much as
possible, for the sake of performance.

BTW, does anyone know if snortsam works with ipfw?

/Dorin.
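The packet-versus-stream distinction Matthew George draws above, and the stream-level matching Dorin attributes to the Snort HTTP plugin, as an added example that is not part of the thread: a small Python model of both engines run over a constructed client request. The request, the segment boundaries, and the "X-Kazaa-" header used as the signature are all assumptions made for illustration, not captures from any real client or rules from any real IDS.

```python
"""Packet-based vs stream-based signature matching (added example).

Constructed data only: the request below and the "X-Kazaa-" signature
are assumed for illustration, not captured from a real client.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Segment:
    """One TCP segment: sequence number of its first payload byte, and payload."""
    seq: int
    payload: bytes


# Assumed illustrative signature for a P2P client's HTTP request header.
SIGNATURE = b"X-Kazaa-"

# Constructed sample request (not a real capture).
REQUEST = (
    b"GET /.hash=0123456789abcdef HTTP/1.1\r\n"
    b"Host: 10.0.0.5:1214\r\n"
    b"X-Kazaa-Username: alice\r\n"
    b"\r\n"
)


def split(data: bytes, cuts: Iterable[int], base_seq: int = 1000) -> List[Segment]:
    """Cut a byte string into in-order segments at the given byte offsets."""
    segs, prev = [], 0
    for cut in list(cuts) + [len(data)]:
        segs.append(Segment(base_seq + prev, data[prev:cut]))
        prev = cut
    return segs


def match_per_packet(segments: Iterable[Segment], sig: bytes = SIGNATURE) -> bool:
    """Packet-based engine: each segment is inspected on its own, with no
    memory of the previous one, so a pattern straddling two segments is
    invisible to it."""
    return any(sig in s.payload for s in segments)


def reassemble(segments: Iterable[Segment]) -> bytes:
    """Rebuild the byte stream: order by sequence number, discard the
    overlapping part of retransmissions, and stop at the first gap."""
    stream = bytearray()
    expected = None
    for s in sorted(segments, key=lambda s: s.seq):
        if expected is None:
            expected = s.seq
        if s.seq > expected:
            break  # hole in the stream; a real engine would buffer and wait
        data = s.payload[expected - s.seq:]  # drop bytes already seen
        stream += data
        expected += len(data)
    return bytes(stream)


def match_stream(segments: Iterable[Segment], sig: bytes = SIGNATURE) -> bool:
    """Stream-based engine: match against the reassembled byte stream."""
    return sig in reassemble(segments)


# Segments cut so the signature straddles the boundary ("...X-Ka" | "zaa-...").
_cut = REQUEST.index(SIGNATURE) + 4
EVASIVE = split(REQUEST, [_cut])


def demo() -> dict:
    """Run both engines over the constructed cases; return the verdicts."""
    out_of_order = list(reversed(EVASIVE))
    with_retransmit = EVASIVE + [EVASIVE[0]]
    return {
        "whole_request_per_packet": match_per_packet(split(REQUEST, [])),
        "split_per_packet": match_per_packet(EVASIVE),
        "split_stream": match_stream(EVASIVE),
        "out_of_order_stream": match_stream(out_of_order),
        "retransmit_stream": match_stream(with_retransmit),
    }


if __name__ == "__main__":
    for case, hit in demo().items():
        print(f"{case:28s} {'BLOCK' if hit else 'pass'}")
```

Per-packet matching loses the signature as soon as a segment boundary falls inside it, which a client can arrange on purpose or the path MTU can do by accident; the reassembly step then has to cope with reordering and retransmissions, and that bookkeeping is where the cost of stream analysis sits. This toy stops at the first hole instead of buffering for the missing segment, which a production engine would have to do.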
http://antispam.yahoo.com/tools From owner-freebsd-security@FreeBSD.ORG Wed Feb 25 20:04:21 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 61D0116A4CF for ; Wed, 25 Feb 2004 20:04:21 -0800 (PST) Received: from tx0.oucs.ox.ac.uk (tx0.oucs.ox.ac.uk [129.67.1.163]) by mx1.FreeBSD.org (Postfix) with ESMTP id C208343D1F for ; Wed, 25 Feb 2004 20:04:20 -0800 (PST) (envelope-from colin.percival@wadham.ox.ac.uk) Received: from scan0.oucs.ox.ac.uk ([129.67.1.162] helo=localhost) by tx0.oucs.ox.ac.uk with esmtp (Exim 4.24) id 1AwCl2-0007Cj-Di for freebsd-security@freebsd.org; Thu, 26 Feb 2004 04:04:20 +0000 Received: from rx0.oucs.ox.ac.uk ([129.67.1.161]) by localhost (scan0.oucs.ox.ac.uk [129.67.1.162]) (amavisd-new, port 25) with ESMTP id 27511-04 for ; Thu, 26 Feb 2004 04:04:20 +0000 (GMT) Received: from gateway.wadham.ox.ac.uk ([163.1.161.253]) by rx0.oucs.ox.ac.uk with smtp (Exim 4.24) id 1AwCl2-0007Cg-0M for freebsd-security@freebsd.org; Thu, 26 Feb 2004 04:04:20 +0000 Received: (qmail 24736 invoked by uid 0); 26 Feb 2004 04:04:20 -0000 Received: from colin.percival@wadham.ox.ac.uk by gateway by uid 71 with qmail-scanner-1.16 (sweep: 2.14/3.71. spamassassin: 2.53. Clear:. Processed in 3.306201 secs); 26 Feb 2004 04:04:20 -0000 X-Qmail-Scanner-Mail-From: colin.percival@wadham.ox.ac.uk via gateway X-Qmail-Scanner: 1.16 (Clear:. Processed in 3.306201 secs) Received: from dhcp1131.wadham.ox.ac.uk (HELO piii600.wadham.ox.ac.uk) (163.1.161.131) by gateway.wadham.ox.ac.uk with SMTP; 26 Feb 2004 04:04:16 -0000 Message-Id: <6.0.1.1.1.20040225172320.03ed0c20@imap.sfu.ca> X-Sender: cperciva@imap.sfu.ca (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 6.0.1.1 Date: Thu, 26 Feb 2004 04:04:14 +0000 To: freebsd-current@freebsd.org, freebsd-security@freebsd.org 
From: Colin Percival
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Subject: FreeBSD 5.2 -> 5.2.1 upgrade
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Thu, 26 Feb 2004 04:04:21 -0000

In order to provide an easy update path for i386 systems from FreeBSD 5.2 to FreeBSD 5.2.1, FreeBSD Update will now update systems running FreeBSD 5.2-RELEASE to 5.2.1-RELEASE.

To take advantage of these updates, install and run FreeBSD Update, and reboot into the new kernel:

# cd /usr/ports/security/freebsd-update && make install clean
# cp /usr/local/etc/freebsd-update.conf.sample /usr/local/etc/freebsd-update.conf
# /usr/local/sbin/freebsd-update fetch
# /usr/local/sbin/freebsd-update install
# shutdown -r now

If you have recompiled any files locally, FreeBSD Update may not be able to update them automatically (it will complain). With the latest version of FreeBSD Update (version 1.5), you can use one of the following commands:

# /usr/local/sbin/freebsd-update --branch crypto fetch
or
# /usr/local/sbin/freebsd-update --branch nocrypto fetch

depending upon whether you installed the "crypto" distribution, to force files to be updated. (If you're not sure if you installed the "crypto" distribution, you almost certainly did.)

FreeBSD Update will update a 5.2-RELEASE system to the exact binaries distributed with 5.2.1-RELEASE, with the following exceptions:

1. Files under the following directories will not be updated:
     /usr/ports
     /usr/share/doc
     /usr/share/man/cat*
     /usr/src
   The ports and src trees can be updated using cvsup; the files in /usr/share/man/cat* are rebuilt from (updated) man pages automatically.

2. FreeBSD binaries include, in their headers, the value of __FreeBSD_version on the machine where they were compiled.
   This value was bumped from 502000 to 502010 as part of the release engineering process; binaries for which this is the ONLY change will not be updated.

As always, this is something I'm providing personally; it is in no way endorsed by the Security Officer, Release Engineering team, or the project as a whole.

Colin Percival

From owner-freebsd-security@FreeBSD.ORG Wed Feb 25 20:22:15 2004
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1C78716A4CE for ; Wed, 25 Feb 2004 20:22:15 -0800 (PST)
Received: from web60407.mail.yahoo.com (web60407.mail.yahoo.com [216.109.118.190]) by mx1.FreeBSD.org (Postfix) with SMTP id 9D54243D1D for ; Wed, 25 Feb 2004 20:22:14 -0800 (PST) (envelope-from twigles@yahoo.com)
Message-ID: <20040226042214.69853.qmail@web60407.mail.yahoo.com>
Received: from [68.5.51.136] by web60407.mail.yahoo.com via HTTP; Wed, 25 Feb 2004 20:22:14 PST
Date: Wed, 25 Feb 2004 20:22:14 -0800 (PST)
From: twig les
To: Dorin H , Matthew George
In-Reply-To: <20040226040210.25663.qmail@web12609.mail.yahoo.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
cc: freebsd-security@freebsd.org
Subject: Re: improve ipfw rules
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Thu, 26 Feb 2004 04:22:15 -0000

> BTW, does anyone know if snortsam works with ipfw?
> /Dorin.

It's in the experimental stage but the noise sounds promising. I can't seem to find the email thread that discusses it though... grrr.

=====
-----------------------------------------------------------
With a few exceptions, secrecy is deeply incompatible with democracy and with science.
--Carl Sagan
-----------------------------------------------------------

From owner-freebsd-security@FreeBSD.ORG Wed Feb 25 10:54:32 2004
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8D0F116A4CE; Wed, 25 Feb 2004 10:54:32 -0800 (PST)
Received: from kientzle.com (h-66-166-149-50.SNVACAID.covad.net [66.166.149.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id E106443D1F; Wed, 25 Feb 2004 10:54:31 -0800 (PST) (envelope-from tim@kientzle.com)
Received: from kientzle.com (54.kientzle.com [66.166.149.54] (may be forged)) by kientzle.com (8.12.9/8.12.9) with ESMTP id i1PIsV7g008367; Wed, 25 Feb 2004 10:54:31 -0800 (PST) (envelope-from tim@kientzle.com)
Message-ID: <403CEF67.5040004@kientzle.com>
Date: Wed, 25 Feb 2004 10:54:31 -0800
From: Tim Kientzle
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.4) Gecko/20031006
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-security@freebsd.org, das@freebsd.org
Content-Type: multipart/mixed; boundary="------------000701060105000106090207"
X-Mailman-Approved-At: Thu, 26 Feb 2004 01:56:58 -0800
Subject: Environment Poisoning and login -p
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: kientzle@acm.org
List-Id: Security issues [members-only posting]
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Wed, 25 Feb 2004 18:54:32 -0000

There's been an ongoing discussion (started by Colin Percival's recent work on nologin) about environment-poisoning attacks via "login -p". I thought I saw a way to address this, but the more I learn, the uglier this looks. Maybe some of the good folks who read freebsd-security can puzzle this one out:

Problem: login -p can be used to propagate environment flags in order to trojan the user shell of the target account. There are several significant cases:

  * Dynamically-linked target shell.
  * Target account shell is a shell script.

Both of these are quite common in practice. (However, I will note that in -CURRENT, both "nologin" and /bin/sh are statically-linked and thus currently immune to this.)

The particular thread that started me looking at this concerned "nologin" scripts or programs that attempt to block access to certain accounts. David Schultz has demonstrated that login -p can be used to circumvent a dynamically-linked nologin program, for example. If your friend's account hasn't been blocked, you may be able to use that to circumvent any blocks placed on your own account.

Possible fix: Ignore "-p" flag if target shell is not in /etc/shells.
In this scenario, a nologin program would not be listed in /etc/shells, and thus such attacks would be blocked.

Problem: One common use of nologin scripts is to create ftp-only accounts. However, ftpd(8) limits ftp access to accounts with "standard" shells. As a result, ftp-only accounts must have their shell listed in /etc/shells.

Possible fix: Have login unconditionally discard LD_LIBRARY_PATH and LD_PRELOAD from the environment, even if "-p" is specified.

I'm unsure that this is sufficient. I'm also unsure whether this blocks legitimate use of "login -p." I am generally distrustful of blacklist security approaches; I'd prefer a whitelist approach that only passed through selected environment variables.

Possible fix: Eliminate the "-p" option to login.

This would certainly close the hole, but could introduce complications elsewhere. (I've looked at telnetd, which uses this flag. However, it appears to use it only to propagate the TERM flag, which our login program does even without -p.)

Part of the issue here is an underlying disagreement about the meaning of "standard shell." Skimming the -CURRENT source tree reveals several different definitions of "standard shell":

  * A group of "equivalent" shells from which users can choose. (from chpass(1))
  * An indicator that the user is allowed ftp access (from ftpd(8))
  * An indicator that su is permitted
  *
 An indicator that mail include files should be honored (in sendmail; based on a very quick skimming of the source)

These are not entirely consistent interpretations, resulting in security problems with "ftp-only" access, for example.

I've attached a patch to "login" that implements the two "Possible Fixes" above. I'm not entirely happy with it, though, for the reasons I've indicated. Suggestions?
Tim Kientzle

Content-Type: text/plain; name="kientzle-login.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="kientzle-login.diff"

Index: login.c
===================================================================
RCS file: /home/ncvs/src/usr.bin/login/login.c,v
retrieving revision 1.98
diff -r1.98 login.c
86a87
> static int chshell(const char *);
468c469,472
<  * preservation - but preserve TERM in all cases
---
>  * preservation or the user has a non-standard shell. In
>  * particular, this "non-standard shell" check blocks certain
>  * environment-poisoning exploits against nologin scripts.
>  * Preserve TERM in all cases.
471c475
< 	if (!pflag)
---
> 	if (!pflag || !chshell(shell))
476a481,491
> 	 * The chshell() check above isn't sufficient, though.
> 	 * For example, consider a custom nologin script used
> 	 * to limit accounts to ftp-only access. ftpd(8) requires
> 	 * the user shell to be in /etc/shells, thus crippling
> 	 * the above check. The following provides some modest
> 	 * additional security limits in such cases.
> 	 */
> 	unsetenv("LD_LIBRARY_PATH");
> 	unsetenv("LD_PRELOAD");
>
> 	/*
935a951,968
> }
>
> /*
>  * Return TRUE if the shell is a "standard" shell.
>  * (That is, one listed in /etc/shells.)
>  */
> static int
> chshell(const char *sh)
> {
> 	int r;
> 	const char *cp;
>
> 	r = 0;
> 	setusershell();
> 	while ((cp = getusershell()) != NULL && !r)
> 		r = (strcmp(cp, sh) == 0);
> 	endusershell();
> 	return (r);

From owner-freebsd-security@FreeBSD.ORG Thu Feb 26 02:14:50 2004
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6A28E16A4CE; Thu, 26 Feb 2004 02:14:50 -0800 (PST)
Received: from smtp.des.no (flood.des.no [217.116.83.31]) by mx1.FreeBSD.org (Postfix) with ESMTP id EE2F643D2F; Thu, 26 Feb 2004 02:14:49 -0800 (PST) (envelope-from des@des.no)
Received: by smtp.des.no (Pony Express, from userid 666) id 902BE5309; Thu, 26 Feb 2004 11:14:48 +0100 (CET)
Received: from dwp.des.no (des.no [80.203.228.37]) by smtp.des.no (Pony Express) with ESMTP id 7B5B95308; Thu, 26 Feb 2004 11:14:41 +0100 (CET)
Received: by dwp.des.no (Postfix, from userid 2602) id 0510733C71; Thu, 26 Feb 2004 11:14:40 +0100 (CET)
To: kientzle@acm.org
References: <403CEF67.5040004@kientzle.com>
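Review bot: the `if (!pflag || !chshell(shell))` test in the 471c475 hunk turns -p off for every account whose shell is not in /etc/shells, not only for nologin accounts, and does so silently; a root-driven `login -p user` for someone on a locally installed shell now behaves like plain `login` with nothing logged. Suggest a syslog() notice in that branch when pflag is set and chshell() fails, and please confirm that `shell` already holds the substituted default for an empty pw_shell at this point in login.c, otherwise chshell() is handed an empty string and those accounts lose -p too.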
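Review bot: the `unsetenv("LD_LIBRARY_PATH"); unsetenv("LD_PRELOAD");` pair in the 476a481,491 hunk is a blacklist of two names, which the cover mail itself says it distrusts: rtld(1) in -CURRENT reads other LD_ variables as well (LD_LIBMAP is one), and the shell-script nologin case the mail raises is untouched, since a script's interpreter is steered through variables such as ENV rather than LD_*. Either strip every name matching LD_* and document this block as a stopgap, or replace it with the whitelist the mail says it would prefer, so that a new rtld knob does not reopen the hole.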
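Review bot: chshell() in the 935a951,968 hunk duplicates a test that chpass(1) and ftpd(8) already carry in their own words (the cover mail lists them), so a further private copy widens the inconsistency the mail complains about; put it in libutil and have the callers share it. Two things the function comment should state: getusershell(3) falls back to a built-in list (/bin/sh and /bin/csh) when /etc/shells is absent, so -p survives for those two on such a host, and the match is an exact strcmp() against the shell string, so a symlink or differently spelled path to the same binary counts as non-standard. The hunk also begins with the stray `> }` because plain diff reused the old closing brace at line 936; regenerate with -u so the function reads whole.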
From: des@des.no (Dag-Erling Smørgrav)
Date: Thu, 26 Feb 2004 11:14:40 +0100
In-Reply-To: <403CEF67.5040004@kientzle.com> (Tim Kientzle's message of "Wed, 25 Feb 2004 10:54:31 -0800")
Message-ID:
User-Agent: Gnus/5.090024 (Oort Gnus v0.24) Emacs/21.3 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on flood.des.no
X-Spam-Level:
X-Spam-Status: No, hits=0.0 required=5.0 tests=AWL autolearn=no version=2.63
cc: freebsd-security@freebsd.org
cc: das@freebsd.org
Subject: Re: Environment Poisoning and login -p
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Thu, 26 Feb 2004 10:14:50 -0000

Tim Kientzle writes:
> There's been an ongoing discussion (started by
> Colin Percival's recent work on nologin) about
> environment-poisoning attacks via "login -p".
> [...]

You missed the obvious solution: remove login(1)'s setuid bit so it only works if you are already root.
DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Thu Feb 26 03:30:13 2004
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4FF1A16A4CE; Thu, 26 Feb 2004 03:30:13 -0800 (PST)
Received: from smtp.des.no (flood.des.no [217.116.83.31]) by mx1.FreeBSD.org (Postfix) with ESMTP id CDFD243D1D; Thu, 26 Feb 2004 03:30:12 -0800 (PST) (envelope-from des@des.no)
Received: by smtp.des.no (Pony Express, from userid 666) id 8E8FE5308; Thu, 26 Feb 2004 12:30:11 +0100 (CET)
Received: from dwp.des.no (des.no [80.203.228.37]) by smtp.des.no (Pony Express) with ESMTP id 6AB03530C; Thu, 26 Feb 2004 12:30:03 +0100 (CET)
Received: by dwp.des.no (Postfix, from userid 2602) id 4226D33C71; Thu, 26 Feb 2004 12:30:03 +0100 (CET)
To: current@freebsd.org
From: des@des.no (Dag-Erling Smørgrav)
Date: Thu, 26 Feb 2004 12:30:03 +0100
Message-ID:
User-Agent: Gnus/5.090024 (Oort Gnus v0.24) Emacs/21.3 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on flood.des.no
X-Spam-Level:
X-Spam-Status: No, hits=0.0 required=5.0 tests=AWL autolearn=no version=2.63
cc: security@freebsd.org
Subject: HEADS UP: OpenSSH 3.8p1
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Thu, 26 Feb 2004 11:30:13 -0000

Take the usual precautions when upgrading.

Also note that I have changed some configuration defaults: the server no longer accepts protocol version 1 nor password authentication by default. If your ssh client does not support ssh protocol version 2 or keyboard-interactive authentication, the recommended measures are:

  1) get a better client
  2) get a better client (I mean it)
  3) get a better client (for real this time!)

and as a last resort

  4) enable protocol version 1 and password authentication in sshd_config

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Thu Feb 26 03:33:07 2004
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3EA3816A4CE; Thu, 26 Feb 2004 03:33:07 -0800 (PST)
Received: from freebsd.org.ru (freebsd.org.ru [194.84.67.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id E437843D1F; Thu, 26 Feb 2004 03:33:06 -0800 (PST) (envelope-from osa@freebsd.org.ru)
Received: by freebsd.org.ru (Postfix, from userid 1000) id 09B7E3CB; Thu, 26 Feb 2004 14:32:56 +0300 (MSK)
Date: Thu, 26 Feb 2004 14:32:55 +0300
From: "Sergey A. Osokin"
To: Dag-Erling Smørgrav
Message-ID: <20040226113255.GF49750@freebsd.org.ru>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.5.6i
cc: current@freebsd.org
cc: security@freebsd.org
Subject: Re: HEADS UP: OpenSSH 3.8p1
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Thu, 26 Feb 2004 11:33:07 -0000

On Thu, Feb 26, 2004 at 12:30:03PM +0100, Dag-Erling Smørgrav wrote:
> Take the usual precautions when upgrading.
>
> Also note that I have changed some configuration defaults: the server
> no longer accepts protocol version 1 nor password authentication by
> default. If your ssh client does not support ssh protocol version 2
> or keyboard-interactive authentication, the recommended measures are:
>
> 1) get a better client
> 2) get a better client (I mean it)
> 3) get a better client (for real this time!)
>
> and as a last resort
>
> 4) enable protocol version 1 and password authentication in sshd_config

What do you think about adding a note to UPDATING?

Thanks.
-- 
Regards,                  /"\  ascii ribbon campaign
Sergey "ozz" Osokin,      \ /  against html mail
http://ozz.pp.ru/          X   and news
                          / \

From owner-freebsd-security@FreeBSD.ORG Thu Feb 26 06:43:43 2004
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6E6ED16A4CE for ; Thu, 26 Feb 2004 06:43:43 -0800 (PST)
Received: from ciistr2.ist.utl.pt (ciistr2.ist.utl.pt [193.136.128.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id E358743D31 for ; Thu, 26 Feb 2004 06:43:42 -0800 (PST) (envelope-from bruno@mrna.ist.utl.pt)
Received: from mail.ist.utl.pt (mail.ist.utl.pt [193.136.128.8]) by ciistr2.ist.utl.pt (Postfix) with ESMTP id 648984A737 for ; Thu, 26 Feb 2004 14:43:41 +0000 (WET)
Received: from mrna.ist.utl.pt ([213.22.170.137]) (AUTH: LOGIN bruno.afonso, SSL: TLSv1/SSLv3,256bits,AES256-SHA) by mail.ist.utl.pt with esmtp; Thu, 26 Feb 2004 14:43:40 +0000
Message-ID: <403E061E.30307@mrna.ist.utl.pt>
Date: Thu, 26 Feb 2004 14:43:42 +0000
From: Bruno Afonso
User-Agent: Mozilla Thunderbird 0.5 (Windows/20040207)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
References: <200402192315.i1JNFxo4004083@caligula.anu.edu.au>
In-Reply-To: <200402192315.i1JNFxo4004083@caligula.anu.edu.au>
X-Enigmail-Version: 0.83.2.0
X-Enigmail-Supports: pgp-inline, pgp-mime
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: traffic normalizer for ipfw?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Thu, 26 Feb 2004 14:43:43 -0000

Darren Reed wrote:
> normalizing is overrated as a firewall feature - it's really
> something that belongs in IDS software.
>
> > We're looking at bringing pf into the tree.
>
> For what benefit you have to wonder...

It's BSD licensed. It's nicely integrated with altq, which will also hopefully come into the tree. That alone is worth it, let alone other nice features. And yes, users like these features and that's something you are going to have to live with.

Please stop this pf bashing you are fond of and stop thinking you know what others like/want in a firewall. Choice is a great thing, respect that.

BA

-- 
Bruno Miguel Afonso
Biological Eng. student
D.E.Q. @ I.S.T.
- Portugal
GnuPG Public key: http://dequim.ist.utl.pt/~bruno/gpg

From owner-freebsd-security@FreeBSD.ORG Thu Feb 26 07:30:05 2004
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A411016A4CE; Thu, 26 Feb 2004 07:30:05 -0800 (PST)
Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2B41243D1D; Thu, 26 Feb 2004 07:30:05 -0800 (PST) (envelope-from nectar@celabo.org)
Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.celabo.org (Postfix) with ESMTP id AF9BF548A2; Thu, 26 Feb 2004 09:30:04 -0600 (CST)
Received: by madman.celabo.org (Postfix, from userid 1001) id 407CD6D455; Thu, 26 Feb 2004 09:30:04 -0600 (CST)
Date: Thu, 26 Feb 2004 09:30:04 -0600
From: "Jacques A. Vidrine"
To: kientzle@acm.org
Message-ID: <20040226153004.GB46714@madman.celabo.org>
Mail-Followup-To: "Jacques A. Vidrine" , kientzle@acm.org, freebsd-security@freebsd.org, das@freebsd.org
References: <403CEF67.5040004@kientzle.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <403CEF67.5040004@kientzle.com>
X-Url: http://www.celabo.org/
User-Agent: Mutt/1.5.4i-ja.1
cc: freebsd-security@freebsd.org
cc: das@freebsd.org
Subject: Re: Environment Poisoning and login -p
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Thu, 26 Feb 2004 15:30:05 -0000

On Wed, Feb 25, 2004 at 10:54:31AM -0800, Tim Kientzle wrote:
[...]
> Possible fix: Have login unconditionally discard LD_LIBRARY_PATH
> and LD_PRELOAD from the environment, even if "-p" is specified.
[...]
> Possible fix: Eliminate the "-p" option to login.

I would prefer to redefine `-p' to mean, ``don't discard environmental variables believed to be safe to propagate''. We can start with this list:

  http://www.opengroup.org/onlinepubs/007904975/basedefs/xbd_chap08.html

plus

  EDITOR
  KRB5CCNAME
  LOGIN
  MAILDIR
  SSH_AGENT_PID
  SSH_AUTH_SOCK
  TERMCAP

If that is too draconian for you, then I guess just drop /LD_.*/.

Put the `environment cleaner' in libutil.
Cheers,
-- 
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org

From owner-freebsd-security@FreeBSD.ORG Thu Feb 26 07:38:17 2004
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CC69316A4CE for ; Thu, 26 Feb 2004 07:38:17 -0800 (PST)
Received: from smtp3b.sentex.ca (smtp3b.sentex.ca [205.211.164.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 85C8343D3F for ; Thu, 26 Feb 2004 07:38:17 -0800 (PST) (envelope-from mike@sentex.net)
Received: from avscan1.sentex.ca (avscan1.sentex.ca [199.212.134.11]) by smtp3b.sentex.ca (8.12.10/8.12.10) with ESMTP id i1QFbk3Z034853; Thu, 26 Feb 2004 10:37:51 -0500 (EST) (envelope-from mike@sentex.net)
Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by avscan1.sentex.ca (8.12.10/8.12.10) with ESMTP id i1QFc9xa029604; Thu, 26 Feb 2004 10:38:09 -0500 (EST) (envelope-from mike@sentex.net)
Received: from simian.sentex.net ([192.168.43.27]) by lava.sentex.ca (8.12.9p2/8.12.9) with ESMTP id i1QFc7Za011025; Thu, 26 Feb 2004 10:38:07 -0500 (EST) (envelope-from mike@sentex.net)
Message-Id: <6.0.3.0.0.20040226103723.07f24f98@209.112.4.2>
X-Sender: mdtpop@209.112.4.2 (Unverified)
X-Mailer: QUALCOMM Windows Eudora Version 6.0.3.0
Date: Thu, 26 Feb 2004 10:38:11 -0500
To: des@des.no (Dag-Erling Smørgrav)
From: Mike Tancsa
In-Reply-To:
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format=flowed
Content-Transfer-Encoding: quoted-printable
X-Virus-Scanned: by amavisd-new
cc: security@freebsd.org
Subject: Re: HEADS UP: OpenSSH 3.8p1
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Thu, 26 Feb 2004 15:38:17 -0000

Hi,

Are there plans to MFC 3.8 as well as the new sshd_config defaults to RELENG_4?

---Mike

At 06:30 AM 26/02/2004, Dag-Erling Smørgrav wrote:
>Take the usual precautions when upgrading.
>
>Also note that I have changed some configuration defaults: the server
>no longer accepts protocol version 1 nor password authentication by
>default. If your ssh client does not support ssh protocol version 2
>or keyboard-interactive authentication, the recommended measures are:
>
> 1) get a better client
> 2) get a better client (I mean it)
> 3) get a better client (for real this time!)
>
>and as a last resort
>
> 4) enable protocol version 1 and password authentication in sshd_config
>
>DES
>-- 
>Dag-Erling Smørgrav - des@des.no
>_______________________________________________
>freebsd-security@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-security
>To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Thu Feb 26 07:54:00 2004
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 61B1416A4CE for ; Thu, 26 Feb 2004 07:54:00 -0800 (PST)
Received: from smtp.des.no (flood.des.no [217.116.83.31]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0311343D1F for ; Thu, 26 Feb 2004 07:54:00 -0800 (PST) (envelope-from des@des.no)
Received: by smtp.des.no (Pony Express, from userid 666) id A0F0C5309; Thu, 26 Feb 2004 16:53:58 +0100 (CET)
Received: from dwp.des.no (des.no [80.203.228.37]) by smtp.des.no (Pony Express) with ESMTP id C48215308; Thu, 26 Feb 2004 16:53:51 +0100 (CET)
Received: by dwp.des.no (Postfix, from userid 2602) id 4D69E33C71; Thu, 26 Feb 2004 16:53:51 +0100 (CET)
To: Mike Tancsa
References: <6.0.3.0.0.20040226103723.07f24f98@209.112.4.2>
From: des@des.no (Dag-Erling Smørgrav)
Date: Thu, 26 Feb 2004 16:53:51 +0100
In-Reply-To: <6.0.3.0.0.20040226103723.07f24f98@209.112.4.2> (Mike Tancsa's message of "Thu, 26 Feb 2004 10:38:11 -0500")
Message-ID:
User-Agent: Gnus/5.090024 (Oort Gnus v0.24) Emacs/21.3 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on flood.des.no
X-Spam-Level:
X-Spam-Status: No, hits=0.0 required=5.0 tests=AWL autolearn=no version=2.63
cc: security@freebsd.org
Subject: Re: HEADS UP: OpenSSH 3.8p1
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Thu, 26 Feb 2004 15:54:00 -0000

Mike Tancsa writes:
> Are there plans to MFC 3.8 as well as the new sshd_config defaults to
> RELENG_4 ?

No.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Thu Feb 26 08:35:39 2004
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 442E516A4CE for ; Thu, 26 Feb 2004 08:35:39 -0800 (PST)
Received: from mail.secureworks.net (mail.secureworks.net [209.101.212.155]) by mx1.FreeBSD.org (Postfix) with SMTP id AEFBD43D2D for ; Thu, 26 Feb 2004 08:35:38 -0800 (PST) (envelope-from mdg@secureworks.net)
Received: (qmail 12876 invoked from network); 26 Feb 2004 16:32:36 -0000
Received: from unknown (HELO HOST-192-168-8-243.internal.secureworks.net) (63.239.86.253) by mail.secureworks.net with SMTP; 26 Feb 2004 16:32:36 -0000
Date: Thu, 26 Feb 2004 11:35:37 -0500 (EST)
From: Matthew George
X-X-Sender: mdg@localhost
To: Dorin H
In-Reply-To: <20040226040210.25663.qmail@web12609.mail.yahoo.com>
Message-ID: <20040226112647.A28880@localhost>
References: <20040226040210.25663.qmail@web12609.mail.yahoo.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd-security@freebsd.org
Subject: Re: improve ipfw rules
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Thu, 26 Feb 2004 16:35:39 -0000

On Wed, 25 Feb 2004, Dorin H wrote:

> Snort's http plugin does "application-level" stream
> analysis, AFAIK. Why could you not design a similar
> plugin, or just some well written rules? (just 2c) Use
> snortsam to alert the firewall (FBSD ipf for example)
> to block the traffic, and keep the fw free of stateful
> traffic analysis as much as possible, for the sake of
> performance.
> BTW, does anyone know if snortsam works with ipfw?
> /Dorin.

There were patches released some time ago that abstracted packet acquisition so that you could put snort inline via divert (or netfilter in linux), so you could block the first packet and not have to inject firewall rules.

As far as the application-level stream analysis, what I was referring to was something that would be smart enough to detect, for example, services running on non-standard ports based on the application protocol they are using, then filter based on the appropriate rules for that service. You can write snort rules for specific ports, but it would be better to have an HTTP set that gets applied once it has been identified that HTTP is the protocol in question. The same can then be used to do p2p or any other application filtering.
-- 
Matthew George
SecureWorks Technical Operations
404.327.6339

From owner-freebsd-security@FreeBSD.ORG Thu Feb 26 14:53:36 2004
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F130816A4CE; Thu, 26 Feb 2004 14:53:35 -0800 (PST)
Received: from nagual.pp.ru (pobrecita.freebsd.ru [194.87.13.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4742743D3F; Thu, 26 Feb 2004 14:53:35 -0800 (PST) (envelope-from ache@pobrecita.freebsd.ru)
Received: from pobrecita.freebsd.ru (ache@localhost [127.0.0.1]) by nagual.pp.ru (8.12.11/8.12.11) with ESMTP id i1QMpnrG073739; Fri, 27 Feb 2004 01:51:49 +0300 (MSK) (envelope-from ache@pobrecita.freebsd.ru)
Received: (from ache@localhost) by pobrecita.freebsd.ru (8.12.11/8.12.11/Submit) id i1QMpnrg073738; Fri, 27 Feb 2004 01:51:49 +0300 (MSK) (envelope-from ache)
Date: Fri, 27 Feb 2004 01:51:49 +0300
From: Andrey Chernov
To: kientzle@acm.org
Message-ID: <20040226225149.GB73252@nagual.pp.ru>
Mail-Followup-To: Andrey Chernov , kientzle@acm.org, freebsd-security@FreeBSD.ORG, das@FreeBSD.ORG
References: <403CEF67.5040004@kientzle.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <403CEF67.5040004@kientzle.com>
User-Agent: Mutt/1.5.6i
X-AntiVirus: checked by AntiVir Milter 1.0.6; AVE 6.24.0.5; VDF 6.24.0.20
cc: freebsd-security@FreeBSD.ORG
cc: das@FreeBSD.ORG
Subject: Re: Environment Poisoning and login -p
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Thu, 26 Feb 2004 22:53:36 -0000

On Wed, Feb 25, 2004 at 10:54:31AM -0800, Tim Kientzle wrote:
> Possible fix: Ignore "-p" flag if target shell is not
> in /etc/shells. In this scenario, a nologin program would
> not be listed in /etc/shells, and thus such attacks would
> be blocked.

Please, no; the -p functionality is there for a reason.

> Possible fix: Have login unconditionally discard LD_LIBRARY_PATH
> and LD_PRELOAD from the environment, even if "-p" is specified.

Yes! It is what I have said from the very beginning. It is so obvious that I wonder why others did not see it first.

> Possible fix: Eliminate the "-p" option to login.

No.
-- 
Andrey Chernov | http://ache.pp.ru/

From owner-freebsd-security@FreeBSD.ORG Thu Feb 26 15:09:31 2004
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7B3C116A4CE; Thu, 26 Feb 2004 15:09:31 -0800 (PST)
Received: from nagual.pp.ru (pobrecita.freebsd.ru [194.87.13.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9FDD743D2F; Thu, 26 Feb 2004 15:09:30 -0800 (PST) (envelope-from ache@pobrecita.freebsd.ru)
Received: from pobrecita.freebsd.ru (ache@localhost [127.0.0.1]) by nagual.pp.ru (8.12.11/8.12.11) with ESMTP id i1QN9NDM074219; Fri, 27 Feb 2004 02:09:23 +0300 (MSK) (envelope-from ache@pobrecita.freebsd.ru)
Received: (from ache@localhost) by pobrecita.freebsd.ru (8.12.11/8.12.11/Submit) id i1QN9NtM074218; Fri, 27 Feb 2004 02:09:23 +0300 (MSK) (envelope-from ache)
Date: Fri, 27 Feb 2004 02:09:22 +0300
From: Andrey Chernov
To: kientzle@acm.org
Message-ID: <20040226230921.GD73252@nagual.pp.ru>
Mail-Followup-To: Andrey Chernov , kientzle@acm.org, freebsd-security@FreeBSD.ORG, das@FreeBSD.ORG
References: <403CEF67.5040004@kientzle.com> <20040226225149.GB73252@nagual.pp.ru> <403E7B4D.8030803@kientzle.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <403E7B4D.8030803@kientzle.com>
User-Agent: Mutt/1.5.6i
X-AntiVirus: checked by AntiVir Milter 1.0.6; AVE 6.24.0.5; VDF 6.24.0.20
cc: freebsd-security@FreeBSD.ORG
cc: das@FreeBSD.ORG
Subject: Re: Environment Poisoning and login -p
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Thu, 26 Feb 2004 23:09:31 -0000

On Thu, Feb 26, 2004 at 03:03:41PM -0800, Tim Kientzle wrote:
> Instead, I've decided to follow Jacques Vidrine's
> suggestion of using a whitelist of environment variables
> that are "known-safe."

Well, I agree with that too, if it will be big enough. At least don't forget about putting LANG and LC_* there.
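The whitelist that Jacques Vidrine proposed earlier in this thread, which Tim Kientzle's first mail says he would prefer over an LD_* blacklist and to which Andrey adds LANG and LC_*, worked through as an added example. This is not code from the thread, from FreeBSD's login.c or from libutil; the variable list, the prefixes, the constructed hostile environment and the function names (env_whitelist, env_blacklist_ld, env_has) are this example's own assumptions. Running it shows why the thread keeps returning to a whitelist: the LD_-only blacklist strips the loader variables aimed at a dynamically linked nologin but passes ENV and IFS straight through to a nologin written as a shell script, while the whitelist drops everything it has not been told about.

```c
/*
 * envfilter.c: whitelist versus blacklist cleaning of the environment that
 * "login -p" would otherwise pass to the target account's shell. Added
 * example for this thread; not FreeBSD's login.c and not libutil code.
 * Build: cc -Wall -o envfilter envfilter.c
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Exact names passed through: an assumed list drawn from the names proposed
 * in the thread. HOME, SHELL, PATH, USER, LOGNAME and TERM are left out on
 * purpose, since login(1) sets those itself rather than inheriting them. */
static const char *const safe_names[] = {
	"EDITOR", "KRB5CCNAME", "LANG", "LOGIN", "MAILDIR",
	"SSH_AGENT_PID", "SSH_AUTH_SOCK", "TERMCAP", "TZ", NULL
};
/* Name prefixes passed through: LC_ALL, LC_CTYPE, LC_MESSAGES, ... */
static const char *const safe_prefixes[] = { "LC_", NULL };
/* The blacklist alternative: only what the run-time linker reads. */
static const char *const ld_prefixes[] = { "LD_", NULL };

/* Constructed hostile environment, as a local user could hand it to
 * "login -p victim". LD_* targets a dynamically linked nologin; ENV and IFS
 * stand for variables a Bourne shell can read when nologin is a script
 * (representative examples assumed here, not a complete list). */
static char *const sample_env[] = {
	"LD_PRELOAD=/tmp/evil.so", "LD_LIBRARY_PATH=/tmp", "ENV=/tmp/rc", "IFS= ",
	"LANG=C", "LC_CTYPE=en_US.ISO8859-1", "TERM=vt100", NULL
};

/* Length of the NAME part of a NAME=value entry. */
static size_t name_len(const char *kv)
{
	const char *eq = strchr(kv, '=');
	return eq != NULL ? (size_t)(eq - kv) : strlen(kv);
}

/* True if the NAME of kv equals (prefix false) or starts with (prefix true)
 * an entry of the NULL-terminated list. */
static bool name_matches(const char *kv, const char *const *list, bool prefix)
{
	size_t n = name_len(kv);
	for (; *list != NULL; list++) {
		size_t l = strlen(*list);
		if ((prefix ? l <= n : l == n) && strncmp(kv, *list, l) == 0)
			return true;
	}
	return false;
}

/* Copy the entries keep() accepts into a fresh NULL-terminated array. */
static char **filter_env(char *const *envp, bool (*keep)(const char *))
{
	size_t n = 0, out = 0;
	while (envp[n] != NULL)
		n++;
	char **res = calloc(n + 1, sizeof *res);   /* zeroed: terminator included */
	if (res == NULL)
		return NULL;
	for (size_t i = 0; i < n; i++) {
		if (!keep(envp[i]))
			continue;
		res[out] = malloc(strlen(envp[i]) + 1);
		if (res[out] != NULL)
			strcpy(res[out++], envp[i]);
	}
	return res;
}

static bool keep_whitelisted(const char *kv)
{
	return name_matches(kv, safe_names, false) || name_matches(kv, safe_prefixes, true);
}
static bool keep_unless_ld(const char *kv) { return !name_matches(kv, ld_prefixes, true); }

/* Whitelist: only known-safe names survive. Free the result with env_free(). */
char **env_whitelist(char *const *envp) { return filter_env(envp, keep_whitelisted); }
/* Blacklist: everything but LD_* survives, ENV and IFS included. */
char **env_blacklist_ld(char *const *envp) { return filter_env(envp, keep_unless_ld); }

bool env_has(char *const *envp, const char *name)
{
	const char *const one[] = { name, NULL };
	for (; *envp != NULL; envp++)
		if (name_matches(*envp, one, false))
			return true;
	return false;
}
size_t env_count(char *const *envp) { size_t n = 0; while (envp[n] != NULL) n++; return n; }
void env_free(char **envp) { for (char **p = envp; *p != NULL; p++) free(*p); free(envp); }

int main(void)
{
	char **w = env_whitelist(sample_env), **b = env_blacklist_ld(sample_env);
	printf("whitelist keeps %zu of %zu:", env_count(w), env_count(sample_env));
	for (char **p = w; *p != NULL; p++)
		printf(" %s", *p);
	printf("\nLD_ blacklist keeps %zu; ENV still passed: %s, IFS still passed: %s\n",
	    env_count(b), env_has(b, "ENV") ? "yes" : "no", env_has(b, "IFS") ? "yes" : "no");
	env_free(w);
	env_free(b);
	return 0;
}
```

TERM, HOME, PATH and the other names login(1) sets itself are absent from the list because login does not inherit them at all; any name the list does not mention is simply dropped, so adding entries (as Andrey asks for LANG and LC_*) is the only maintenance a whitelist needs, whereas the blacklist has to be revisited every time rtld or a shell learns a new environment knob.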
--
Andrey Chernov | http://ache.pp.ru/

From owner-freebsd-security@FreeBSD.ORG Thu Feb 26 19:26:07 2004
Message-Id: <200402270326.i1R3Q2Ed073139@cwsys.cwsent.com>
From: Cy Schubert
To: FreeBSD-Security Mailing List, FreeBSD-Ports Mailing List
Date: Thu, 26 Feb 2004 19:26:02 -0800
Subject: krb5-1.3.2 is released (fwd)

Just a quick heads up, I'm currently working on this. It's building on -CURRENT. Yet to be done: testing on -CURRENT, build & test on -STABLE, and verification of pkg-plist currency. I will post patches to the krb5 port to -security and -ports and, assuming I don't get negative feedback, I will commit sometime late Saturday or on Sunday when I return from my trip to Vancouver.

As crypto-publish.org does not yet distribute krb5-1.3.2, the crypto-publish.org section of the Makefile will continue to install krb5-1.3.1_3. This of course assumes pkg-plist compatibility. If changes need to be made to pkg-plist, crypto-publish.org fetch support will be temporarily disabled until they can post krb5-1.3.2 on their website.

Cheers,
--
Cy Schubert                     http://www.komquats.com/
BC Government                   . FreeBSD UNIX
Cy.Schubert@osg.gov.bc.ca       . cy@FreeBSD.org
http://www.gov.bc.ca/           . http://www.FreeBSD.org/

------- Forwarded Message

Date: Thu, 26 Feb 2004 20:15:12 -0500
From: Tom Yu
To: kerberos-announce@MIT.EDU
Subject: krb5-1.3.2 is released

-----BEGIN PGP SIGNED MESSAGE-----

The MIT Kerberos Team announces the availability of MIT Kerberos 5 Release 1.3.2. Please see below for a list of some major changes since krb5-1.3.1, or consult the README file in the source tree for a more detailed list of significant changes.

RETRIEVING KERBEROS 5 RELEASE 1.3.2
===================================

You may retrieve the Kerberos 5 Release 1.3.2 source from the following URL:

        http://web.mit.edu/kerberos/dist/

The homepage for the krb5-1.3.2 release is:

        http://web.mit.edu/kerberos/krb5-1.3/

Further information about Kerberos 5 may be found at the following URL:

        http://web.mit.edu/kerberos/

MAJOR CHANGES SINCE RELEASE 1.3.1
=================================

* Support for AES in GSSAPI has been implemented. This corresponds to the in-progress work in the IETF (CFX).

* Added a new ccache type "MSLSA:" for read-only access to the MS Windows LSA cache.

* On Windows, krb5.exe now has a checkbox to request addressless tickets.

* To avoid compatibility problems, unrecognized TGS options will now be ignored.

* 128-bit AES has been added to the default enctypes.

* AES cryptosystem now chains IVs. This WILL break backwards compatibility for the kcmd applications, if they are using AES session keys.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (SunOS)

iQCVAwUBQD6aI6bDgE/zdoE9AQH+bwQAlC2pvr+DbnYNw8NzlBAng6Hpqf3b5StJ
sZDakTpcOSalnouKv5TxRjLyG9hu9kz7e1Vl1/b9BDU5ROx9yTZnIV5PSxVO8JzR
QjfCM/hp1k+UeEtc81b63Thw//le4PBMc+8NM03Rmyiro4780SXKcbgyV+yF5ijD
Bj8AOFxdc1A=
=uPfm
-----END PGP SIGNATURE-----
_______________________________________________
kerberos-announce mailing list
kerberos-announce@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos-announce

------- End of Forwarded Message

From owner-freebsd-security@FreeBSD.ORG Thu Feb 26 15:04:03 2004
Message-ID: <403E7B4D.8030803@kientzle.com>
Date: Thu, 26 Feb 2004 15:03:41 -0800
From: Tim Kientzle
To: Andrey Chernov
cc: freebsd-security@FreeBSD.ORG, das@FreeBSD.ORG, kientzle@acm.org
In-Reply-To: <20040226225149.GB73252@nagual.pp.ru>
Subject: Re: Environment Poisoning and login -p

Andrey Chernov wrote:
> On Wed, Feb 25, 2004 at 10:54:31AM -0800, Tim Kientzle wrote:
>
>> Possible fix: Have login unconditionally discard LD_LIBRARY_PATH
>> and LD_PRELOAD from the environment, even if "-p" is specified.
>
> Yes! It is what I say from very beginning. It is so obvious that I wonder
> why others not see it first.

It is obvious, it's just not very safe. In general, blacklist approaches are pretty poor; it's hard to make sure you've caught everything and future changes to other parts of the system can easily open new problems.

Instead, I've decided to follow Jacques Vidrine's suggestion of using a whitelist of environment variables that are "known-safe."
Tim Kientzle

From owner-freebsd-security@FreeBSD.ORG Fri Feb 27 03:13:55 2004
Date: Fri, 27 Feb 2004 05:13:53 -0600
From: D J Hawkey Jr
To: kientzle@acm.org
cc: Andrey Chernov, das@freebsd.org, freebsd-security@freebsd.org
Message-ID: <20040227111353.GA14777@sheol.localdomain>
In-Reply-To: <403E7B4D.8030803@kientzle.com>
Subject: Re: Environment Poisoning and login -p

On Feb 26, at 03:03 PM, Tim Kientzle wrote:
>
> Andrey Chernov wrote:
> >On Wed, Feb 25, 2004 at 10:54:31AM -0800, Tim Kientzle wrote:
> >
> >>Possible fix: Have login unconditionally discard LD_LIBRARY_PATH
> >>and LD_PRELOAD from the environment, even if "-p" is specified.
> >
> >Yes! It is what I say from very beginning. It is so obvious that I wonder
> >why others not see it first.
>
> Instead, I've decided to follow Jacques Vidrine's
> suggestion of using a whitelist of environment variables
> that are "known-safe."

Coming in from left field... Will there be some sort of mechanism for an admin to set/modify this list?

Runs, ducking,
Dave

--
D. J. HAWKEY JR.
hawkeyd@visi.com
http://www.visi.com/~hawkeyd/

From owner-freebsd-security@FreeBSD.ORG Fri Feb 27 03:20:21 2004
Date: Fri, 27 Feb 2004 13:20:30 +0200
From: Peter Pentchev
To: D J Hawkey Jr
cc: freebsd-security@freebsd.org, Andrey Chernov, das@freebsd.org, kientzle@acm.org
Message-ID: <20040227112029.GA736@straylight.m.ringlet.net>
In-Reply-To: <20040227111353.GA14777@sheol.localdomain>
Subject: Re: Environment Poisoning and login -p

On Fri, Feb 27, 2004 at 05:13:53AM -0600, D J Hawkey Jr wrote:
> On Feb 26, at 03:03 PM, Tim Kientzle wrote:
> >
> > Andrey Chernov wrote:
> > >On Wed, Feb 25, 2004 at 10:54:31AM -0800, Tim Kientzle wrote:
> > >
> > >>Possible fix: Have login unconditionally discard LD_LIBRARY_PATH
> > >>and LD_PRELOAD from the environment, even if "-p" is specified.
> > >
> > >Yes! It is what I say from very beginning. It is so obvious that I wonder
> > >why others not see it first.
> >
> > Instead, I've decided to follow Jacques Vidrine's
> > suggestion of using a whitelist of environment variables
> > that are "known-safe."
>
> Coming in from left field... Will there be some sort of mechanism for
> an admin to set/modify this list?
>
> Runs, ducking,
> Dave

Surely you are aware of the consequences of s/admin/intruder/?
:)

Still, it might be useful indeed.

G'luck,
Peter

--
Peter Pentchev   roam@ringlet.net   roam@sbnd.net   roam@FreeBSD.org
PGP key:         http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint  FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
Hey, out there - is it *you* reading me, or is it someone else?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)

iD8DBQFAPyf97Ri2jRYZRVMRAmC/AJsFmED0ilHN3BdGxjzmNPFg4YduiwCeK+mr
xfQvtdygC9SY2Qoy+WdxMJ8=
=3QTg
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Fri Feb 27 03:27:12 2004
Date: Fri, 27 Feb 2004 14:27:00 +0300
From: Andrey Chernov
To: D J Hawkey Jr
cc: freebsd-security@FreeBSD.ORG, das@FreeBSD.ORG, kientzle@acm.org
Message-ID: <20040227112658.GA36271@nagual.pp.ru>
In-Reply-To: <20040227111353.GA14777@sheol.localdomain>
Subject: Re: Environment Poisoning and login -p

On Fri, Feb 27, 2004 at 05:13:53AM -0600, D J Hawkey Jr wrote:
> > Instead, I've decided to follow Jacques Vidrine's
> > suggestion of using a whitelist of environment variables
> > that are "known-safe."
>
> Coming in from left field... Will there be some sort of mechanism for
> an admin to set/modify this list?

I agree we'll need it (because of different assumptions). Something like /etc/safe_environment file.
--
Andrey Chernov | http://ache.pp.ru/

From owner-freebsd-security@FreeBSD.ORG Fri Feb 27 03:31:02 2004
Date: Fri, 27 Feb 2004 05:30:37 -0600
From: D J Hawkey Jr
To: D J Hawkey Jr, kientzle@acm.org, Andrey Chernov, das@freebsd.org, freebsd-security@freebsd.org
Message-ID: <20040227113037.GA14849@sheol.localdomain>
In-Reply-To: <20040227112029.GA736@straylight.m.ringlet.net>
Subject: Re: Environment Poisoning and login -p

On Feb 27, at 01:20 PM, Peter Pentchev wrote:
>
> On Fri, Feb 27, 2004 at 05:13:53AM -0600, D J Hawkey Jr wrote:
> > On Feb 26, at 03:03 PM, Tim Kientzle wrote:
> > >
> > > Andrey Chernov wrote:
> > > >On Wed, Feb 25, 2004 at 10:54:31AM -0800, Tim Kientzle wrote:
> > > >
> > > >>Possible fix: Have login unconditionally discard LD_LIBRARY_PATH
> > > >>and LD_PRELOAD from the environment, even if "-p" is specified.
> > > >
> > > >Yes! It is what I say from very beginning. It is so obvious that I wonder
> > > >why others not see it first.
> > >
> > > Instead, I've decided to follow Jacques Vidrine's
> > > suggestion of using a whitelist of environment variables
> > > that are "known-safe."
> >
> > Coming in from left field... Will there be some sort of mechanism for
> > an admin to set/modify this list?
>
> Surely you are aware of the consequences of s/admin/intruder/? :)
> Still, it might be useful indeed.

Of course I do; it would have to be a "secure" mechanism (and more flexible than recompiling the utility).
But OTOH, how can the developers foresee all the possibilities of all the deployed systems Out There(tm)?

Dave

--
D. J. HAWKEY JR.
hawkeyd@visi.com
http://www.visi.com/~hawkeyd/

From owner-freebsd-security@FreeBSD.ORG Fri Feb 27 04:27:20 2004
Date: Fri, 27 Feb 2004 06:27:19 -0600
From: "Jacques A. Vidrine"
To: Andrey Chernov, D J Hawkey Jr, kientzle@acm.org, das@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Message-ID: <20040227122718.GA46119@madman.celabo.org>
In-Reply-To: <20040227112658.GA36271@nagual.pp.ru>
Subject: Re: Environment Poisoning and login -p

On Fri, Feb 27, 2004 at 02:27:00PM +0300, Andrey Chernov wrote:
> On Fri, Feb 27, 2004 at 05:13:53AM -0600, D J Hawkey Jr wrote:
> > > Instead, I've decided to follow Jacques Vidrine's
> > > suggestion of using a whitelist of environment variables
> > > that are "known-safe."
> >
> > Coming in from left field... Will there be some sort of mechanism for
> > an admin to set/modify this list?
>
> I agree we'll need it (because of different assumptions). Something like
> /etc/safe_environment file.

Whoa, Let's not complicate things unnecessarily.
Cheers,
--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org

From owner-freebsd-security@FreeBSD.ORG Fri Feb 27 04:33:32 2004
To: "Jacques A. Vidrine"
From: des@des.no (Dag-Erling Smørgrav)
Date: Fri, 27 Feb 2004 13:33:25 +0100
In-Reply-To: <20040227122718.GA46119@madman.celabo.org> (Jacques A. Vidrine's message of "Fri, 27 Feb 2004 06:27:19 -0600")
cc: freebsd-security@FreeBSD.ORG, Andrey Chernov, das@FreeBSD.ORG, kientzle@acm.org
Subject: Re: Environment Poisoning and login -p

"Jacques A. Vidrine" writes:
> On Fri, Feb 27, 2004 at 02:27:00PM +0300, Andrey Chernov wrote:
> > On Fri, Feb 27, 2004 at 05:13:53AM -0600, D J Hawkey Jr wrote:
> > > > Instead, I've decided to follow Jacques Vidrine's
> > > > suggestion of using a whitelist of environment variables
> > > > that are "known-safe."
> > > Coming in from left field... Will there be some sort of mechanism for
> > > an admin to set/modify this list?
> > I agree we'll need it (because of different assumptions). Something like
> > /etc/safe_environment file.
> Whoa, Let's not complicate things unnecessarily.

Agreed, let's let this discussion die instead. login(1) is no longer setuid root, so the whole thing is a non-issue.
DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Fri Feb 27 05:48:09 2004
Message-Id: <200402271348.i1RDm5Ed061390@cwsys.cwsent.com>
From: Cy Schubert
To: FreeBSD-Security Mailing List, FreeBSD-Ports Mailing List
Date: Fri, 27 Feb 2004 05:48:04 -0800
Subject: MIT Krb5 Port Upgrade

I will be updating the MIT krb5 port to krb5-1.3.2 this weekend. Unfortunately crypto-publish.org does not distribute the new source yet. Traditionally I disabled support for fetch from crypto-publish.org until they updated their website with the latest krb5 sources, requiring the port to fetch the source from MIT in all cases. This time will be different, that is unless of course someone objects. The port will be upgraded to krb5-1.3.2 when fetching from MIT; however, it will remain at krb5-1.3.1_3 when fetching from crypto-publish.org, that is until they update their website, which may take weeks.

In the meantime, enclosed are patches for the MIT krb5 port to update it to 1.3.2 (for fetch from MIT only). The 1.3.2 part has been tested locally; however, as I just managed to rebuild my testbed, the 1.3.1_3 part is untested.

If anyone has any comments, suggestions, or objections, please rattle my cage.

Thanks.

Cheers,
--
Cy Schubert                     http://www.komquats.com/
BC Government                   . FreeBSD UNIX
Cy.Schubert@osg.gov.bc.ca       . cy@FreeBSD.org
http://www.gov.bc.ca/           .
http://www.FreeBSD.org/ --==_Exmh_19192901920 Content-Type: text/plain ; name="krb5.diff"; charset=us-ascii Content-Description: krb5.diff Content-Disposition: attachment; filename="krb5.diff" Index: Makefile =================================================================== RCS file: /home/pcvs/ports/security/krb5/Makefile,v retrieving revision 1.69 diff -u -r1.69 Makefile --- Makefile 21 Feb 2004 04:39:05 -0000 1.69 +++ Makefile 27 Feb 2004 13:33:58 -0000 @@ -6,14 +6,17 @@ # PORTNAME= krb5 -PORTVERSION= 1.3.1 -PORTREVISION= 3 +PORTVERSION= 1.3.2 CATEGORIES= security # USE_TARBALL tells the port that the user has fetched the source # directly from MIT or crypto-publish.org (CRYTPO-PUBLISH). USE_KRB5_TARBALL?= MIT .if defined(USE_KRB5_TARBALL) && ${USE_KRB5_TARBALL} == "CRYPTO-PUBLISH" +# XXX crypto-publish.org still distributes krb5-1.3.1 +PORTVERSION= 1.3.1 +PORTREVISION= 3 +# XXX --- MASTER_SITES= http://www.crypto-publish.org/dist/mit-kerberos5/ EXTRACT_SUFX= .tar.gz .else Index: distinfo =================================================================== RCS file: /home/pcvs/ports/security/krb5/distinfo,v retrieving revision 1.18 diff -u -r1.18 distinfo --- distinfo 8 Aug 2003 23:35:18 -0000 1.18 +++ distinfo 27 Feb 2004 13:33:58 -0000 
@@ -1,2 +1,2 @@ -MD5 (krb5-1.3.1.tar) = 514ef9f6a2d390625e8aae7c972e4831 +MD5 (krb5-1.3.2.tar) = e8c3de8ede73b1a117e6519aa17e4412 MD5 (krb5-1.3.1.tar.gz) = 73f868cf65bec56d7c718834ca5665fd --==_Exmh_19192901920-- From owner-freebsd-security@FreeBSD.ORG Fri Feb 27 10:32:01 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A325B16A9FC; Fri, 27 Feb 2004 10:32:01 -0800 (PST) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8824743D2D; Fri, 27 Feb 2004 10:32:01 -0800 (PST) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (nectar@localhost [127.0.0.1]) i1RIW1bv024460; Fri, 27 Feb 2004 10:32:01 -0800 (PST) (envelope-from security-advisories@freebsd.org) Received: (from nectar@localhost) by freefall.freebsd.org (8.12.10/8.12.10/Submit) id i1RIW1Rm024458; Fri, 27 Feb 2004 10:32:01 -0800 (PST) (envelope-from security-advisories@freebsd.org) Date: Fri, 27 Feb 2004 10:32:01 -0800 (PST) Message-Id: <200402271832.i1RIW1Rm024458@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: nectar set sender to security-advisories@freebsd.org using -f 
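Review bot: in the Makefile hunk, `PORTVERSION= 1.3.2` is assigned unconditionally and then overridden by `PORTVERSION= 1.3.1` inside the `CRYPTO-PUBLISH` branch of the `.if`, so which version the port builds depends on a reassignment several lines below the first one; make accepts that, but it is easy to miss when the temporary block is later removed. It would be clearer to set `PORTVERSION` and `PORTREVISION` in both arms of the `.if`/`.else`, and to replace the bare `# XXX ---` closing marker with a comment saying the block goes away once crypto-publish.org carries 1.3.2. The `CRYPTO-PUBLISH` branch also silently builds the older 1.3.1_3 sources; a user who set `USE_KRB5_TARBALL` that way should see a build-time message saying so, since they are not getting the changes in 1.3.2. The unchanged comment above the `.if` still spells the knob value `CRYTPO-PUBLISH`; worth fixing while here.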
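Review bot: in the distinfo hunk, the new `MD5 (krb5-1.3.2.tar)` line is the only integrity check the MIT fetch path gets, and the cover mail says only that the 1.3.2 part was tested locally; record in the commit message how the tarball was verified (the release announcement forwarded earlier in this digest is PGP signed) so the hash is traceable to its source. Keeping `MD5 (krb5-1.3.1.tar.gz)` is right because the `CRYPTO-PUBLISH` branch of the Makefile still fetches that file, but the mail also says that path is untested after this change; a `make checksum` with `USE_KRB5_TARBALL=CRYPTO-PUBLISH` before committing would confirm the remaining line still matches.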
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-04:03.jail

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-04:03.jail                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Jailed processes can attach to other jails

Category:       core
Module:         kernel
Announced:      2004-02-25
Credits:        JAS Group (http://www.cs.mu.oz.au/jas/)
Affects:        FreeBSD 5.1-RELEASE
                FreeBSD 5.2-RELEASE
Corrected:      2004-02-19 23:26:39 UTC (RELENG_5_2, 5.2.1-RC2)
                2004-02-25 20:03:35 UTC (RELENG_5_1, 5.1-RELEASE-p14)
CVE Name:       CAN-2004-0126
FreeBSD only:   YES

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit .

I.   Background

The jail(2) system call allows a system administrator to lock up a process and all its descendants inside a closed environment with very limited ability to affect the system outside that environment, even for processes with superuser privileges. It is an extension of, but far more stringent than, the traditional Unix chroot(2) system call.

The jail_attach(2) system call, which was introduced in FreeBSD 5 before 5.1-RELEASE, allows a non-jailed process to permanently move into an existing jail.

II.  Problem Description

A programming error has been found in the jail_attach(2) system call which affects the way that system call verifies the privilege level of the calling process.
Instead of failing immediately if the calling process was already jailed, the jail_attach(2) system call would fail only after changing the calling process's root directory.

III. Impact

A process with superuser privileges inside a jail could change its root directory to that of a different jail, and thus gain full read and write access to files and directories within the target jail.

IV.  Workaround

No workaround is available.

V.   Solution

Do one of the following:

1) Upgrade your vulnerable system to 5.2.1-RELEASE, or to the RELENG_5_2 or RELENG_5_1 security branch dated after the correction date.

OR

2) Patch your present system:

The following patch has been verified to apply to FreeBSD 5.1 and 5.2 systems.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:03/jail.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:03/jail.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_5_2
  src/sys/kern/kern_jail.c                                         1.34.2.1
RELENG_5_1
  src/UPDATING                                                   1.251.2.16
  src/sys/conf/newvers.sh                                         1.50.2.16
  src/sys/kern/kern_jail.c                                         1.33.2.1
- -------------------------------------------------------------------------

VII.
References -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) iD8DBQFAP4xVFdaIBMps37IRArw1AJ9jNZIsJHYlKt+NEsOgp5cti/Cs+gCdFa0j 3cvPHMce6awUESculjC3Z/I= =LQo0 -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Fri Feb 27 11:44:05 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7102216A4CE for ; Fri, 27 Feb 2004 11:44:05 -0800 (PST) Received: from snafu.adept.org (adsl-67-117-158-73.dsl.snfc21.pacbell.net [67.117.158.73]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4ED7C43D2F for ; Fri, 27 Feb 2004 11:44:05 -0800 (PST) (envelope-from mike@adept.org) Received: by snafu.adept.org (Postfix, from userid 1000) id 8B9EC9EEF0; Fri, 27 Feb 2004 11:43:50 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by snafu.adept.org (Postfix) with ESMTP id 5C7639B148 for ; Fri, 27 Feb 2004 11:43:50 -0800 (PST) Date: Fri, 27 Feb 2004 11:43:50 -0800 (PST) 
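The ordering defect the advisory describes, modelled in user space as an added illustration (this is not FreeBSD kernel code; struct proc, struct jail and both attach functions are invented for the example): the buggy variant rewrites the caller's root directory before checking whether it is already jailed, so the EPERM it eventually returns leaves the root changed, while the corrected variant performs the check first.

```c
/* Constructed model of the jail_attach(2) ordering bug in
 * FreeBSD-SA-04:03.jail.  Added illustration, not FreeBSD kernel code:
 * struct proc, struct jail and the attach functions are invented here. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define ROOT_MAX 64

struct jail { int id; char root[ROOT_MAX]; };

struct proc {
    int  jailed;            /* non-zero once the process lives in a jail */
    int  jail_id;
    char root[ROOT_MAX];    /* current root directory */
};

/* Buggy ordering: the root directory is rewritten first and the
 * privilege check runs afterwards.  EPERM is returned, but the caller's
 * root already points into the target jail. */
static int jail_attach_buggy(struct proc *p, const struct jail *target)
{
    snprintf(p->root, ROOT_MAX, "%s", target->root);
    if (p->jailed)
        return EPERM;       /* too late: state was already modified */
    p->jailed = 1;
    p->jail_id = target->id;
    return 0;
}

/* Corrected ordering: refuse a jailed caller before any state changes. */
static int jail_attach_fixed(struct proc *p, const struct jail *target)
{
    if (p->jailed)
        return EPERM;
    snprintf(p->root, ROOT_MAX, "%s", target->root);
    p->jailed = 1;
    p->jail_id = target->id;
    return 0;
}

/* Regression check: a jailed caller must be refused AND keep its root.
 * Returns 1 when both hold, 0 otherwise. */
static int rejected_and_root_kept(int (*attach)(struct proc *, const struct jail *))
{
    struct jail other = { 2, "/jails/other" };
    struct proc p = { 1, 1, "/jails/mine" };    /* constructed: already jailed */
    return attach(&p, &other) == EPERM && strcmp(p.root, "/jails/mine") == 0;
}
```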
From: Mike Hoskins
To: freebsd-security@FreeBSD.ORG
Message-ID: <20040227114106.G29673@snafu.adept.org>
References: <403CEF67.5040004@kientzle.com> <20040226225149.GB73252@nagual.pp.ru> <20040227111353.GA14777@sheol.localdomain> <20040227122718.GA46119@madman.celabo.org>
Subject: Re: Environment Poisoning and login -p
X-List-Received-Date: Fri, 27 Feb 2004 19:44:05 -0000

On Fri, 27 Feb 2004, Dag-Erling Smørgrav wrote:

> Agreed, let's let this discussion die instead.  login(1) is no longer
> setuid root, so the whole thing is a non-issue.

to be complete, i assume you mean under 5.x:

mike@snafu{mike}$ uname -r
4.8-RELEASE-p15
mike@snafu{mike}$ ls -al /usr/bin/login
-r-sr-xr-x  1 root  wheel  21824 Feb 23 13:45 /usr/bin/login*

hard to believe, but not everyone is using 5.x.  ;)  still, since 5.x is
stable and fast (...er than 4.x in many ways), i agree making extra work
in the name of 4.x is probably not the best idea when development
resources are already scarce.  (of course if someone is paranoid and
wants to make relevant patches against 4.x, and maintain them
separately, i'm sure at least some people wouldn't object.)

-m

Date: Sat, 28 Feb 2004 15:54:01 +1300 (NZDT)
From: Andrew McNaughton
To: freebsd-security@freebsd.org
In-Reply-To: <20040227112029.GA736@straylight.m.ringlet.net>
Message-ID: <20040228144701.H18919@a2.scoop.co.nz>
References: <403CEF67.5040004@kientzle.com> <20040226225149.GB73252@nagual.pp.ru> <20040227111353.GA14777@sheol.localdomain> <20040227112029.GA736@straylight.m.ringlet.net>
Subject: Re: Environment Poisoning and login -p
X-List-Received-Date: Sat, 28 Feb 2004 02:54:04 -0000

On Fri, 27 Feb 2004, Peter Pentchev wrote:

> On Fri, Feb 27, 2004 at 05:13:53AM -0600, D J Hawkey Jr wrote:
> > On Feb 26, at 03:03 PM, Tim Kientzle wrote:
> > >
> > > Andrey Chernov wrote:
> > > > On Wed, Feb 25, 2004 at 10:54:31AM -0800, Tim Kientzle wrote:
> > > >
> > > > > Possible fix: Have login unconditionally discard LD_LIBRARY_PATH
> > > > > and LD_PRELOAD from the environment, even if "-p" is specified.
> > > >
> > > > Yes! It is what I say from very beginning. It is so obvious that I wonder
> > > > why others not see it first.
> > >
> > > Instead, I've decided to follow Jacques Vidrine's
> > > suggestion of using a whitelist of environment variables
> > > that are "known-safe."

Sounds sensible to me, but it exaggerates the need for a configuration
file.

In the sudo man page under 'SECURITY NOTES', there are some details of a
blacklist approach taken by sudo, dealing with similar issues.  Worth
looking at while considering the extent of this problem, and because
omissions in sudo's blacklist are likely to have been discussed
somewhere already.

> > Coming in from left field... Will there be some sort of mechanism for
> > an admin to set/modify this list?
>
> Surely you are aware of the consequences of s/admin/intruder/? :)
>
> Still, it might be useful indeed.

If the intruder already has root, there's not much to lose here.

Andrew McNaughton

--
No added Sugar.  Not tested on animals.  May contain traces of Nuts.
If irritation occurs, discontinue use.

-------------------------------------------------------------------
Andrew McNaughton
Currently in Boomer Bay, Tasmania
andrew@scoop.co.nz
Mobile: +61 422 753 792
http://staff.scoop.co.nz/andrew/cv.doc
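The whitelist approach Tim Kientzle describes in the quoted message above, as an added example rather than the login(1) change itself: only environment entries whose name exactly matches a known-safe list survive, which removes LD_PRELOAD and LD_LIBRARY_PATH without having to enumerate them the way a blacklist must. The safe-name list and the sample environment are constructed for this example.

```c
/* Added example, not the login(1) code discussed in the thread: a
 * whitelist filter for an inherited environment, the approach the quoted
 * message describes for login -p.  The "known-safe" names below are
 * constructed for the example and are not the list FreeBSD adopted. */
#include <stddef.h>
#include <string.h>

static const char *const safe_names[] = { "TERM", "LANG", "TZ", "DISPLAY", NULL };

/* Match an environment entry "NAME=value" against a bare NAME.  The name
 * must be identical up to the '=', so TERMCAP does not pass a check
 * meant for TERM, and LD_PRELOAD_X does not pass one for LD_PRELOAD. */
static int env_name_is(const char *entry, const char *name)
{
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

static int is_whitelisted(const char *entry)
{
    for (const char *const *s = safe_names; *s != NULL; s++)
        if (env_name_is(entry, *s))
            return 1;
    return 0;
}

/* Copy only whitelisted entries from envp into out (NULL-terminated, at
 * most max-1 entries).  Entries without '=' are malformed and dropped.
 * Returns the number of entries kept. */
size_t filter_env(char *const *envp, const char **out, size_t max)
{
    size_t kept = 0;
    for (; *envp != NULL && kept + 1 < max; envp++) {
        if (strchr(*envp, '=') == NULL)
            continue;
        if (is_whitelisted(*envp))
            out[kept++] = *envp;
    }
    out[kept] = NULL;
    return kept;
}

/* Constructed inherited environment for the demonstration: two loader
 * variables, a near-miss name, and a malformed entry mixed with safe ones. */
static char *const sample_env[] = {
    "TERM=xterm", "LD_PRELOAD=/tmp/x.so", "LD_LIBRARY_PATH=/tmp",
    "TERMCAP=:co#80:", "LANG=C", "MALFORMED", "TZ=UTC", NULL
};
```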
From: "Peter Rosa"
To: "FreeBSD Security"
Date: Sat, 28 Feb 2004 19:36:05 +0100
Subject: Darkstat
X-List-Received-Date: Sat, 28 Feb 2004 18:36:16 -0000

Hi all,

please, tell me about the security of Darkstat. Is it a good idea to
install it on a firewall/gateway?

I'd like to measure our company traffic, but I do not have Apache running
on the gateway. How could I redirect Darkstat's output to a web server
inside the company?

Or is there some other tool which can measure in/out traffic and send
output to another machine? I know MRTG, but it uses SNMP, which I do not
know how to work with.

Best regards,
Peter Rosa

Date: Sat, 28 Feb 2004 22:58:52 +0000
From: Bruce M Simpson
To: Peter Rosa
cc: FreeBSD Security
Message-ID: <20040228225852.GM28287@saboteur.dek.spc.org>
In-Reply-To: <000b01c3fe29$ba244800$3501a8c0@peter>
References: <000b01c3fe29$ba244800$3501a8c0@peter>
Subject: Re: Darkstat
X-List-Received-Date: Sat, 28 Feb 2004 22:58:57 -0000

On Sat, Feb 28, 2004 at 07:36:05PM +0100, Peter Rosa wrote:
> Or is there some other tool, which can measure in/out traffic and send
> output to another machine ? I know MRTG, but it uses SNMP I do not know to
> work with.

I'm not familiar with Darkstat; I have some patches for trafd to implement
SNMP support (per-host statistics pollable via SNMP), which I plan to port
to bpft as it fixes many of the bugs present in trafd.

I currently use a combination of Cricket, rrdtool and net-snmp to produce
these kinds of statistics for routers on an interface basis, albeit running
on the same machine for expediency (we have a very small scale setup).

BMS