From owner-freebsd-security@FreeBSD.ORG Mon Apr 12 15:00:19 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E83FE16A4CE for ; Mon, 12 Apr 2004 15:00:18 -0700 (PDT) Received: from quip.cz (www.quip.cz [62.24.67.14]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4D8EC43D31 for ; Mon, 12 Apr 2004 15:00:16 -0700 (PDT) (envelope-from 000.fbsd@quip.cz) Received: from quip.cz (qwork.quip.dev [192.168.1.2]) by quip.cz (QuipMail) with ESMTP id 2E9912E01D for ; Tue, 13 Apr 2004 00:00:15 +0200 (CEST) Message-ID: <407B1170.8010900@quip.cz> Date: Tue, 13 Apr 2004 00:00:16 +0200 From: Miroslav Lachman <000.fbsd@quip.cz> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7b) Gecko/20040316 X-Accept-Language: cs, cz, en, en-us MIME-Version: 1.0 To: freebsd-security@freebsd.org Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Subject: fwd: mail server recommendations? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 Apr 2004 22:00:19 -0000 Hi I am re-sending this message to this list, because freebsd-security list could be more suitable for my question about UID / GID settings of Postfix virtual users accounts. in one sentence: "If all virtual users have same UID/GID, is there some real security risk?" Thank You and I am sorry for my bad english ================================== original message from freebsd-isp: Mark Johnston wrote: > Miroslav Lachman <000.fbsd@quip.cz> wrote: > >> Hi, I am running similar configuration on several machines (Postfix + >> Courier-IMAP [with POP3ssl/IMAP4ssl] + MySQL). I have a guestion about >> one general difference - unique UID / GID for each user. 
I guess it >> provide more security, but also some troubles. If all virtual users >> (stored in MySQL) have same UID/GID, postfix can be configured to create >> maildirs itself with first incoming message. If each user has unique >> UID, maildirs must be created manualy (or from shellscript) and chowned >> to UID/GID. > > > > Exactly - that's the tradeoff. > > >> My question: "If all virtual users have same UID/GID, is there some real >> security risk?". > > > > Sharing UIDs and GIDs can have good or bad effects on security. On a server with no users logging in, like mine, it's moot; nobody (well, nobody who hasn't compromised the server) can get at the maildir storage on disk, so nobody (ditto) can play with the mailboxes. On a server where users do log in, you can go two routes: > > - Unique UIDs/GIDs. This makes things more convenient for the user, since they can use mail clients on the server and get right at their mail. If you want to have local mail clients work at all, you have to do this. > > - Shared UID/GID. In this case, the user can't get at their own maildir, and they'll have to use LDAP/POP3 over loopback to read their mail. It does make management easier, though. > > It sounds to me like you're working with a server where users don't log in, since you're using MySQL to manage user accounts. In that case, unique UIDs buy you essentially nothing. > Yes, I am one and only who has shell account (logging via SSH), users have FTP, POP3/IMAP/webmail, HTTP access and CVS (CVSd pserver throught SSL [stunnel]) > >> I'll be glad to read if same UID/GID is secure or not, because I am >> writing webbased administration tool in PHP and main problem is creation >> of maildirs for new accounts. Same UID/GID could solve my problem. > > > > The only time that unique UIDs and GIDs are useful is when the user will be logging in locally, so you can just look in /etc/passwd, find the user's UID, and create the maildir with that. 
If the user doesn't have a system account, you've got no reason to start making up UIDs to give them one; just share a single UID. > > >> PS: sorry for my bad english and a little offtopic message > > > > Since you say "offtopic", I assume you intended this for the freebsd-isp list, instead of private mail. I've taken the liberty of including the list in the Cc again, since security advice like this shouldn't go unreviewed. :) You might also want to move this thread to freebsd-security@freebsd.org, to reach people with more security know-how. > I am sorry for my mistake, I really intended this for freebsd-isp list and I'll send it to freebsd-security too. Thank you for your opinion. > >> PPS: I'll publish webbased administration tool on sourceforge.net after >> completition > > > One more question - does anybody know some webbased administration tools for email accounts of postfix virtual users in MySQL/PgSQL? (I started writing my own, but I am still interested in comparison with other tools) -- Miroslav Lachman Webapplication Developer From owner-freebsd-security@FreeBSD.ORG Thu Apr 8 09:28:26 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1AE3316A4CE for ; Thu, 8 Apr 2004 09:28:26 -0700 (PDT) Received: from mailout06.sul.t-online.com (mailout06.sul.t-online.com [194.25.134.19]) by mx1.FreeBSD.org (Postfix) with ESMTP id 719E243D3F for ; Thu, 8 Apr 2004 09:28:25 -0700 (PDT) (envelope-from mike@reifenberger.com) Received: from fwd02.aul.t-online.de by mailout06.sul.t-online.com with smtp id 1BBcO7-0001dx-02; Thu, 08 Apr 2004 18:28:23 +0200 Received: from fw.reifenberger.com (VgiymvZEoemoS0AH9TmVV-7RgzC2uw2QMkhT5sKCJPuzNgcFXI1JQh@[217.232.226.77]) by fmrl02.sul.t-online.com with esmtp id 1BBcNr-1ysNyi0; Thu, 8 Apr 2004 18:28:07 +0200 Received: from localhost (mike@localhost)i38GS69r013484; Thu, 8 Apr 2004 18:28:06 +0200 (CEST) (envelope-from 
mike@reifenberger.com) X-Authentication-Warning: fw.reifenberger.com: mike owned process doing -bs Date: Thu, 8 Apr 2004 18:28:06 +0200 (CEST) From: Michael Reifenberger To: Mike Tancsa In-Reply-To: <36f9701cf4faf7fjh4uh5h9qer493is7d8@4ax.com> Message-ID: <20040408181337.R13165@fw.reifenberger.com> References: <20040407181403.70832a2c@bert.mlan.solnet.ch> <36f9701cf4faf7fjh4uh5h9qer493is7d8@4ax.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Seen: false X-ID: VgiymvZEoemoS0AH9TmVV-7RgzC2uw2QMkhT5sKCJPuzNgcFXI1JQh@t-dialin.net X-Mailman-Approved-At: Tue, 13 Apr 2004 03:42:13 -0700 cc: freebsd-security@freebsd.org cc: phk@phk.freebsd.dk Subject: Re: recommended SSL-friendly crypto accelerator X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Apr 2004 16:28:26 -0000 Hi, as is looks like, 'openssl aes-128-cbc' does use the HW-crypto, whereas aes-256-cbc doesn't: (fw)(root) ./hifnstats input 33061744 bytes 27580 packets output 33061744 bytes 27580 packets invalid 0 nomem 0 abort 0 noirq 0 unaligned 0 totbatch 0 maxbatch 0 nomem: map 0 load 0 mbuf 0 mcl 0 cr 0 sd 0 openssl aes-128-cbc -e -in /sys/i386/compile/fw/kernel.debug -out bla -k foo ./hifnstats (fw)(root) openssl aes-128-cbc -e -in /sys/i386/compile/fw/kernel.debug -out bla -k foo (fw)(root) ./hifnstats input 62496592 bytes 34770 packets output 62496592 bytes 34770 packets invalid 0 nomem 0 abort 0 noirq 0 unaligned 0 totbatch 0 maxbatch 0 nomem: map 0 load 0 mbuf 0 mcl 0 cr 0 sd 0 but: (fw)(root) ./hifnstats input 62509488 bytes 34937 packets output 62509488 bytes 34937 packets invalid 0 nomem 0 abort 0 noirq 0 unaligned 0 totbatch 0 maxbatch 0 nomem: map 0 load 0 mbuf 0 mcl 0 cr 0 sd 0 openssl aes-256-cbc -e -in /sys/i386/compile/fw/kernel.debug -out bla -k foo ./hifnstats (fw)(root) openssl aes-256-cbc -e 
-in /sys/i386/compile/fw/kernel.debug -out bla -k foo (fw)(root) ./hifnstats input 62510128 bytes 34947 packets output 62510128 bytes 34947 packets invalid 0 nomem 0 abort 0 noirq 0 unaligned 0 totbatch 0 maxbatch 0 nomem: map 0 load 0 mbuf 0 mcl 0 cr 0 sd 0 another indication is `iostat 1`: during openssl aes-128-cbc: tin tout KB/t tps MB/s KB/t tps MB/s KB/t tps MB/s us ni sy in id 1 79 124.69 29 3.50 0.00 0 0.00 0.00 0 0.00 7 0 25 8 60 0 230 126.58 78 9.67 0.00 0 0.00 0.00 0 0.00 2 0 26 5 68 0 77 128.00 105 13.12 0.00 0 0.00 0.00 0 0.00 5 0 47 8 41 0 88 62.74 27 1.64 0.00 0 0.00 0.00 0 0.00 22 0 22 2 55 during openssl aes-256-cbc: tin tout KB/t tps MB/s KB/t tps MB/s KB/t tps MB/s us ni sy in id 1 79 124.49 41 4.94 0.00 0 0.00 0.00 0 0.00 78 0 16 0 5 0 77 126.64 47 5.75 0.00 0 0.00 0.00 0 0.00 89 0 11 0 0 0 77 128.00 44 5.45 0.00 0 0.00 0.00 0 0.00 88 0 12 0 0 0 77 128.00 45 5.57 0.00 0 0.00 0.00 0 0.00 88 0 12 0 0 0 77 128.00 46 5.69 0.00 0 0.00 0.00 0 0.00 90 0 8 2 0 (it takes longer, is much less idle, and user much more usertime) Bye/2 --- Michael Reifenberger, Business Development Manager SAP-Basis, Plaut Consulting Comp: Michael.Reifenberger@plaut.de | Priv: Michael@Reifenberger.com http://www.plaut.de | http://www.Reifenberger.com From owner-freebsd-security@FreeBSD.ORG Tue Apr 13 11:19:52 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DECBA16A4CE for ; Tue, 13 Apr 2004 11:19:52 -0700 (PDT) Received: from bewilderbeast.blackhelicopters.org (bewilderbeast.blackhelicopters.org [198.22.63.43]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8119643D6D for ; Tue, 13 Apr 2004 11:19:51 -0700 (PDT) (envelope-from mwlucas@bewilderbeast.blackhelicopters.org) Received: from bewilderbeast.blackhelicopters.org (mwlucas@localhost [127.0.0.1])i3DIJlJQ064928; Tue, 13 Apr 2004 14:19:47 -0400 (EDT) (envelope-from 
mwlucas@bewilderbeast.blackhelicopters.org) Received: (from mwlucas@localhost)i3DIJhP6064927; Tue, 13 Apr 2004 14:19:43 -0400 (EDT) (envelope-from mwlucas) Date: Tue, 13 Apr 2004 14:19:43 -0400 From: "Michael W. Lucas" To: Poul-Henning Kamp Message-ID: <20040413181943.GA55219@bewilderbeast.blackhelicopters.org> References: <20040408144322.GA83448@bewilderbeast.blackhelicopters.org> <26486.1081437513@critter.freebsd.dk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <26486.1081437513@critter.freebsd.dk> User-Agent: Mutt/1.4.1i X-Spam-Score: (0) X-Scanned-By: MIMEDefang 2.39 cc: security@freebsd.org Subject: Re: recommended SSL-friendly crypto accelerator X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 13 Apr 2004 18:19:53 -0000 On Thu, Apr 08, 2004 at 05:18:33PM +0200, Poul-Henning Kamp wrote: > In message <20040408144322.GA83448@bewilderbeast.blackhelicopters.org>, "Michae > l W. Lucas" writes: > >On Thu, Apr 08, 2004 at 04:28:37PM +0200, Poul-Henning Kamp wrote: > >> >>Look at VPN14x1 from www.soekris.com, it's darn cheap too. > > > >Thanks, phk! > > > >For $79, it's cheap enough that I could put a whole stack of them in a > >machine. Can FreeBSD take advantage of multiple cards like that? > > I think so, but I am not sure the code currently does load-sharing > or just "try to find a card which can do this job" sharing. > > Maybe sam@ would know, you should probably ask him. OK, for the record I asked sam@. He says that the VPN1401 has issues for (at a minimum) symmetric crypto ops, but he hasn't had time to investigate and doesn't own a 1401, so... He also says that he considers the Broadcom 582x is the best accelerator available, except that it isn't available retail. :-( So, it looks like my choices are rapidly narrowing. 
It seems that the powercrypt cards are well-supported, perhaps I'll give them a call. ==ml -- Michael Lucas mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org "I'm sorry, but 'Social Darwinism' is no excuse for killing all of your co-workers." -- Ivan Brunetti http://www.BlackHelicopters.org/~mwlucas/ From owner-freebsd-security@FreeBSD.ORG Tue Apr 13 11:45:44 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4CB8416A4CE for ; Tue, 13 Apr 2004 11:45:44 -0700 (PDT) Received: from smtp3b.sentex.ca (smtp3b.sentex.ca [205.211.164.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0C2AE43D55 for ; Tue, 13 Apr 2004 11:45:44 -0700 (PDT) (envelope-from mike@sentex.net) Received: from avscan1.sentex.ca (avscan1.sentex.ca [199.212.134.11]) by smtp3b.sentex.ca (8.12.11/8.12.11) with ESMTP id i3DIjgTa026970; Tue, 13 Apr 2004 14:45:42 -0400 (EDT) (envelope-from mike@sentex.net) Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by avscan1.sentex.ca (8.12.10/8.12.10) with ESMTP id i3DIjc3x005542; Tue, 13 Apr 2004 14:45:38 -0400 (EDT) (envelope-from mike@sentex.net) Received: from simian.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.12.11/8.12.11) with ESMTP id i3DIjaSP011114; Tue, 13 Apr 2004 14:45:37 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <6.0.3.0.0.20040413144331.056fd350@209.112.4.2> X-Sender: mdtpop@209.112.4.2 (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 6.0.3.0 Date: Tue, 13 Apr 2004 14:46:52 -0400 To: "Michael W. 
Lucas" , Poul-Henning Kamp From: Mike Tancsa In-Reply-To: <20040413181943.GA55219@bewilderbeast.blackhelicopters.org> References: <20040408144322.GA83448@bewilderbeast.blackhelicopters.org> <26486.1081437513@critter.freebsd.dk> <20040413181943.GA55219@bewilderbeast.blackhelicopters.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: by amavisd-new cc: security@freebsd.org Subject: Re: recommended SSL-friendly crypto accelerator X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 13 Apr 2004 18:45:44 -0000 At 02:19 PM 13/04/2004, Michael W. Lucas wrote: >OK, for the record I asked sam@. He says that the VPN1401 has issues >for (at a minimum) symmetric crypto ops, but he hasn't had time to >investigate and doesn't own a 1401, so... > >So, it looks like my choices are rapidly narrowing. It seems that the >powercrypt cards are well-supported, perhaps I'll give them a call. I think the powercrypt is based on the same HiFn chip and uses the same driver, so it might be hit by the same bug that I am running into both on FreeBSD and OpenBSD. Then again, it could be some issue with openssl as to how it talks to the card. Still, there were reports by one ipsec user on OpenBSD that they had problems with the card and IPSEC. I would love to hear from any FreeBSD or OpenBSD user with the 1401 to see if they can reproduce this bug. 
---Mike From owner-freebsd-security@FreeBSD.ORG Tue Apr 13 11:52:50 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 51C8916A4CE for ; Tue, 13 Apr 2004 11:52:50 -0700 (PDT) Received: from smtp3b.sentex.ca (smtp3b.sentex.ca [205.211.164.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1102743D31 for ; Tue, 13 Apr 2004 11:52:50 -0700 (PDT) (envelope-from mike@sentex.net) Received: from avscan2.sentex.ca (avscan2.sentex.ca [199.212.134.19]) by smtp3b.sentex.ca (8.12.11/8.12.11) with ESMTP id i3DIqnCt028357 for ; Tue, 13 Apr 2004 14:52:49 -0400 (EDT) (envelope-from mike@sentex.net) Received: from localhost (localhost [127.0.0.1]) by avscan2.sentex.ca (Postfix) with ESMTP id 9877659C90 for ; Tue, 13 Apr 2004 14:52:49 -0400 (EDT) Received: from avscan2.sentex.ca ([127.0.0.1]) by localhost (avscan2.sentex.ca [127.0.0.1]) (amavisd-new, port 10024) with SMTP id 40846-12 for ; Tue, 13 Apr 2004 14:52:49 -0400 (EDT) Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by avscan2.sentex.ca (Postfix) with ESMTP id 813E859C8A for ; Tue, 13 Apr 2004 14:52:49 -0400 (EDT) Received: from simian.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.12.11/8.12.11) with ESMTP id i3DIqmAm011134 for ; Tue, 13 Apr 2004 14:52:48 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <6.0.3.0.0.20040413145345.07e0af70@209.112.4.2> X-Sender: mdtpop@209.112.4.2 (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 6.0.3.0 Date: Tue, 13 Apr 2004 14:53:57 -0400 To: freebsd-security@freebsd.org From: Mike Tancsa Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: by amavisd-new X-Virus-Scanned: by amavisd-new at (avscan2) sentex.ca Subject: Re: recommended SSL-friendly crypto accelerator X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues 
[members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 13 Apr 2004 18:52:50 -0000 At 02:19 PM 13/04/2004, Michael W. Lucas wrote: >OK, for the record I asked sam@. He says that the VPN1401 has issues >for (at a minimum) symmetric crypto ops, but he hasn't had time to >investigate and doesn't own a 1401, so... > >So, it looks like my choices are rapidly narrowing. It seems that the >powercrypt cards are well-supported, perhaps I'll give them a call. I think the powercrypt is based on the same HiFn chip and uses the same driver, so it might be hit by the same bug that I am running into both on FreeBSD and OpenBSD. Then again, it could be some issue with openssl as to how it talks to the card. Still, there were reports by one ipsec user on OpenBSD that they had problems with the card and IPSEC. I would love to hear from any FreeBSD or OpenBSD user with the 1401 to see if they can reproduce this bug. ---Mike From owner-freebsd-security@FreeBSD.ORG Wed Apr 14 02:35:00 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 293E916A4CF for ; Wed, 14 Apr 2004 02:35:00 -0700 (PDT) Received: from tx1.oucs.ox.ac.uk (tx1.oucs.ox.ac.uk [129.67.1.167]) by mx1.FreeBSD.org (Postfix) with ESMTP id EB0B943D2D for ; Wed, 14 Apr 2004 02:34:59 -0700 (PDT) (envelope-from colin.percival@wadham.ox.ac.uk) Received: from scan1.oucs.ox.ac.uk ([129.67.1.166] helo=localhost) by tx1.oucs.ox.ac.uk with esmtp (Exim 4.24) id 1BDgnK-0002CV-IC for freebsd-security@freebsd.org; Wed, 14 Apr 2004 10:34:58 +0100 Received: from rx1.oucs.ox.ac.uk ([129.67.1.165]) by localhost (scan1.oucs.ox.ac.uk [129.67.1.166]) (amavisd-new, port 25) with ESMTP id 08075-09 for ; Wed, 14 Apr 2004 10:34:58 +0100 (BST) Received: from gateway.wadham.ox.ac.uk ([163.1.161.253]) by rx1.oucs.ox.ac.uk with smtp (Exim 4.24) id 1BDgnK-0002CS-4p for 
freebsd-security@freebsd.org; Wed, 14 Apr 2004 10:34:58 +0100 Received: (qmail 5515 invoked by uid 1004); 14 Apr 2004 09:34:58 -0000 Received: from colin.percival@wadham.ox.ac.uk by gateway by uid 71 with qmail-scanner-1.20 (clamscan: 0.67. sweep: 2.18/3.79. Clear:RC:1(163.1.161.131):. Processed in 0.135248 secs); 14 Apr 2004 09:34:58 -0000 Received: from dhcp1131.wadham.ox.ac.uk (HELO piii600.wadham.ox.ac.uk) (163.1.161.131) by gateway.wadham.ox.ac.uk with SMTP; 14 Apr 2004 09:34:58 -0000 Message-Id: <6.0.1.1.1.20040414102727.03ad0008@imap.sfu.ca> X-Sender: cperciva@imap.sfu.ca (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 6.0.1.1 Date: Wed, 14 Apr 2004 10:34:55 +0100 To: freebsd-security@freebsd.org From: Colin Percival Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" cc: freebsd-ipfw@freebsd.org Subject: FYI re: "FreeBSD ECE flag ipfw protection bypass" X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 14 Apr 2004 09:35:00 -0000 Several people have noticed that SecuriTeam.com is reporting a "FreeBSD ECE flag ipfw protection bypass" exploit. In an effort to save time, let me say this publicly: SecuriTeam.com is three years out of date. This problem was fixed in FreeBSD 3.5-STABLE and 4.2-STABLE in January 2001, and reported in Security Advisory FreeBSD-SA-01:08. 
Colin Percival From owner-freebsd-security@FreeBSD.ORG Wed Apr 14 20:03:20 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C927D16A4CE for ; Wed, 14 Apr 2004 20:03:20 -0700 (PDT) Received: from phobos.osem.com (phobos.osem.com [66.92.67.14]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7997243D53 for ; Wed, 14 Apr 2004 20:03:20 -0700 (PDT) (envelope-from andy@lewman.com) Received: by phobos.osem.com (Postfix, from userid 1001) id EC26629D; Wed, 14 Apr 2004 23:03:19 -0400 (EDT) Date: Wed, 14 Apr 2004 23:03:19 -0400 From: andy@lewman.com To: security@freebsd.org Message-ID: <20040415030319.GA71038@phobos.osem.com> References: <20040408144322.GA83448@bewilderbeast.blackhelicopters.org> <26486.1081437513@critter.freebsd.dk> <20040413181943.GA55219@bewilderbeast.blackhelicopters.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20040413181943.GA55219@bewilderbeast.blackhelicopters.org> User-Agent: Mutt/1.4.2.1i X-phase_of_moon: The Moon is Waning Crescent (20% of Full) Subject: Re: recommended SSL-friendly crypto accelerator X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 15 Apr 2004 03:03:20 -0000 Ok, so what exactly needs to be done to get full hifn support working in 4.x/5.x? I seem to have lost the original train of thought here. -Andrew On Tue, Apr 13, 2004 at 02:19:43PM -0400, mwlucas@blackhelicopters.org wrote 1.5K bytes in 37 lines about: : On Thu, Apr 08, 2004 at 05:18:33PM +0200, Poul-Henning Kamp wrote: : > In message <20040408144322.GA83448@bewilderbeast.blackhelicopters.org>, "Michae : > l W. 
Lucas" writes: : > >On Thu, Apr 08, 2004 at 04:28:37PM +0200, Poul-Henning Kamp wrote: : > >> >>Look at VPN14x1 from www.soekris.com, it's darn cheap too. : > > : > >Thanks, phk! : > > : > >For $79, it's cheap enough that I could put a whole stack of them in a : > >machine. Can FreeBSD take advantage of multiple cards like that? : > : > I think so, but I am not sure the code currently does load-sharing : > or just "try to find a card which can do this job" sharing. : > : > Maybe sam@ would know, you should probably ask him. : : OK, for the record I asked sam@. He says that the VPN1401 has issues : for (at a minimum) symmetric crypto ops, but he hasn't had time to : investigate and doesn't own a 1401, so... : : He also says that he considers the Broadcom 582x is the best : accelerator available, except that it isn't available retail. :-( : : So, it looks like my choices are rapidly narrowing. It seems that the : powercrypt cards are well-supported, perhaps I'll give them a call. : : ==ml : : -- : Michael Lucas mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org : "I'm sorry, but 'Social Darwinism' is no excuse for killing all of : your co-workers." 
-- Ivan Brunetti : http://www.BlackHelicopters.org/~mwlucas/ : _______________________________________________ : freebsd-security@freebsd.org mailing list : http://lists.freebsd.org/mailman/listinfo/freebsd-security : To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" -- From owner-freebsd-security@FreeBSD.ORG Wed Apr 14 20:08:26 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E4F7E16A4CE for ; Wed, 14 Apr 2004 20:08:25 -0700 (PDT) Received: from smtp3.sentex.ca (smtp3.sentex.ca [64.7.153.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 742AE43D2F for ; Wed, 14 Apr 2004 20:08:25 -0700 (PDT) (envelope-from mike@sentex.net) Received: from avscan2.sentex.ca (avscan2.sentex.ca [199.212.134.19]) by smtp3.sentex.ca (8.12.11/8.12.10) with ESMTP id i3F38O23081873; Wed, 14 Apr 2004 23:08:24 -0400 (EDT) (envelope-from mike@sentex.net) Received: from localhost (localhost [127.0.0.1]) by avscan2.sentex.ca (Postfix) with ESMTP id D330C59C8B; Wed, 14 Apr 2004 23:08:24 -0400 (EDT) Received: from avscan2.sentex.ca ([127.0.0.1]) by localhost (avscan2.sentex.ca [127.0.0.1]) (amavisd-new, port 10024) with SMTP id 46816-10; Wed, 14 Apr 2004 23:08:24 -0400 (EDT) Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by avscan2.sentex.ca (Postfix) with ESMTP id 98F9559C89; Wed, 14 Apr 2004 23:08:24 -0400 (EDT) Received: from simian.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.12.11/8.12.11) with ESMTP id i3F38NsB016772; Wed, 14 Apr 2004 23:08:23 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <6.0.3.0.0.20040414230754.07d7cf18@209.112.4.2> X-Sender: mdtpop@209.112.4.2 (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 6.0.3.0 Date: Wed, 14 Apr 2004 23:10:02 -0400 To: andy@lewman.com, security@freebsd.org From: Mike Tancsa In-Reply-To: <20040415030319.GA71038@phobos.osem.com> References: 
<20040408144322.GA83448@bewilderbeast.blackhelicopters.org> <26486.1081437513@critter.freebsd.dk> <20040413181943.GA55219@bewilderbeast.blackhelicopters.org> <20040415030319.GA71038@phobos.osem.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: by amavisd-new X-Virus-Scanned: by amavisd-new at (avscan2) sentex.ca Subject: Re: recommended SSL-friendly crypto accelerator X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 15 Apr 2004 03:08:26 -0000 Someone with the time, knowledge and perhaps funding to fix it. It would be nice too if someone with a Soekris 1401 or 7556 based card on FreeBSD or OpenBSD could duplicate my results just to confirm its not a bad batch of 3 cards that I have ---Mike At 11:03 PM 14/04/2004, andy@lewman.com wrote: >Ok, so what exactly needs to be done to get full hifn support working in >4.x/5.x? > >I seem to have lost the original train of thought here. > >-Andrew > >On Tue, Apr 13, 2004 at 02:19:43PM -0400, mwlucas@blackhelicopters.org >wrote 1.5K bytes in 37 lines about: >: On Thu, Apr 08, 2004 at 05:18:33PM +0200, Poul-Henning Kamp wrote: >: > In message ><20040408144322.GA83448@bewilderbeast.blackhelicopters.org>, "Michae >: > l W. Lucas" writes: >: > >On Thu, Apr 08, 2004 at 04:28:37PM +0200, Poul-Henning Kamp wrote: >: > >> >>Look at VPN14x1 from www.soekris.com, it's darn cheap too. >: > > >: > >Thanks, phk! >: > > >: > >For $79, it's cheap enough that I could put a whole stack of them in a >: > >machine. Can FreeBSD take advantage of multiple cards like that? >: > >: > I think so, but I am not sure the code currently does load-sharing >: > or just "try to find a card which can do this job" sharing. >: > >: > Maybe sam@ would know, you should probably ask him. >: >: OK, for the record I asked sam@. 
He says that the VPN1401 has issues >: for (at a minimum) symmetric crypto ops, but he hasn't had time to >: investigate and doesn't own a 1401, so... >: >: He also says that he considers the Broadcom 582x is the best >: accelerator available, except that it isn't available retail. :-( >: >: So, it looks like my choices are rapidly narrowing. It seems that the >: powercrypt cards are well-supported, perhaps I'll give them a call. >: >: ==ml >: >: -- >: Michael Lucas mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org >: "I'm sorry, but 'Social Darwinism' is no excuse for killing all of >: your co-workers." -- Ivan Brunetti >: http://www.BlackHelicopters.org/~mwlucas/ >: _______________________________________________ >: freebsd-security@freebsd.org mailing list >: http://lists.freebsd.org/mailman/listinfo/freebsd-security >: To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > >-- >_______________________________________________ >freebsd-security@freebsd.org mailing list >http://lists.freebsd.org/mailman/listinfo/freebsd-security >To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" From owner-freebsd-security@FreeBSD.ORG Thu Apr 15 07:51:51 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 25EC616A4CE for ; Thu, 15 Apr 2004 07:51:51 -0700 (PDT) Received: from phobos.osem.com (phobos.osem.com [66.92.67.14]) by mx1.FreeBSD.org (Postfix) with ESMTP id 92E4343D54 for ; Thu, 15 Apr 2004 07:51:50 -0700 (PDT) (envelope-from andy@lewman.com) Received: by phobos.osem.com (Postfix, from userid 1001) id 9F2F429F; Thu, 15 Apr 2004 10:51:48 -0400 (EDT) Date: Thu, 15 Apr 2004 10:51:48 -0400 From: andy@lewman.com To: Mike Tancsa Message-ID: <20040415145148.GA99338@phobos.osem.com> References: <20040408144322.GA83448@bewilderbeast.blackhelicopters.org> <26486.1081437513@critter.freebsd.dk> 
<20040413181943.GA55219@bewilderbeast.blackhelicopters.org> <20040415030319.GA71038@phobos.osem.com> <6.0.3.0.0.20040414230754.07d7cf18@209.112.4.2> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <6.0.3.0.0.20040414230754.07d7cf18@209.112.4.2> User-Agent: Mutt/1.4.2.1i X-phase_of_moon: The Moon is Waning Crescent (16% of Full) cc: security@freebsd.org Subject: Re: recommended SSL-friendly crypto accelerator X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 15 Apr 2004 14:51:51 -0000 Well, I have the vpn1411, 7955 based card. It appears to be recognized, and appears to do certain things with apache2-ssl, system openssh. hifnstats shows decent amounts of traffic through it (at least interrupts) however cryptokeytest doesn't work due to an unsupport call apparently. Here's my hifnstats: input 476104224 bytes 1527365 packets output 476104224 bytes 1527365 packets invalid 0 nomem 0 abort 0 noirq 0 unaligned 0 totbatch 0 maxbatch 0 nomem: map 0 load 0 mbuf 0 mcl 0 cr 0 sd 0 Since I can't run any test utils through the card, I can only assume this is from actual code running on the card. I'm running freebsd 4.9-stable. -Andrew On Wed, Apr 14, 2004 at 11:10:02PM -0400, mike@sentex.net wrote 2.5K bytes in 62 lines about: : : Someone with the time, knowledge and perhaps funding to fix it. It would be : nice too if someone with a Soekris 1401 or 7556 based card on FreeBSD or : OpenBSD could duplicate my results just to confirm its not a bad batch of 3 : cards that I have : : ---Mike : : At 11:03 PM 14/04/2004, andy@lewman.com wrote: : >Ok, so what exactly needs to be done to get full hifn support working in : >4.x/5.x? : > : >I seem to have lost the original train of thought here. 
: > : >-Andrew : > : >On Tue, Apr 13, 2004 at 02:19:43PM -0400, mwlucas@blackhelicopters.org : >wrote 1.5K bytes in 37 lines about: : >: On Thu, Apr 08, 2004 at 05:18:33PM +0200, Poul-Henning Kamp wrote: : >: > In message : ><20040408144322.GA83448@bewilderbeast.blackhelicopters.org>, "Michae : >: > l W. Lucas" writes: : >: > >On Thu, Apr 08, 2004 at 04:28:37PM +0200, Poul-Henning Kamp wrote: : >: > >> >>Look at VPN14x1 from www.soekris.com, it's darn cheap too. : >: > > : >: > >Thanks, phk! : >: > > : >: > >For $79, it's cheap enough that I could put a whole stack of them in a : >: > >machine. Can FreeBSD take advantage of multiple cards like that? : >: > : >: > I think so, but I am not sure the code currently does load-sharing : >: > or just "try to find a card which can do this job" sharing. : >: > : >: > Maybe sam@ would know, you should probably ask him. : >: : >: OK, for the record I asked sam@. He says that the VPN1401 has issues : >: for (at a minimum) symmetric crypto ops, but he hasn't had time to : >: investigate and doesn't own a 1401, so... : >: : >: He also says that he considers the Broadcom 582x is the best : >: accelerator available, except that it isn't available retail. :-( : >: : >: So, it looks like my choices are rapidly narrowing. It seems that the : >: powercrypt cards are well-supported, perhaps I'll give them a call. : >: : >: ==ml : >: : >: -- : >: Michael Lucas mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org : >: "I'm sorry, but 'Social Darwinism' is no excuse for killing all of : >: your co-workers." 
: >:   -- Ivan Brunetti
: >: http://www.BlackHelicopters.org/~mwlucas/
: >: _______________________________________________
: >: freebsd-security@freebsd.org mailing list
: >: http://lists.freebsd.org/mailman/listinfo/freebsd-security
: >: To unsubscribe, send any mail to
: >"freebsd-security-unsubscribe@freebsd.org"
: >
: >--

--

From owner-freebsd-security@FreeBSD.ORG Thu Apr 15 08:34:56 2004
Message-Id: <6.0.3.0.0.20040415105459.0477f488@209.112.4.2>
Date: Thu, 15 Apr 2004 11:05:30 -0400
To: andy@lewman.com
From: Mike Tancsa
In-Reply-To: <20040415145148.GA99338@phobos.osem.com>
cc: freebsd-security@freebsd.org
Subject: Re: recommended SSL-friendly crypto accelerator

At 10:51 AM 15/04/2004, andy@lewman.com wrote:
>hifnstats shows decent amounts of traffic through it (at least
>interrupts) however cryptokeytest doesn't work due to an unsupported call
>apparently.
>
>Here's my hifnstats:
>
>input 476104224 bytes 1527365 packets
>output 476104224 bytes 1527365 packets

But is that your ssh session that is being accelerated? To test, login via
the console, or login using blowfish as the cipher. Then run hifnstats and
make sure that the packet counters are not incrementing. Then do your https
test.
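An added example (not code from the thread) that automates the check Mike describes: it parses two hifnstats samples and reports whether the card's packet counters moved between them, and parses cryptostats to flag that every key op errored. The embedded samples are the numbers Andrew posted in this thread, laid out one counter per line; the function names are assumptions.

```python
"""Apply Mike Tancsa's hifnstats test from the thread: sample the counters
while only an idle session is open, sample again during the https test, and
see in which case the card's packet counters actually grow. Added example,
not the thread's code; sample text is Andrew's posted output re-laid out."""
import re

_HIFN_RE = re.compile(
    r"^\s*(input|output)\s+(\d+)\s+bytes\s+(\d+)\s+packets", re.MULTILINE)
_CRYPTO_RE = re.compile(
    r"(\d+)\s+(symmetric crypto|key) ops\s+"
    r"\((\d+) errors,\s+(\d+) times driver blocked\)")

# Two hifnstats samples with apache stopped and one ssh session open.
SSH_BEFORE = """\
input 485139168 bytes 1563934 packets
output 485139168 bytes 1563934 packets
invalid 0 nomem 0 abort 0
noirq 0 unaligned 0
totbatch 0 maxbatch 0
nomem: map 0 load 0 mbuf 0 mcl 0 cr 0 sd 0
"""
SSH_AFTER = """\
input 485141328 bytes 1563962 packets
output 485141328 bytes 1563962 packets
invalid 0 nomem 0 abort 0
noirq 0 unaligned 0
totbatch 0 maxbatch 0
nomem: map 0 load 0 mbuf 0 mcl 0 cr 0 sd 0
"""
# Two samples with ssh idle and apache2 serving an https site.
HTTPS_BEFORE = "input 485226224 bytes 1565175 packets\noutput 485226224 bytes 1565175 packets\n"
HTTPS_AFTER = "input 485232512 bytes 1565205 packets\noutput 485232512 bytes 1565205 packets\n"
CRYPTOSTATS = """\
1565690 symmetric crypto ops (0 errors, 0 times driver blocked)
5 key ops (5 errors, 0 times driver blocked)
0 crypto dispatch thread activations
5 crypto return thread activations
"""


def parse_hifnstats(text):
    """Return {'input': (bytes, packets), 'output': (bytes, packets)}."""
    found = {m.group(1): (int(m.group(2)), int(m.group(3)))
             for m in _HIFN_RE.finditer(text)}
    missing = {"input", "output"} - found.keys()
    if missing:
        raise ValueError(f"hifnstats output lacks counters: {sorted(missing)}")
    return found


def counter_delta(before, after):
    """Per-direction (bytes, packets) growth between two parsed samples.
    A counter that wrapped or was reset shows as negative and is rejected."""
    delta = {}
    for direction in ("input", "output"):
        b, a = before[direction], after[direction]
        d = (a[0] - b[0], a[1] - b[1])
        if d[0] < 0 or d[1] < 0:
            raise ValueError(f"{direction} counter went backwards: {b} -> {a}")
        delta[direction] = d
    return delta


def card_used(before_text, after_text):
    """True if the card's packet counters moved between the two samples."""
    d = counter_delta(parse_hifnstats(before_text), parse_hifnstats(after_text))
    return any(packets > 0 for _, packets in d.values())


def parse_cryptostats(text):
    """Return {'symmetric': {...}, 'key': {...}} with ops/errors/blocked."""
    out = {}
    for ops, kind, errors, blocked in _CRYPTO_RE.findall(text):
        name = "symmetric" if kind.startswith("symmetric") else "key"
        out[name] = {"ops": int(ops), "errors": int(errors), "blocked": int(blocked)}
    return out


def key_ops_failing(text):
    """True when every public-key op handed to the framework errored, which
    is what a cryptokeytest that refuses to run looks like in cryptostats."""
    key = parse_cryptostats(text).get("key", {"ops": 0, "errors": 0})
    return key["ops"] > 0 and key["errors"] == key["ops"]


if __name__ == "__main__":
    for label, b, a in (("ssh only", SSH_BEFORE, SSH_AFTER),
                        ("https only", HTTPS_BEFORE, HTTPS_AFTER)):
        print(label, counter_delta(parse_hifnstats(b), parse_hifnstats(a)),
              "card used" if card_used(b, a) else "card idle")
    print("key ops failing:", key_ops_failing(CRYPTOSTATS))
```

Both of Andrew's sample pairs show the counters moving, which is why Mike asks for a baseline taken with a session the card is not handling.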
---Mike

From owner-freebsd-security@FreeBSD.ORG Thu Apr 15 09:11:55 2004
Date: Thu, 15 Apr 2004 11:11:54 -0500
From: "Jacques A. Vidrine"
To: security@FreeBSD.org
Message-ID: <20040415161154.GA1344@madman.celabo.org>
Subject: Testing redirection of security@FreeBSD.org

postmaster@ reports that is now an alias for the secteam list.
--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org

From owner-freebsd-security@FreeBSD.ORG Thu Apr 15 11:03:21 2004
Date: Thu, 15 Apr 2004 14:03:17 -0400
From: andy@lewman.com
To: Mike Tancsa
Message-ID: <20040415180317.GA2357@phobos.osem.com>
In-Reply-To: <6.0.3.0.0.20040415105459.0477f488@209.112.4.2>
cc: freebsd-security@freebsd.org
Subject: Re: recommended SSL-friendly crypto accelerator

Yes, it appears to be both ssh and apache w/ssl.
Here's ssh alone, from console, with single session login with rsa key:

phobos# apachectl stop
phobos# ./hifnstats
input 485139168 bytes 1563934 packets
output 485139168 bytes 1563934 packets
invalid 0 nomem 0 abort 0
noirq 0 unaligned 0
totbatch 0 maxbatch 0
nomem: map 0 load 0 mbuf 0 mcl 0 cr 0 sd 0

phobos# ./hifnstats
input 485141328 bytes 1563962 packets
output 485141328 bytes 1563962 packets
invalid 0 nomem 0 abort 0
noirq 0 unaligned 0
totbatch 0 maxbatch 0
nomem: map 0 load 0 mbuf 0 mcl 0 cr 0 sd 0

with ssh stopped, apache2 w/ssl hitting an ssl enabled site on the server:

phobos# ./hifnstats
input 485226224 bytes 1565175 packets
output 485226224 bytes 1565175 packets
invalid 0 nomem 0 abort 0
noirq 0 unaligned 0
totbatch 0 maxbatch 0
nomem: map 0 load 0 mbuf 0 mcl 0 cr 0 sd 0

phobos# ./hifnstats
input 485232512 bytes 1565205 packets
output 485232512 bytes 1565205 packets
invalid 0 nomem 0 abort 0
noirq 0 unaligned 0
totbatch 0 maxbatch 0
nomem: map 0 load 0 mbuf 0 mcl 0 cr 0 sd 0

And for the heck of it, here's my crypto stats, but this doesn't mean it's
going through the card; if I'm understanding it correctly.

./cryptostats
1565690 symmetric crypto ops (0 errors, 0 times driver blocked)
5 key ops (5 errors, 0 times driver blocked)
0 crypto dispatch thread activations
5 crypto return thread activations

On Thu, Apr 15, 2004 at 11:05:30AM -0400, mike@sentex.net wrote 0.5K bytes in 16 lines about:
: At 10:51 AM 15/04/2004, andy@lewman.com wrote:
: >hifnstats shows decent amounts of traffic through it (at least
: >interrupts) however cryptokeytest doesn't work due to an unsupported call
: >apparently.
: >
: >Here's my hifnstats:
: >
: >input 476104224 bytes 1527365 packets
: >output 476104224 bytes 1527365 packets
:
: But is that your ssh session that is being accelerated? To test, login
: via the console, or login using blowfish as the cipher. Then run hifnstats
: and make sure that the packet counters are not incrementing. Then do your
: https test.
:
: ---Mike

--

From owner-freebsd-security@FreeBSD.ORG Thu Apr 15 11:05:19 2004
Date: Thu, 15 Apr 2004 14:05:18 -0400
From: andy@lewman.com
To: Mike Tancsa
Message-ID: <20040415180518.GA46433@phobos.osem.com>
In-Reply-To: <20040415180317.GA2357@phobos.osem.com>
cc: freebsd-security@freebsd.org
Subject: Re: recommended SSL-friendly crypto accelerator

Of course, after I send this, I realize I'm using aes-128 on the ssh side.
Sorry, I can't reconfig the sshd right now, but will try later on tonight.

-Andrew

On Thu, Apr 15, 2004 at 02:03:17PM -0400, andy@lewman.com wrote 2.3K bytes in 76 lines about:
: Yes, it appears to be both ssh and apache w/ssl.
:
: Here's ssh alone, from console, with single session login with rsa key:
:
: phobos# apachectl stop
: phobos# ./hifnstats
: input 485139168 bytes 1563934 packets
: output 485139168 bytes 1563934 packets
: invalid 0 nomem 0 abort 0
: noirq 0 unaligned 0
: totbatch 0 maxbatch 0
: nomem: map 0 load 0 mbuf 0 mcl 0 cr 0 sd 0
:
: phobos# ./hifnstats
: input 485141328 bytes 1563962 packets
: output 485141328 bytes 1563962 packets
: invalid 0 nomem 0 abort 0
: noirq 0 unaligned 0
: totbatch 0 maxbatch 0
: nomem: map 0 load 0 mbuf 0 mcl 0 cr 0 sd 0
:
: with ssh stopped, apache2 w/ssl hitting an ssl enabled site on the
: server:
:
: phobos# ./hifnstats
: input 485226224 bytes 1565175 packets
: output 485226224 bytes 1565175 packets
: invalid 0 nomem 0 abort 0
: noirq 0 unaligned 0
: totbatch 0 maxbatch 0
: nomem: map 0 load 0 mbuf 0 mcl 0 cr 0 sd 0
:
: phobos# ./hifnstats
: input 485232512 bytes 1565205 packets
: output 485232512 bytes 1565205 packets
: invalid 0 nomem 0 abort 0
: noirq 0 unaligned 0
: totbatch 0 maxbatch 0
: nomem: map 0 load 0 mbuf 0 mcl 0 cr 0 sd 0
:
: And for the heck of it, here's my crypto stats, but this doesn't mean
: it's going through the card; if I'm understanding it correctly.
:
: ./cryptostats
: 1565690 symmetric crypto ops (0 errors, 0 times driver blocked)
: 5 key ops (5 errors, 0 times driver blocked)
: 0 crypto dispatch thread activations
: 5 crypto return thread activations
:
: On Thu, Apr 15, 2004 at 11:05:30AM -0400, mike@sentex.net wrote 0.5K bytes in 16 lines about:
: : At 10:51 AM 15/04/2004, andy@lewman.com wrote:
: : >hifnstats shows decent amounts of traffic through it (at least
: : >interrupts) however cryptokeytest doesn't work due to an unsupported call
: : >apparently.
: : >
: : >Here's my hifnstats:
: : >
: : >input 476104224 bytes 1527365 packets
: : >output 476104224 bytes 1527365 packets
: :
: : But is that your ssh session that is being accelerated? To test, login
: : via the console, or login using blowfish as the cipher. Then run hifnstats
: : and make sure that the packet counters are not incrementing. Then do your
: : https test.
: :
: : ---Mike
:
: --

--

From owner-freebsd-security@FreeBSD.ORG Thu Apr 15 12:14:14 2004
Date: Thu, 15 Apr 2004 12:14:14 -0700 (PDT)
Message-Id: <200404151914.i3FJEEU1004440@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: security-advisories@freebsd.org
Subject: FreeBSD Security Advisory FreeBSD-SA-04:07.cvs

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-04:07.cvs                                        Security Advisory
                                                          The FreeBSD Project

Topic:          CVS path validation errors

Category:       contrib
Module:         contrib_cvs
Announced:      2004-04-15
Credits:        Sebastian Krahmer
                Derek Robert Price
Affects:        All FreeBSD versions prior to 4.10-RELEASE
Corrected:      2004-04-15 15:35:26 UTC (RELENG_4, 4.10-BETA)
                2004-04-15 15:42:50 UTC (RELENG_5_2, 5.2.1-RELEASE-p5)
                2004-04-15 15:59:05 UTC (RELENG_4_9, 4.9-RELEASE-p18)
                2004-04-15 15:59:54 UTC (RELENG_4_8, 4.8-RELEASE-p5)
CVE Name:       CAN-2004-0180
FreeBSD only:   NO

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The Concurrent Versions System (CVS) is a version control system. It
may be used to access a repository locally, or to access a `remote
repository' using a number of different methods. When accessing a
remote repository, the target machine runs the CVS server to fulfill
client requests.

II.  Problem Description

Two programming errors were discovered in which path names handled by
CVS were not properly validated. In one case, the CVS client accepts
absolute path names from the server when determining which files to
update. In another case, the CVS server accepts relative path names
from the client when determining which files to transmit, including
those containing references to parent directories (`../').

III. Impact

These programming errors generally only have a security impact when
dealing with remote CVS repositories.

A malicious CVS server may cause a CVS client to overwrite arbitrary
files on the client's system.

A CVS client may request RCS files from a remote system other than
those in the repository specified by $CVSROOT. These RCS files need
not be part of any CVS repository themselves.

IV.  Workaround

Disable remote CVS repository operations.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE; or to the RELENG_5_2,
RELENG_4_9, or RELENG_4_8 security branch dated after the correction
date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.8, 4.9,
5.1, and 5.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:07/cvs.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:07/cvs.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/gnu/usr.bin/cvs
# make obj && make depend && make && make install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/contrib/cvs/src/client.c                                     1.2.2.7
  src/contrib/cvs/src/modules.c                                1.1.1.5.2.4
RELENG_5_2
  src/UPDATING                                                  1.282.2.13
  src/sys/conf/newvers.sh                                        1.56.2.12
  src/contrib/cvs/src/client.c                                    1.10.4.1
  src/contrib/cvs/src/modules.c                                1.1.1.8.6.2
RELENG_4_9
  src/UPDATING                                               1.73.2.89.2.6
  src/sys/conf/newvers.sh                                    1.44.2.32.2.6
  src/contrib/cvs/src/client.c                                 1.2.2.6.4.1
  src/contrib/cvs/src/modules.c                            1.1.1.5.2.3.4.1
RELENG_4_8
  src/UPDATING                                              1.73.2.80.2.21
  src/sys/conf/newvers.sh                                   1.44.2.29.2.19
  src/contrib/cvs/src/client.c                                 1.2.2.6.2.1
  src/contrib/cvs/src/modules.c                            1.1.1.5.2.3.2.1
- -------------------------------------------------------------------------

VII. References

http://ccvs.cvshome.org/servlets/NewsItemView?newsID=102

From owner-freebsd-security@FreeBSD.ORG Thu Apr 15 13:31:58 2004
Message-ID: <20040415203157.44002.qmail@web60708.mail.yahoo.com>
Date: Thu, 15 Apr 2004 13:31:57 -0700 (PDT)
From: Stephen Gill
To: freebsd-security@freebsd.org
Subject: Policy routing with IPFW

Hi There,

I've been having an issue trying to figure out a way to policy route
outbound packets from a multihomed machine through the proper interface
using IPFW to no avail. I've tried several different incantations of IPFW
fwd/forward statements, and none of them seem to do the trick.

Basically, I have a host that has multiple Internet connections. This host
is running FreeBSD 4.9 with the proper Kernel mods in place. I have a
single default route.
I would like to add rules to my ipfw firewall policy that would do the
following:

- All traffic sourced from Interface 1 (dc0) should go out gateway 1
- All traffic sourced from Interface 2 (dc1) should go out gateway 2
- All traffic destined to Interface 1 (dc0) should return out gateway 1
- All traffic destined to Interface 2 (dc1) should return out gateway 2

Gateway 1 is on dc0 and Gateway 2 is on dc1. I think you get the picture.

Is this type of thing possible with IPFW? If not, is there any other
module that would allow me to do this? I don't care how ugly it gets,
just so long as it works.

Thanks in advance,
-- steve

__________________________________
Do you Yahoo!?
Yahoo! Tax Center - File online by April 15th
http://taxes.yahoo.com/filing.html

From owner-freebsd-security@FreeBSD.ORG Thu Apr 15 14:22:42 2004
Date: Thu, 15 Apr 2004 15:22:41 -0600
From: "David G. Andersen"
To: Stephen Gill
Message-ID: <20040415152241.A26751@cs.utah.edu>
In-Reply-To: <20040415203157.44002.qmail@web60708.mail.yahoo.com>; from gillsr@yahoo.com on Thu, Apr 15, 2004 at 01:31:57PM -0700
cc: freebsd-security@freebsd.org
Subject: Re: Policy routing with IPFW

Stephen Gill just mooed:
> following:
>
> - All traffic sourced from Interface 1 (dc0) should go out gateway 1
> - All traffic sourced from Interface 2 (dc1) should go out gateway 2
> - All traffic destined to Interface 1 (dc0) should return out gateway 1
> - All traffic destined to Interface 2 (dc1) should return out gateway 2
>
> Gateway 1 is on dc0 and Gateway 2 is on dc1. I think you get the
> picture.
>
> Is this type of thing possible with IPFW? If not, is there any other
> module that would allow me to do this? I don't care how ugly it gets,
> just so long as it works.

sure.

options IPFIREWALL
options IPFIREWALL_FORWARD

As an example from a running system:

00100 allow ip from any to any via lo0
00500 allow ip from IP1 to IP1/IP1-netmask
00501 fwd IP1-GW ip from IP1 to any
00600 allow ip from IP2 to IP2/IP2-netmask
00601 fwd IP2-GW ip from IP2 to any

(where IP1-GW and IP2-GW are the next-hop routers for each interface,
obviously). Works like a charm - I've got it running on quite a few
machines. The only downside to it sometimes is that you have to write
some script wrappers around things to get dynamic updates (e.g., ppp
linkup scripts or dhcpd.conf running external scripts on route changes).
-Dave

--
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/
      I do not accept unsolicited commercial email.  Do not spam me.

From owner-freebsd-security@FreeBSD.ORG Thu Apr 15 15:39:47 2004
Message-ID: <20040415223945.40958.qmail@web60707.mail.yahoo.com>
Date: Thu, 15 Apr 2004 15:39:45 -0700 (PDT)
From: Stephen Gill
To: freebsd-security@freebsd.org
Subject: RE: Policy routing with IPFW

Hi David,

Well, that might be a half a step closer... I just tried this
combination with a 50% success rate :). Inbound connections work quite
well, but connections originating from the box itself do not work. Any
ideas as to how to make this rulebase work with policy routing for
outbound connections as well?

I think it is interfering with the dynamic rules. ICMP appears to work,
but that is all. I would like to still use the dynamic capabilities of
stateful filtering if possible.

Here's the sample rulebase script:

[ ... ]

fwcmd="/sbin/ipfw -q"

# Shell variable names cannot contain '-' (and ${IP1-GW} is the sh
# "default value" expansion of IP1, not a variable named IP1-GW), so the
# gateway/network names are spelled with underscores here.
IP1="10.0.0.2"
IP1_GW="10.0.0.1"
IP2="10.1.0.2"
IP2_GW="10.0.0.1"
IP1_NET="10.0.0.0/24"
IP2_NET="10.1.0.0/24"

# Reset all rules in case script run multiple times
${fwcmd} -f flush

# Allow all via loopback to loopback
${fwcmd} add 50 allow all from any to any via lo0

# POLICY ROUTING
${fwcmd} add 095 allow ip from ${IP1} to ${IP1_NET}
${fwcmd} add 100 fwd ${IP1_GW} ip from ${IP1} to any
${fwcmd} add 110 allow ip from ${IP2} to ${IP2_NET}
# the original read ${IP2-FW}, a typo for the gateway variable
${fwcmd} add 115 fwd ${IP2_GW} ip from ${IP2} to any

# POLICIES
${fwcmd} add 200 check-state

# Allow from me to anywhere
${fwcmd} add 240 allow tcp from me to any setup keep-state
${fwcmd} add 260 allow udp from me to any keep-state
${fwcmd} add 280 allow icmp from me to any

# Allow INCOMING DNS
${fwcmd} add 310 allow log udp from any to me 53 in keep-state

# Allow INCOMING SSH from mynetwork
${fwcmd} add 320 allow log tcp from ${IP1_NET} to me 22 in setup keep-state

# Disable icmp other than the "safe" subset
${fwcmd} add 370 allow icmp from any to any icmptype 0,3,8,11

# Block all other traffic and log in
${fwcmd} add 65534 deny log logamount 0 all from any to any

[ ... ]

-- steve

-----Original Message-----
From: David G. Andersen [mailto:danderse@cs.utah.edu]
Sent: Thursday, April 15, 2004 4:23 PM
To: Stephen Gill
Cc: freebsd-security@freebsd.org
Subject: Re: Policy routing with IPFW

Stephen Gill just mooed:
> following:
>
> - All traffic sourced from Interface 1 (dc0) should go out gateway 1
> - All traffic sourced from Interface 2 (dc1) should go out gateway 2
> - All traffic destined to Interface 1 (dc0) should return out gateway 1
> - All traffic destined to Interface 2 (dc1) should return out gateway 2
>
> Gateway 1 is on dc0 and Gateway 2 is on dc1. I think you get the
> picture.
>
> Is this type of thing possible with IPFW? If not, is there any other
> module that would allow me to do this? I don't care how ugly it gets,
> just so long as it works.

sure.
options IPFIREWALL
options IPFIREWALL_FORWARD

As an example from a running system:

00100 allow ip from any to any via lo0
00500 allow ip from IP1 to IP1/IP1-netmask
00501 fwd IP1-GW ip from IP1 to any
00600 allow ip from IP2 to IP2/IP2-netmask
00601 fwd IP2-GW ip from IP2 to any

(where IP1-GW and IP2-GW are the next-hop routers for each interface,
obviously). Works like a charm - I've got it running on quite a few
machines. The only downside to it sometimes is that you have to write
some script wrappers around things to get dynamic updates (e.g., ppp
linkup scripts or dhcpd.conf running external scripts on route changes).

-Dave

--
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/
      I do not accept unsolicited commercial email.  Do not spam me.

From owner-freebsd-security@FreeBSD.ORG Fri Apr 16 09:32:43 2004
Date: Fri, 16 Apr 2004 11:32:42 -0500
From: "Jacques A. Vidrine"
To: freebsd-security@FreeBSD.org
Message-ID: <20040416163241.GA49780@madman.celabo.org>
In-Reply-To: <20040407154220.GA5651@madman.celabo.org>
Subject: HEADS UP Re: Changing `security@freebsd.org' alias

Hello again,

The change discussed earlier has been made. Email to now reaches the
security team rather than any public list.

If you find any references to as a public list, please let me know. It
appears that there were none on the web site or handbook or FAQ, but
there could be some I missed.

Cheers,
--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org

On Wed, Apr 07, 2004 at 10:42:20AM -0500, Jacques A. Vidrine wrote:
> Hello Folks,
>
> The official email address for this list is
> `freebsd-security@freebsd.org'. Due to convention, there is an email
> alias for this list: security@freebsd.org, just as there is for
> hackers@ & freebsd-hackers@, arch@ & freebsd-arch@, and so on.
>
> The security@freebsd.org alias has been the source of occasional
> problems. Several times in the past, postings have been made to that
> address under the assumption that address was directed to security
> response personnel, and not a public mailing list. Of course, this
> was a reasonable assumption. Practically every vendor in the universe
> uses security@ for that purpose, largely because RFC 2142 strongly
> recommends it for that purpose.
>
> And sometimes one just makes a typo. It has not been
> too uncommon for people to forget the `-officer' part of
> `security-officer@freebsd.org'. (Yours truly has been guilty of
> this.)
> > Mistaken early disclosure of a vulnerability can have consequences > from the merely embarrasing to catastrophic. Therefore, I am > proposing that `security@freebsd.org' be re-routed to the Security > Officer. > > I imagine this will have some significant impact: there must be > many references to security@freebsd.org as a public list out there. > So, I thought I'd air the issue here before sending any request to > postmaster@. > > Cheers, > -- > Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > From owner-freebsd-security@FreeBSD.ORG Fri Apr 16 13:30:19 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E72E016A4CE for ; Fri, 16 Apr 2004 13:30:19 -0700 (PDT) Received: from sccrmhc12.comcast.net (sccrmhc12.comcast.net [204.127.202.56]) by mx1.FreeBSD.org (Postfix) with ESMTP id 98A3643D48 for ; Fri, 16 Apr 2004 13:30:19 -0700 (PDT) (envelope-from cristjc@comcast.net) Received: from blossom.cjclark.org (c-24-6-187-112.client.comcast.net[24.6.187.112]) by comcast.net (sccrmhc12) with ESMTP id <20040416203016012001dvv3e>; Fri, 16 Apr 2004 20:30:16 +0000 Received: from blossom.cjclark.org (localhost. [127.0.0.1]) by blossom.cjclark.org (8.12.9p2/8.12.8) with ESMTP id i3GKUebM009847; Fri, 16 Apr 2004 13:30:41 -0700 (PDT) (envelope-from cristjc@comcast.net) Received: (from cjc@localhost) by blossom.cjclark.org (8.12.9p2/8.12.9/Submit) id i3GKUe6D009846; Fri, 16 Apr 2004 13:30:40 -0700 (PDT) (envelope-from cristjc@comcast.net) X-Authentication-Warning: blossom.cjclark.org: cjc set sender to cristjc@comcast.net using -f Date: Fri, 16 Apr 2004 13:30:40 -0700 From: "Crist J. 
Clark" To: Stephen Gill Message-ID: <20040416203040.GA9729@blossom.cjclark.org> References: <20040415223945.40958.qmail@web60707.mail.yahoo.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20040415223945.40958.qmail@web60707.mail.yahoo.com> User-Agent: Mutt/1.4.2.1i X-URL: http://people.freebsd.org/~cjc/ cc: freebsd-security@freebsd.org Subject: Re: Policy routing with IPFW X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: "Crist J. Clark" List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 16 Apr 2004 20:30:20 -0000

On Thu, Apr 15, 2004 at 03:39:45PM -0700, Stephen Gill wrote:
> Hi David,
>
> Well, that might be a half a step closer... I just tried this
> combination with a 50% success rate :). Inbound connections work quite
> well, but connections originating from the box itself do not work.
> Any ideas as to how to make this rulebase work with policy routing for
> outbound connections as well?
>
> I think it is interfering with the dynamic rules. ICMP appears to
> work, but that is all. I would like to still use the dynamic
> capabilities of stateful filtering if possible.

That is a problem with your setup since 'fwd' rules match and exit. So what happens is,

> # POLICY ROUTING
> ${fwcmd} add 095 allow ip from ${IP1} to ${IP1-NET}
> ${fwcmd} add 100 fwd ${IP1-GW} ip from ${IP1} to any

Packets match here and go out.

> ${fwcmd} add 110 allow ip from ${IP2} to ${IP2-NET}
> ${fwcmd} add 115 fwd ${IP2-FW} ip from ${IP2} to any

Or match here and go out.
Which means they never reached these:

> # Allow from me to anywhere
> ${fwcmd} add 240 allow tcp from me to any setup keep-state
> ${fwcmd} add 260 allow udp from me to any keep-state
> ${fwcmd} add 280 allow icmp from me to any

This also will mess with stateful connections (TCP) coming in since the responses never get seen by the dynamic rules. For incoming connections, using dynamic rules is actually bad for security in the first place, so dropping that is not a problem. For the outgoing traffic... problem.

  $fwcmd add fwd ${IP1-GW} tcp from me to any setup keep-state

Won't work since applying a 'fwd' to the returning traffic is a bad idea (routing loop).
-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-security@FreeBSD.ORG Fri Apr 16 15:39:30 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 45FF316A4CE for ; Fri, 16 Apr 2004 15:39:30 -0700 (PDT) Received: from dfmm.org (walter.dfmm.org [66.180.195.210]) by mx1.FreeBSD.org (Postfix) with ESMTP id E8FED43D55 for ; Fri, 16 Apr 2004 15:39:29 -0700 (PDT) (envelope-from freebsd-security@dfmm.org) Received: (qmail 1664 invoked by uid 1000); 16 Apr 2004 22:39:29 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 16 Apr 2004 22:39:29 -0000 Date: Fri, 16 Apr 2004 15:39:29 -0700 (PDT) From: Jason Stone X-X-Sender: jason@walter To: freebsd-security@freebsd.org In-Reply-To: <20040415180518.GA46433@phobos.osem.com> Message-ID: <20040416153835.K45935@walter> References: <20040408144322.GA83448@bewilderbeast.blackhelicopters.org> <20040413181943.GA55219@bewilderbeast.blackhelicopters.org> <6.0.3.0.0.20040414230754.07d7cf18@209.112.4.2> <6.0.3.0.0.20040415105459.0477f488@209.112.4.2> <20040415180518.GA46433@phobos.osem.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Subject: Re:
recommended SSL-friendly crypto accelerator X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 16 Apr 2004 22:39:30 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> For $79, it's cheap enough that I could put a whole stack of them in a
> machine. Can FreeBSD take advantage of multiple cards like that?

another question is, is there logic, either in the driver or in openssl, to notice if crypto operations are getting backed up waiting for the crypto card while the main cpu is idle and, in that case, to start doing the crypto on the main cpu rather than on the crypto card?

in other words, if the main cpu is actually way faster than the crypto card, is it possible that the crypto card could actually _slow_ crypto operations on that system? last time I checked, the stats on the cheap soekris cards were way slower than the output of "openssl speed" run on my system during normal load....

-Jason

--------------------------------------------------------------------------
Freud himself was a bit of a cold fish, and one cannot avoid the suspicion that he was insufficiently fondled when he was an infant.
-- Ashley Montagu

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQFAgGChswXMWWtptckRAsgbAJ0VkMFfr7vVmz4hYAv0Eiq4K8uKEQCfZVqE
J8GeGq8xwykfc05xGdDcZek=
=0elQ
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Fri Apr 16 16:58:16 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7870416A4CE for ; Fri, 16 Apr 2004 16:58:16 -0700 (PDT) Received: from dfmm.org (walter.dfmm.org [66.180.195.210]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4F71A43D54 for ; Fri, 16 Apr 2004 16:58:16 -0700 (PDT) (envelope-from freebsd-security@dfmm.org) Received: (qmail 21892 invoked by uid 1000); 16 Apr 2004 23:58:10 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 16 Apr 2004 23:58:10 -0000 Date: Fri, 16 Apr 2004 16:58:10 -0700 (PDT) From: Jason Stone X-X-Sender: jason@walter To: freebsd-security@freebsd.org In-Reply-To: <02cf01c42405$39a33450$4102a8c0@home> Message-ID: <20040416163109.S45935@walter> References: <20040408144322.GA83448@bewilderbeast.blackhelicopters.org><20040413181943.GA55219@bewilderbeast.blackhelicopters.org><6.0.3.0.0.20040414230754.07d7cf18@209.112.4.2><6.0.3.0.0.20040415105459.0477f488@209.112.4.2><20040415180518.GA46433@phobos.osem.com> <20040416153835.K45935@walter> <02cf01c42405$39a33450$4102a8c0@home> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Subject: Re: recommended SSL-friendly crypto accelerator X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 16 Apr 2004 23:58:16 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> | last time I checked, the stats on the cheap soekris cards were way slower
> | than the output of "openssl speed" run on my system during normal load....
>
> where are you referencing your stats from?

Oh, sorry - I don't have one of these cards - I'm comparing the stats published on the soekris website (eg, http://soekris.com/vpn1201.htm) with the output of "openssl speed" on the box that I was considering putting the card into.

eg, that page says, "Encryption, DES, Triple-DES and RC4 at 70 to 188 Mbps" so let's assume that it will do rc4 at 188Mbit/s = 24Mbyte/s.

now, running openssl speed on this p4-2.4Ghz yields:

type             8 bytes    64 bytes   256 bytes  1024 bytes  8192 bytes
rc4             66834.42k   88726.02k   91202.39k   91817.64k   91742.21k

so we see that even at the smallest blocksize, openssl on this cpu is encrypting at 67Mbyte/s, and, at very large blocksizes, 92Mbyte/s - this is roughly three to four times faster than the hardware card.

so, assuming that I haven't completely misinterpreted here, my question is, will either openssl or the kernel driver realize that the card is slower here and do the crypto on my main cpu while the cpu is not loaded?

-Jason

--------------------------------------------------------------------------
Freud himself was a bit of a cold fish, and one cannot avoid the suspicion that he was insufficiently fondled when he was an infant.
-- Ashley Montagu

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQFAgHMSswXMWWtptckRAkQYAKDsat2vO1jKX6+19PcXpyD5X3X/1gCeJIO0
wjRsYJ5/ql/NWiUh/EP/F4A=
=UBZ2
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Sat Apr 17 07:27:23 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 41D6416A4CE for ; Sat, 17 Apr 2004 07:27:23 -0700 (PDT) Received: from mxfep02.bredband.com (mxfep02.bredband.com [195.54.107.73]) by mx1.FreeBSD.org (Postfix) with ESMTP id 66AF143D31 for ; Sat, 17 Apr 2004 07:27:22 -0700 (PDT) (envelope-from z3l3zt@hackunite.net) Received: from mail.hackunite.net ([213.112.193.67] [213.112.193.67]) by mxfep02.bredband.com with SMTP <20040417142721.IUOK28534.mxfep02.bredband.com@mail.hackunite.net> for ; Sat, 17 Apr 2004 16:27:21 +0200 Received: from 213.112.193.35 (SquirrelMail authenticated user z3l3zt@hackunite.net) by mail.hackunite.net with HTTP; Sat, 17 Apr 2004 16:28:35 +0200 (CEST) Message-ID: <1998.213.112.193.35.1082212115.squirrel@mail.hackunite.net> Date: Sat, 17 Apr 2004 16:28:35 +0200 (CEST) From: z3l3zt@hackunite.net To: freebsd-security@freebsd.org User-Agent: SquirrelMail/1.4.2 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 Importance: Normal Subject: Is log_in_vain really good or really bad? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 17 Apr 2004 14:27:23 -0000

Heya..

Yesterday someone "attacked" my box by connecting to several ports.. In other words, a simple portscan..
yet, since my box has "log_in_vain" enabled, so it tries to log everything to /var/log/messages, since the logfile got full and the size went over 100K, it tried to rotate the log to save diskspace.

(Apr 16 21:00:00 omikron newsyslog[32137]: logfile turned over due to size>100K)

My server box is an Intel Celeron 733Mhz, 384Mb of RAM.. yet it's slow from time to time since I only run ATA66 due to the old motherboard. When this "attack" occurred yesterday, the box almost died and the box was working 100%.. all users who were logged in got "spammed" since the default *.emerg in /etc/syslog.conf is set to "*" ..

Isn't this a quite simple way of making a DoS attack against a system? My box is running on 10mbit and the person who scanned my server was connecting from a cable connection.. Someone (even with lower bandwidth) can simply portscan a box with "log_in_vain" enabled and the box will go crazy trying to log/store it?

Also, I'm not sure if it was a "general" portscan since the "blackhole" mostly slows those down quite much.. but since this had about 30-40 connections per second, it was a quite aggressive scan.

I would be glad if anyone could tell me how to solve this and/or how to make sure it doesn't happen again.
Regards,
Jesper 'Z3l3zT' Wallin

From owner-freebsd-security@FreeBSD.ORG Sat Apr 17 08:28:32 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 04BEA16A4CE for ; Sat, 17 Apr 2004 08:28:32 -0700 (PDT) Received: from corb.mc.mpls.visi.com (corb.mc.mpls.visi.com [208.42.156.1]) by mx1.FreeBSD.org (Postfix) with ESMTP id B133443D2F for ; Sat, 17 Apr 2004 08:28:31 -0700 (PDT) (envelope-from hawkeyd@visi.com) Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193]) by corb.mc.mpls.visi.com (Postfix) with ESMTP id EDFB7863C; Sat, 17 Apr 2004 10:28:30 -0500 (CDT) Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.6p2/8.11.6) id i3HFSUo58980; Sat, 17 Apr 2004 10:28:30 -0500 (CDT) (envelope-from hawkeyd) X-Spam-Policy: http://www.visi.com/~hawkeyd/index.html#mail Date: Sat, 17 Apr 2004 10:28:30 -0500 From: D J Hawkey Jr To: z3l3zt@hackunite.net Message-ID: <20040417152830.GA58923@sheol.localdomain> References: <1998.213.112.193.35.1082212115.squirrel@mail.hackunite.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1998.213.112.193.35.1082212115.squirrel@mail.hackunite.net> User-Agent: Mutt/1.4.1i cc: freebsd-security@freebsd.org Subject: Re: Is log_in_vain really good or really bad? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: hawkeyd@visi.com List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 17 Apr 2004 15:28:32 -0000

On Apr 17, at 04:28 PM, z3l3zt@hackunite.net wrote:
>
> Heya..
>
> Yesterday someone "attacked" my box by connecting to several ports.. In
> other words, a simple portscan..
> yet, since my box has "log_in_vain"
> enabled, so it tries to log everything to /var/log/messages, since the
> logfile got full and the size went over 100K, it tried to rotate the log
> to save diskspace.
>
> (Apr 16 21:00:00 omikron newsyslog[32137]: logfile turned over due to
> size>100K)
>
> My server box is an Intel Celeron 733Mhz, 384Mb of RAM.. yet it's slow from
> time to time since I only run ATA66 due to the old motherboard. When this
> "attack" occurred yesterday, the box almost died and the box was working
> 100%.. all users who were logged in got "spammed" since the default
> *.emerg in /etc/syslog.conf is set to "*" ..

If you're running a relatively slow bus, chances are you could (maybe even "have"?) experienced this already by a completely different set of circumstances, but didn't put it together?

> Isn't this a quite simple way of making a DoS attack against a system? My
> box is running on 10mbit and the person who scanned my server was
> connecting from a cable connection...
> [SNIP]

Assuming the attacker knew you had a slower bus, were running FreeBSD, had log_in_vain turned on, and ... ?

> I would be glad if anyone could tell me how to solve this and/or how to
> make sure it doesn't happen again.

Seems to me you're hampered by your hardware, and this episode is/was just the latest symptom. Moving /var to another physical drive on a different channel will help. So would tuning /etc/syslog.conf. Of course, so would turning off the log_in_vain knob (though I like it on, too). A new ATA adapter isn't all that expensive anymore, and would boost performance overall.

HTH,
Dave

-- 
______________________ ______________________
\__________________ \ D. J. HAWKEY JR.
/ __________________/ \________________/\ hawkeyd@visi.com /\________________/ http://www.visi.com/~hawkeyd/

From owner-freebsd-security@FreeBSD.ORG Sat Apr 17 08:35:29 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 407FB16A4CE for ; Sat, 17 Apr 2004 08:35:29 -0700 (PDT) Received: from out011.verizon.net (out011pub.verizon.net [206.46.170.135]) by mx1.FreeBSD.org (Postfix) with ESMTP id CCEC443D5E for ; Sat, 17 Apr 2004 08:35:28 -0700 (PDT) (envelope-from cswiger@mac.com) Received: from mac.com ([68.160.247.127]) by out011.verizon.net (InterMail vM.5.01.06.06 201-253-122-130-106-20030910) with ESMTP id <20040417153528.FOM18566.out011.verizon.net@mac.com>; Sat, 17 Apr 2004 10:35:28 -0500 Message-ID: <40814F28.30501@mac.com> Date: Sat, 17 Apr 2004 11:37:12 -0400 From: Chuck Swiger Organization: The Courts of Chaos User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7b) Gecko/20040316 X-Accept-Language: en-us, en MIME-Version: 1.0 To: z3l3zt@hackunite.net References: <1998.213.112.193.35.1082212115.squirrel@mail.hackunite.net> In-Reply-To: <1998.213.112.193.35.1082212115.squirrel@mail.hackunite.net> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Authentication-Info: Submitted using SMTP AUTH at out011.verizon.net from [68.160.247.127] at Sat, 17 Apr 2004 10:35:27 -0500 cc: freebsd-security@freebsd.org Subject: Re: Is log_in_vain really good or really bad? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 17 Apr 2004 15:35:29 -0000

z3l3zt@hackunite.net wrote:
> Yesterday someone "attacked" my box by connecting to several ports.. In
> other words, a simple portscan..
> yet, since my box has "log_in_vain"
> enabled, so it tries to log everything to /var/log/messages, [ ... ]
> Isn't this a quite simple way of making a DoS attack against a system?

Certainly turning on log_in_vain makes it easier to DoS a system, but it's possible to perform a DoS against anything if someone tries hard enough.

Basically, log_in_vain can be used to turn a system into a network sensor which tracks incoming connection requests. Normally, one has a firewall in place which blocks the majority of ports used by a port scan, and your sensor only detects the remainder-- ie, what you let through, in addition to any local traffic.

Seeing your sensor get horribly busy like you did tends to indicate you're monitoring unfiltered Internet traffic (or your firewall is busted), in which case be prepared to possibly deal with hundreds of thousands of lines of logging per day. Or it indicates an internal machine has been virusized and is scanning the local subnet for other hosts to infect (or someone connecting a laptop to your network, etc). I've been seeing about 500 connection attempts per day per monitored IP address.
For what it's worth, you provoked my curiosity enough to see what the last week looks like in terms of a histogram by port #:

% zcat /var/log/system.log.*.gz | grep 'TCP.* S' | awk -F: '{print $7}' \
    | awk '{print $1}' | sort -n | uniq -c | sort -nr | head -30
20654 1433
 4622 4444
 4458 445
 3451 135
 3189 139
 2455 80
  448 6129
  270 3127
  140 2745
  124 4000
   96 21
   87 4899
   80 1025
   79 1080
   65 5000
   58 3128
   41 20168
   41 1981
   34 25
   28 3410
   26 36442
   23 23
   17 22
   15 443
   13 32772
   13 113
    7 81
    7 8000
    6 8080
    5 901

-- 
-Chuck

From owner-freebsd-security@FreeBSD.ORG Sat Apr 17 20:10:21 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A09E516A4CE for ; Sat, 17 Apr 2004 20:10:21 -0700 (PDT) Received: from mx7.roble.com (mx7.roble.com [206.40.34.7]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7DD8843D39 for ; Sat, 17 Apr 2004 20:10:19 -0700 (PDT) (envelope-from marquis@roble.com) Received: by mx7.roble.com (Postfix, from userid 65534) id BC0F0DAE7D; Sat, 17 Apr 2004 20:10:18 -0700 (PDT) Date: Sat, 17 Apr 2004 20:10:17 -0700 (PDT) From: Roger Marquis To: freebsd-security@freebsd.org In-Reply-To: <20040417190059.06B0316A4F7@hub.freebsd.org> References: <20040417190059.06B0316A4F7@hub.freebsd.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Message-Id: <20040418031017.98ACEDAC11@mx7.roble.com> X-Spam-Level: X-Spam-Status: No, hits=-4.9 required=6.0 tests=BAYES_00 autolearn=no version=2.63 Subject: Re: Is log_in_vain really good or really bad? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 18 Apr 2004 03:10:21 -0000

z3l3zt@hackunite.net wrote:
> Yesterday someone "attacked" my box by connecting to several ports.. In
> other words, a simple portscan..
> yet, since my box has "log_in_vain"
> enabled, so it tries to log everything to /var/log/messages, since the
> logfile got full and the size went over 100K, it tried to rotate the log
> to save diskspace.

This is a hardware problem. Any ATA/SATA disk will suck up CPU with every disk access. The solution is to switch to SCSI. Proper partitioning would also allow you to rotate log files every 10 or 20MB instead of at 100K. For reasons exactly like this I never partition a disk for anything other than swap. If filesystems need to be separated they're put on separate (SCSI) disks.

Whether you need log_in_vain or not depends on what you do with the logs. Are you compiling statistics? Running Snort or another IDE? Separating facilities into different files (other than /var/log/messages)? Reading them regularly and often? If you answered no to two or more of these questions then there's probably little to lose by disabling log_in_vain.

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
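Editor's added example for the log_in_vain thread above (it is not code from any of the posters): a small Python triage script that does offline what Chuck Swiger's zcat|grep|awk|sort|uniq -c pipeline does, and additionally flags the kind of 30-40 connections per second burst Jesper describes, plus a quick estimate of how fast such a burst pushes /var/log/messages past newsyslog's 100K trigger. The kernel message layout ("Connection attempt to TCP a.b.c.d:port from w.x.y.z:port flags:0x..") is assumed from memory of FreeBSD's tcp_input.c/udp_usrreq.c, the host name and addresses in the sample lines are constructed, and the 110 bytes per line figure is an assumption; check all three against your own logs.

```python
"""Triage of FreeBSD log_in_vain kernel log lines (added example).

Parses the lines that net.inet.tcp.log_in_vain / net.inet.udp.log_in_vain
emit, builds the per-destination-port histogram discussed in the thread,
flags sources whose per-second fan-out looks like a scan, and estimates how
long a scan takes to fill a 100K syslog file.
Message layout assumed from memory; verify it against /var/log/messages.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) \S*kernel: "
    r"Connection attempt to (?P<proto>TCP|UDP) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+)(?: flags:0x(?P<flags>[0-9a-fA-F]+))?"
)


def parse_line(line, year=2004):
    """Return a dict for a log_in_vain line, or None for any other syslog line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # syslog timestamps carry no year, so the caller supplies one.
    ts = datetime.strptime(f"{year} {d['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts, "host": d["host"], "proto": d["proto"],
        "dst": d["dst"], "dport": int(d["dport"]),
        "src": d["src"], "sport": int(d["sport"]),
        "flags": int(d["flags"], 16) if d["flags"] else None,  # UDP lines carry no flags
    }


def port_histogram(lines, proto="TCP", top=30):
    """(port, count) pairs, most frequent first: the shell pipeline's output."""
    c = Counter(ev["dport"] for ev in map(parse_line, lines)
                if ev and ev["proto"] == proto)
    return c.most_common(top)


def find_scanners(lines, max_per_second=30):
    """Sources that hit more than max_per_second distinct destination ports
    within one wall-clock second; returns {src: (ports_in_worst_second, second)}."""
    buckets = defaultdict(set)          # (src, second) -> set of destination ports
    for ev in map(parse_line, lines):
        if ev:
            buckets[(ev["src"], ev["ts"])].add(ev["dport"])  # ts has 1s resolution
    worst = {}
    for (src, sec), ports in buckets.items():
        if len(ports) > max_per_second and len(ports) > worst.get(src, (0, None))[0]:
            worst[src] = (len(ports), sec)
    return worst


def seconds_until_rotate(conn_per_second, bytes_per_line=110, limit=100 * 1024):
    """Seconds a scan at the given rate needs to push the log past newsyslog's
    size trigger (100K in the quoted newsyslog line; 110 bytes/line is assumed)."""
    return limit / (conn_per_second * bytes_per_line)


# Constructed sample log, not real data: one source sweeps ports 1..40 within a
# single second, a second source makes three ordinary failed connections, and a
# newsyslog line shows that unrelated syslog lines are ignored.
SAMPLE = [
    f"Apr 16 21:00:01 omikron /kernel: Connection attempt to TCP 10.0.0.5:{p} "
    f"from 192.0.2.77:{40000 + p} flags:0x02"
    for p in range(1, 41)
] + [
    "Apr 16 20:59:58 omikron /kernel: Connection attempt to TCP 10.0.0.5:445 from 198.51.100.9:1234 flags:0x02",
    "Apr 16 20:59:59 omikron /kernel: Connection attempt to TCP 10.0.0.5:445 from 198.51.100.9:1235 flags:0x02",
    "Apr 16 21:00:03 omikron /kernel: Connection attempt to UDP 10.0.0.5:137 from 198.51.100.9:137",
    "Apr 16 21:00:00 omikron newsyslog[32137]: logfile turned over due to size>100K",
]

if __name__ == "__main__":
    for port, n in port_histogram(SAMPLE, top=5):
        print(f"{n:6d} {port}")
    for src, (n, sec) in find_scanners(SAMPLE).items():
        print(f"scan from {src}: {n} ports in the second starting {sec}")
    print(f"100K reached after {seconds_until_rotate(35):.0f}s at 35 connections/s")
```

Run against a real file with `port_histogram(open("/var/log/messages").read().splitlines())`; the one-second bucketing in `find_scanners` is deliberately crude, which is enough to separate a sweep from the background noise Chuck reports, and the rotation estimate shows why a 100K newsyslog threshold turns a modest scan into a rotate-and-flush storm within half a minute.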
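Editor's added example for Jason Stone's crypto accelerator comparison earlier on this page (not code from the thread): a Python helper that parses the summary table `openssl speed` prints, converts a vendor's Mbit/s rating to the bytes/s that openssl reports, and says at which block sizes the card would actually beat the CPU. The two table rows are the ones Jason quoted; the 188 Mbit/s RC4 figure is the top of the range on the vendor page he cites, and the `card_helps` threshold logic is the added part.

```python
"""Compare software `openssl speed` throughput with an accelerator's rated
throughput, the check Jason Stone does by hand in the thread (added example)."""
import re


def parse_openssl_speed(output):
    """Parse the summary table printed by `openssl speed` into
    {algorithm: {block_size_in_bytes: bytes_per_second}}.
    openssl prints thousands of bytes per second with a trailing 'k'."""
    sizes, table = [], {}
    for line in output.splitlines():
        if line.startswith("type"):
            sizes = [int(n) for n in re.findall(r"(\d+) bytes", line)]
            continue
        m = re.match(r"^(\S+)\s+((?:[\d.]+k\s*)+)$", line)
        if not (m and sizes):
            continue                      # banner, options, or other chatter
        values = [float(v.rstrip("k")) * 1000 for v in m.group(2).split()]
        table[m.group(1)] = dict(zip(sizes, values))
    return table


def mbit_to_bytes_per_second(mbit):
    """Vendor sheets quote megabits per second; openssl reports bytes."""
    return mbit * 1_000_000 / 8


def speedup_vs_card(table, algorithm, card_mbit, block_size):
    """Software throughput divided by the card's rated throughput.
    A value above 1 means the CPU already beats the card at that block size."""
    return table[algorithm][block_size] / mbit_to_bytes_per_second(card_mbit)


def card_helps(table, algorithm, card_mbit):
    """Block sizes at which the card's rated figure exceeds the CPU's."""
    return sorted(bs for bs, bps in table[algorithm].items()
                  if bps < mbit_to_bytes_per_second(card_mbit))


# The rows Jason Stone quoted for his P4 2.4 GHz, and the 188 Mbit/s RC4
# figure from the vendor page he cites.
SPEED_OUTPUT = """\
type             8 bytes    64 bytes   256 bytes  1024 bytes  8192 bytes
rc4             66834.42k   88726.02k   91202.39k   91817.64k   91742.21k
"""
CARD_RC4_MBIT = 188

if __name__ == "__main__":
    table = parse_openssl_speed(SPEED_OUTPUT)
    for bs in sorted(table["rc4"]):
        ratio = speedup_vs_card(table, "rc4", CARD_RC4_MBIT, bs)
        print(f"rc4 @ {bs:5d} bytes: CPU is {ratio:.1f}x the card")
    print("block sizes where the card wins:", card_helps(table, "rc4", CARD_RC4_MBIT))
```

Feed it `openssl speed rc4 des-ede3 aes` output from the machine you intend to put the card in; the comparison is only meaningful for the ciphers the card offloads, and the SSL-relevant number is usually the small-block one, since TLS records and handshake RSA operations are far from the 8192-byte best case.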