From owner-freebsd-security@FreeBSD.ORG Sun Dec 19 01:33:27 2004
Date: Sat, 18 Dec 2004 17:35:35 -0800 (PST)
From: Dave
To: Craig Edwards
cc: freebsd-security@freebsd.org, estover@nativenerds.com
Subject: Re: Strange command histories in hacked shell history
Message-ID: <20041218173044.K23128@metafocus.net>
In-Reply-To: <41C41869.5040408@winbot.co.uk>
List-Id: Security issues [members-only posting]
X-Mailman-Version: 2.1.1

> You could change the permissions on the su binary, so that only users in
> the wheel group can even execute su. That way, when a non-wheel user
> attempts to su to a user in the wheel group, they simply get permission
> denied.

This is a really good idea. I decided to try it as root and chmod gave me
"chmod: su: Operation Not Permitted!" The nerve! I'll have to have a look
at that more carefully later :)

As a side note, I think Bill's point about 2 passwords to break is pretty
strong in my point of view. Just for simplicity's sake (in both security and
in design), "the su stack" really shouldn't be any larger than 1. No su'ing
twice, or N number of times. Hmm, I wonder if there is an option for setting
that. I suppose someone might have a purpose to, but if they really need to
be doing that, I think they have a problem in their own designs.

From owner-freebsd-security@FreeBSD.ORG Sun Dec 19 03:14:28 2004
Date: Sat, 18 Dec 2004 22:14:17 -0500 (EST)
From: "Jerry Bell"
To: bv@wjv.com
cc: freebsd-security@freebsd.org
Subject: Re: Strange command histories in hacked shell history
Message-ID: <4916.24.98.86.57.1103426057.squirrel@24.98.86.57>
In-Reply-To: <20041218160834.GA76897@wjv.com>
> I do agree with that, especially the first paragraph " ... no
> matter how paranoid your philosophy ..."
>
> I have had one instance of an attempt where I had missed one machine
> out of about 8 applying one security patch. All were patched
> within hours, the one that got hit was 2 days later. You have to
> get to any patches as soon as the hole becomes known.

Really bad things usually happen as a result of a series of small mistakes
or oversights.

> And my machines are pretty accessible to the world being on a
> backbone. One machine was getting about 300,000 spams/day until
> I finally took off all MX for that domain. If anyone has problems
> they need to perform a whois and use those contacts. It's one of
> those domains whose name alone drives it up the list.

Spammers, IMO, are one of the strongest offenders of system hacking today -
they have a real financial interest in getting into your system.

> I haven't set the security levels high as that means that any
> problems would require driving to the colo - and that's about
> 1/2 hour at 3AM - and two to three times higher during the daylight
> hours.

If your problem with hardening your system is the need to "be in front of
it", there are some ways around it. Probably the most reliable and
convenient is a network KVM and network power switch. Sometimes you can get
your colo to provide that for an extra charge, or you can buy it yourself
(quite a few choices on ebay these days). It doesn't take many trips to the
colo at 12am to make it worthwhile :)

Alternatively, most all of the "hardening" can be worked around, such as
lowering the security level and rebooting, or using the
/usr/share/examples/ipfw/change_rules.sh script for modifying ipfw rules
remotely. It certainly isn't as convenient as being at the console, but you
can do it, if you're careful.

Jerry
http://www.syslog.org

From owner-freebsd-security@FreeBSD.ORG Sun Dec 19 09:51:23 2004
Date: Sun, 19 Dec 2004 17:51:02 +0800
From: Ganbold
To: Dave
cc: freebsd-security@freebsd.org
Subject: Re: Strange command histories in hacked shell history
Message-Id: <6.2.0.14.2.20041219174654.051f1250@202.179.0.80>
In-Reply-To: <20041218173044.K23128@metafocus.net>

At 09:35 AM 12/19/2004, you wrote:
> > You could change the permissions on the su binary, so that only users
> > in the wheel group can even execute su. That way, when a non-wheel user
> > attempts to su to a user in the wheel group, they simply get permission
> > denied.
>
> This is a really good idea. I decided to try it as root and chmod gave me
> chmod: su: Operation Not Permitted! The nerve! I'll have to have a look
> at that more carefully later :)

Yes, I like this idea too. I'll try it for sure.

> As a side note, I think Bill's point about 2 passwords to break is pretty
> strong in my point of view. Just for simplicity's sake (in both security
> and in design), "the su stack" really shouldn't be any larger than 1. No
> su'ing twice, or N number of times.

That could be a useful option too.

> Hmm, I wonder if there is an option for setting that. I suppose someone
> might have a purpose to, but if they really need to be doing that, I think
> they have a problem in their own designs.

Anyway, thanks to all who read my annoying email and responded :) Still I
don't know yet how the hacker got into the system, but I'll try my best and
I hope I will find more in the hacked PC in the next couple of days.

thanks a lot,

Ganbold

From owner-freebsd-security@FreeBSD.ORG Sun Dec 19 11:53:38 2004
Date: Sun, 19 Dec 2004 12:53:18 +0100
From: des@des.no (Dag-Erling Smørgrav)
To: Dave
cc: Craig Edwards, estover@nativenerds.com, freebsd-security@freebsd.org
Subject: Re: Strange command histories in hacked shell history
In-Reply-To: <20041218173044.K23128@metafocus.net>

Dave writes:
> This is a really good idea. I decided to try it as root and chmod gave me
> chmod: su: Operation Not Permitted! The nerve! I'll have to have a look
> at that more carefully later :)

man chflags

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Mon Dec 20 17:18:39 2004
Date: Mon, 20 Dec 2004 12:18:36 -0500
From: Bill Vermillion
To: freebsd-security@freebsd.org
Reply-To: bv@wjv.com
Organization: W.J.Vermillion / Orlando - Winter Park
Subject: Re: Strange command histories in hacked shell history
Message-ID: <20041220171836.GC81898@wjv.com>
In-Reply-To: <20041220095628.GA98945@augusta.de>

While normally not able to pour water out of a boot with instructions on
the heel, on Mon, Dec 20, 2004 at 10:56 our dear friend Gerhard Schmidt
uttered this load of codswallop:

> On Fri, Dec 17, 2004 at 09:53:15AM -0500, Bill Vermillion wrote:

[much deleted - wjv]

> > Can anyone explain why su does not use the UID from the login
> > instead of the EUID ? It strikes me as a security hole, but I'm no
> > security expert so explanations either way would be welcomed.

> I'm not a security expert, but if someone has the
> Username/Password for an Account that can su to root. Where is
> the point of disallowing him to su to this user and then to su.
> You can't prevent him from directly logging in as this User
> and then use su. Therefore there is no gain in security just a
> drawback in usefulness. I use this often to get a rootshell on
> an Xsession from an user who can't su to root.

You can limit the access for the person who has wheel/su privileges by
running sshd and then permitting connections only from certain IPs or IP
blocks. So another person is severely restricted from logging in as this
user even if they have cracked that person's password. But once the
cracker is in the system they can attempt breaking the password on a local
basis, and then attack the root system.

I think the comment one other person made about limiting the su stack to 1,
so that you can not su to an account and then su to another account, is a
good approach.

Considering the HUGE amount of attempted SSH logins I see on my servers from
all over the world, with most coming from Korea, China, and lately Brazil,
to add to those from Germany and Russia [just some I recall from the whois
queries] anything we can do to improve the security is a step forward.

In server environments security far outweighs all other considerations IMO.

Bill
-- 
Bill Vermillion - bv @ wjv . com

From owner-freebsd-security@FreeBSD.ORG Mon Dec 20 21:23:08 2004
Date: Mon, 20 Dec 2004 14:23:02 -0700
From: Brett Glass
To: freebsd-security@freebsd.org
Subject: chroot-ing users coming in via SSH and/or SFTP?
Message-Id: <6.2.0.14.2.20041220142255.06260ca0@localhost>

A client wants me to set up a mechanism whereby his customers can drop files
securely into directories on his FreeBSD server; he also wants them to be
able to retrieve files if needed. The server is already running OpenSSH, and
he himself is using Windows clients (TeraTerm and WinSCP) to access it, so
the logical thing to do seems to be to have his clients send and receive
files via SFTP or SCP.

The users depositing files on the server shouldn't be allowed to see what
one another are doing or to grope around on the system, so it'd be a good
idea to chroot them into home directories, as is commonly done with FTP.
However, OpenSSH (or at least FreeBSD's version of it) doesn't seem to have
a mechanism that allows users doing SSH, SCP, or SFTP to be chroot-ed into a
specific directory. What is the most effective and elegant way to do this?
I've seen some crude patches that allow you to put a /. in the home
directory specified in /etc/passwd, but these are specific to versions of
the "portable" OpenSSH and none of the diffs seem to match FreeBSD's files
exactly.

--Brett

From owner-freebsd-security@FreeBSD.ORG Mon Dec 20 21:27:16 2004
Date: Mon, 20 Dec 2004 22:27:10 +0100
From: martin hudec
To: freebsd-security@freebsd.org
Subject: Re: chroot-ing users coming in via SSH and/or SFTP?
Message-ID: <20041220212710.GA678@pleiades.aeternal.net>
In-Reply-To: <6.2.0.14.2.20041220142255.06260ca0@localhost>
X-Operating-System: FreeBSD pleiades.aeternal.net 6.0-CURRENT i386

Hello,

On Mon, Dec 20, 2004 at 02:23:02PM -0700 or thereabouts, Brett Glass wrote:
> The users depositing files on the server shouldn't be allowed to see what
> one another are doing or to grope around on the system, so it'd be a good
> idea to chroot them into home directories, as is commonly done with FTP.
>
> However, OpenSSH (or at least FreeBSD's version of it) doesn't seem to have a
> mechanism that allows users doing SSH, SCP, or SFTP to be chroot-ed into a
> specific directory. What is the most effective and elegant way to do this? I've
> seen some crude patches that allow you to put a /. in the home directory specified
> in /etc/passwd, but these are specific to versions of the "portable" OpenSSH
> and none of the diffs seem to match FreeBSD's files exactly.

go for /usr/ports/shells/scponly, it also has the ability to use chroot.

Cheers,
Martin

-- 
martin hudec
* 421 907 303 393
* corwin@aeternal.net
* http://www.aeternal.net

"Nothing travels faster than the speed of light with the possible
exception of bad news, which obeys its own special laws."
Douglas Adams, "The Hitchhiker's Guide to the Galaxy"

From owner-freebsd-security@FreeBSD.ORG Mon Dec 20 21:27:26 2004
Date: Mon, 20 Dec 2004 15:23:05 -0600
From: Nigel Houghton
To: Brett Glass
cc: freebsd-security@freebsd.org
Subject: Re: chroot-ing users coming in via SSH and/or SFTP?
Message-ID: <20041220212304.GV792@sourcefire.com>
In-Reply-To: <6.2.0.14.2.20041220142255.06260ca0@localhost>
On 0, Brett Glass allegedly wrote:
> A client wants me to set up a mechanism whereby his customers can drop files
> securely into directories on his FreeBSD server; he also wants them to be
> able to retrieve files if needed. The server is already running OpenSSH,
> and he himself is using Windows clients (TeraTerm and WinSCP) to access it,
> so the logical thing to do seems to be to have his clients send and receive
> files via SFTP or SCP.
>
> The users depositing files on the server shouldn't be allowed to see what
> one another are doing or to grope around on the system, so it'd be a good
> idea to chroot them into home directories, as is commonly done with FTP.
>
> However, OpenSSH (or at least FreeBSD's version of it) doesn't seem to have a
> mechanism that allows users doing SSH, SCP, or SFTP to be chroot-ed into a
> specific directory. What is the most effective and elegant way to do this? I've
> seen some crude patches that allow you to put a /. in the home directory specified
> in /etc/passwd, but these are specific to versions of the "portable" OpenSSH
> and none of the diffs seem to match FreeBSD's files exactly.
>
> --Brett

Is there something wrong with using the scponly shell for the users? It is
available in ports and at http://www.sublimation.org/scponly/

+-----------------------------------------------------------------+
Nigel Houghton        Research Engineer        Sourcefire Inc.
                   Vulnerability Research Team

Stewie: You know, I rather like this God fellow. Very theatrical, you know.
Pestilence here, a plague there. Omnipotence ...gotta get me some of that.
From owner-freebsd-security@FreeBSD.ORG Mon Dec 20 22:11:54 2004
Date: Mon, 20 Dec 2004 15:11:45 -0700
From: Brett Glass
To: Nigel Houghton
cc: freebsd-security@freebsd.org
Subject: Re: chroot-ing users coming in via SSH and/or SFTP?
Message-Id: <6.2.0.14.2.20041220145924.0624c328@localhost>
In-Reply-To: <20041220212304.GV792@sourcefire.com>

At 02:23 PM 12/20/2004, Nigel Houghton wrote:

>Is there something wrong with using the scponly shell for the users?

Mainly that I hadn't heard of it until you mentioned it. ;-) Thank you! (I
knew I could get a quick answer, if there was one, from the list.)

I just tried building it (twice, because the first time I didn't realize
that it required a special variable to be defined before it would set
itself up to chroot users). I'll be testing it shortly to be sure that the
"jails" created by its sample script (which creates both the user ID and
the jail) have everything needed for FreeBSD.

It'd be nice if there were a more centralized "chroot" facility that
covered SSH, FTP, and other things as well.

--Brett

From owner-freebsd-security@FreeBSD.ORG Mon Dec 20 22:23:49 2004
Date: Mon, 20 Dec 2004 16:19:29 -0600
From: Nigel Houghton
To: Brett Glass
cc: freebsd-security@freebsd.org
Subject: Re: chroot-ing users coming in via SSH and/or SFTP?
Message-ID: <20041220221928.GA2698@sourcefire.com>
In-Reply-To: <6.2.0.14.2.20041220145924.0624c328@localhost>
On 0, Brett Glass allegedly wrote:
> At 02:23 PM 12/20/2004, Nigel Houghton wrote:
>
> >Is there something wrong with using the scponly shell for the users?
>
> Mainly that I hadn't heard of it until you mentioned it. ;-)
> Thank you! (I knew I could get a quick answer, if there was one,
> from the list.)

aha, ok, good.

> I just tried building it (twice, because the first time I didn't
> realize that it required a special variable to be defined before
> it would set itself up to chroot users). I'll be testing it shortly
> to be sure that the "jails" created by its sample script (which
> creates both the user ID and the jail) have everything needed for
> FreeBSD.
>
> It'd be nice if there were a more centralized "chroot" facility
> that covered SSH, FTP, and other things as well.
>
> --Brett

Take a look at the Jail project, you'll find it here...

  http://www.jmcresearch.com/projects/jail/

..and in ports/sysutils/ along with some other jail tools, it may provide
some of the features you are looking for.

+-----------------------------------------------------------------+
Nigel Houghton        Research Engineer        Sourcefire Inc.
                   Vulnerability Research Team

Stewie: You know, I rather like this God fellow. Very theatrical, you know.
Pestilence here, a plague there. Omnipotence ...gotta get me some of that.
From owner-freebsd-security@FreeBSD.ORG Tue Dec 21 02:28:39 2004
Date: Mon, 20 Dec 2004 18:28:27 -0800 (PST)
From: David Wolfskill
To: brett@lariat.org, freebsd-security@freebsd.org
Subject: Re: chroot-ing users coming in via SSH and/or SFTP?
Message-Id: <200412210228.iBL2SRKF005296@bunrab.catwhisker.org>
In-Reply-To: <6.2.0.14.2.20041220142255.06260ca0@localhost>

Ref. /usr/ports/shells/scponly; scponly does provide a "chroot" mechanism.

Peace,
david
-- 
David H. Wolfskill                              david@catwhisker.org
I resent spammers because spam is a DoS attack on my time.
See http://www.catwhisker.org/~david/publickey.gpg for public key.
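Three replies so far point Brett at scponly's chroot mode, and Brett says he still has to check that the jails its sample script builds "have everything needed". Whatever tool builds the jail, the properties a file-drop chroot depends on can be checked mechanically. The following POSIX sh function is an added example, not code from any of the posts above and not part of scponly: it audits a chroot tree for a jail root owned by root, for directories the jailed users could write to outside the one drop-off subdirectory (assumed here to be called incoming), for setuid or setgid files inside the tree, and for the drop-off directory existing at all. The function name and the path in the usage comment are constructed.

```shell
#!/bin/sh
# audit_chroot JAILROOT [DROPDIR]
# Added example (not from the thread, not from scponly): check a file-drop
# chroot for the properties the jail depends on. Prints one WARN line per
# finding and returns the number of findings (0 = clean).
# DROPDIR (default "incoming") is the one subdirectory the jailed users are
# meant to write into; every other directory must be read-only for them.
# Paths containing whitespace are not handled by the for-loops below.

audit_chroot() {
    root=$1
    drop=${2:-incoming}
    findings=0

    # The jail root must belong to root. A root directory the jailed user
    # owns or can write to makes the chroot boundary only as strong as
    # that user's account.
    if [ -z "$(find "$root" -maxdepth 0 -user root)" ]; then
        printf 'WARN %s: jail root is not owned by root\n' "$root"
        findings=$((findings + 1))
    fi

    # Directories writable by group or others anywhere except the drop-off
    # tree. -perm -020 = group write bit set, -perm -002 = other write bit.
    for d in $(find "$root" -type d \( -perm -020 -o -perm -002 \) \
                   ! -path "$root/$drop" ! -path "$root/$drop/*"); do
        printf 'WARN %s: directory writable by group or other\n' "$d"
        findings=$((findings + 1))
    done

    # A jail should hold only the binaries the users need, and none of them
    # should be setuid/setgid: a privileged binary inside the jail runs
    # with that privilege for the jailed users.
    for f in $(find "$root" -type f \( -perm -4000 -o -perm -2000 \)); do
        printf 'WARN %s: setuid/setgid file inside jail\n' "$f"
        findings=$((findings + 1))
    done

    # Without the drop-off directory, uploads would have to land in the
    # jail root, which is supposed to be read-only.
    if [ ! -d "$root/$drop" ]; then
        printf 'WARN %s/%s: drop-off directory missing\n' "$root" "$drop"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Usage on the server (constructed path):
#   audit_chroot /home/jail/customer1 incoming || echo "jail needs attention"
```

Run it as root after the jail is populated and again after every upgrade of the binaries copied into it; a non-zero return value is the signal to look at the WARN lines.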
From owner-freebsd-security@FreeBSD.ORG Tue Dec 21 02:30:09 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3549416A4CE for ; Tue, 21 Dec 2004 02:30:09 +0000 (GMT) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 707BB43D49 for ; Tue, 21 Dec 2004 02:30:08 +0000 (GMT) (envelope-from brett@lariat.org) Received: from runaround.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id TAA12266; Mon, 20 Dec 2004 19:30:03 -0700 (MST) X-message-flag: Warning! Use of Microsoft Outlook renders your system susceptible to Internet worms. Message-Id: <6.2.0.14.2.20041220191915.0531e798@localhost> X-Mailer: QUALCOMM Windows Eudora Version 6.2.0.14 Date: Mon, 20 Dec 2004 19:30:00 -0700 To: Nigel Houghton From: Brett Glass In-Reply-To: <20041220221928.GA2698@sourcefire.com> References: <6.2.0.14.2.20041220142255.06260ca0@localhost> <20041220212304.GV792@sourcefire.com> <6.2.0.14.2.20041220145924.0624c328@localhost> <20041220221928.GA2698@sourcefire.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" cc: freebsd-security@freebsd.org Subject: Re: chroot-ing users coming in via SSH and/or SFTP? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 21 Dec 2004 02:30:09 -0000 At 03:19 PM 12/20/2004, Nigel Houghton wrote: >Take a look at the Jail project, you'll find it here... > > http://www.jmcresearch.com/projects/jail/ > >..and in ports/sysutils/ along with some other jail tools, it may >provide some of the features you are looking for. Looks useful. (Shame it's GPLed.) 
In any case, it seems to me that creation of a jail the way this tool does it (and the way most people have to do it in general) requires a lot of redundant copies of files. Wouldn't it be neat if there were a type of link (not quite soft, not quite hard; call it "firm") that would let you link to the current master copies of executables (rather than copying them) but not let the inmates out of their jails? Hard links have the disadvantage that they're broken when you upgrade an executable; soft links can't be used because, well, you're in a jail. The type of link I have in mind would be symbolic but resolved by the system behind the scenes; from inside the jail it wouldn't look like a link.

--Brett

From owner-freebsd-security@FreeBSD.ORG Tue Dec 21 05:00:42 2004
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C97BE16A4CE for ; Tue, 21 Dec 2004 05:00:42 +0000 (GMT)
Received: from straycat.dhs.org (h0050da134090.ne.client2.attbi.com [24.60.174.16]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1CB0543D45 for ; Tue, 21 Dec 2004 05:00:40 +0000 (GMT) (envelope-from tmclaugh@sdf.lonestar.org)
Received: from compass.straycat.dhs.org (compass.straycat.dhs.org [192.168.1.32]) by straycat.dhs.org (8.13.0/8.13.0) with ESMTP id iBL50YQQ020289; Tue, 21 Dec 2004 00:00:35 -0500 (EST)
From: Tom McLaughlin
To: Brett Glass
In-Reply-To: <6.2.0.14.2.20041220191915.0531e798@localhost>
References: <6.2.0.14.2.20041220142255.06260ca0@localhost> <20041220212304.GV792@sourcefire.com> <6.2.0.14.2.20041220145924.0624c328@localhost> <20041220221928.GA2698@sourcefire.com> <6.2.0.14.2.20041220191915.0531e798@localhost>
Content-Type: text/plain
Date: Tue, 21 Dec 2004 00:00:39 -0500
Message-Id: <1103605239.1100.13.camel@compass.straycat.dhs.org>
Mime-Version: 1.0
X-Mailer: Evolution 2.0.3 FreeBSD GNOME Team Port
Content-Transfer-Encoding: 7bit
cc: freebsd-security@freebsd.org
Subject: Re: chroot-ing users coming in via SSH and/or SFTP?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Tue, 21 Dec 2004 05:00:42 -0000

On Mon, 2004-12-20 at 19:30 -0700, Brett Glass wrote:
> At 03:19 PM 12/20/2004, Nigel Houghton wrote:
>
> >Take a look at the Jail project, you'll find it here...
> >
> > http://www.jmcresearch.com/projects/jail/
> >
> >..and in ports/sysutils/ along with some other jail tools, it may
> >provide some of the features you are looking for.
>
> Looks useful. (Shame it's GPLed.) In any case, it seems to me that creation of a jail the way this tool does it (and the way most people have to do it in general) requires a lot of redundant copies of files. Wouldn't it be neat if there were a type of link (not quite soft, not quite hard; call it "firm") that would let you link to the current master copies of executables (rather than copying them) but not let the inmates out of their jails? Hard links have the disadvantage that they're broken when you upgrade an executable; soft links can't be used because, well, you're in a jail. The type of link I have in mind would be symbolic but resolved by the system behind the scenes; from inside the jail it wouldn't look like a link.
>
> --Brett
>

FreeBSD has its own jail(8) system which might be useful, but yes, it requires redundant files. You could also look at using a restricted shell (pdksh has the option but I'm not sure about csh) as well. I'm looking at doing anonymous cvs over ssh where I formerly used a jail. I haven't tried it yet but a restricted shell looks like it may provide me with what I need.
Last time I did an sftp jail I believe I used chrsh which can be found here: http://www.aarongifford.com/computers/chrsh.html

Tom
-- 
BSD# Project - Porting Mono to FreeBSD
http://forge.novell.com/modules/xfmod/project/?bsd-sharp

From owner-freebsd-security@FreeBSD.ORG Tue Dec 21 07:50:32 2004
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0713116A4CE for ; Tue, 21 Dec 2004 07:50:32 +0000 (GMT)
Received: from konvergencia.hu (konvergencia.hu [195.228.254.188]) by mx1.FreeBSD.org (Postfix) with ESMTP id AC81243D1D for ; Tue, 21 Dec 2004 07:50:31 +0000 (GMT) (envelope-from mkenyeres@konvergencia.hu)
Received: from [127.0.0.25] (helo=localhost) by konvergencia.hu with esmtp (Exim 4.10) id 1CgerM-000K63-00 for freebsd-security@freebsd.org; Tue, 21 Dec 2004 07:55:08 +0000
Received: from konvergencia.hu ([127.0.0.25]) by localhost (kavegep.konvergencia.hu [127.0.0.25]) (amavisd-new, port 10024) with ESMTP id 75357-05 for ; Tue, 21 Dec 2004 08:55:07 +0100 (CET)
Received: from 35.144-183-adsl-pool.axelero.hu ([81.183.144.35]) by konvergencia.hu with asmtp (TLSv1:RC4-MD5:128) (Exim 4.10) id 1CgerL-000K5y-00 for freebsd-security@freebsd.org; Tue, 21 Dec 2004 07:55:07 +0000
From: Marton Kenyeres
Organization: KVG Konvergencia Kft.
To: freebsd-security@freebsd.org
Date: Tue, 21 Dec 2004 08:50:25 +0100
User-Agent: KMail/1.7
References: <6.2.0.14.2.20041220142255.06260ca0@localhost> <20041220221928.GA2698@sourcefire.com> <6.2.0.14.2.20041220191915.0531e798@localhost>
In-Reply-To: <6.2.0.14.2.20041220191915.0531e798@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200412210850.25244.mkenyeres@konvergencia.hu>
X-Virus-Scanned: by amavisd-new at konvergencia.hu
Subject: Re: chroot-ing users coming in via SSH and/or SFTP?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Tue, 21 Dec 2004 07:50:32 -0000

On Tuesday 21 December 2004 03:30, Brett Glass wrote:
> At 03:19 PM 12/20/2004, Nigel Houghton wrote:
> >Take a look at the Jail project, you'll find it here...
> >
> > http://www.jmcresearch.com/projects/jail/
> >
> >..and in ports/sysutils/ along with some other jail tools, it may
> >provide some of the features you are looking for.
>
> Looks useful. (Shame it's GPLed.) In any case, it seems to me that creation of a jail the way this tool does it (and the way most people have to do it in general) requires a lot of redundant copies of files. Wouldn't it be neat if there were a type of link (not quite soft, not quite hard; call it "firm") that would let you link to the current master copies of executables (rather than copying them) but not let the inmates out of their jails? Hard links have the disadvantage that they're broken when you upgrade an executable; soft links can't be used because, well, you're in a jail. The type of link I have in mind would be symbolic but resolved by the system behind the scenes; from inside the jail it wouldn't look like a link.
>
> --Brett

This can be done with nullfs, unionfs or nfs over the loopback interface.

BTW, hard drives are quite cheap nowadays, so the main problem with redundant copies is not the space they waste, it's that they are hard to manage. IMHO `firm` links won't help you a bit.

m.
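A concrete version of the nullfs approach Marton describes, added here as an example and not part of the thread: the script generates read-only nullfs fstab(5) entries that expose the host's master copies of /bin, /lib and so on under a jail root (assumed to be /jail/sftp, a hypothetical path), so an upgrade on the host is seen inside the jail without copying, and it audits mount(8) output so a shared directory that was accidentally mounted writable is caught.

```shell
#!/bin/sh
# Added example (not from the thread): share master copies of system
# directories into a jail with read-only nullfs mounts instead of copying
# them, and audit that none of those mounts ended up writable.
# Assumed jail root: /jail/sftp (hypothetical path).

# Print fstab(5) lines that mount each host directory read-only at the same
# relative path under the jail root.  Usage: gen_jail_fstab JAILROOT DIR...
# Field order: source dir, mountpoint, fstype, options, dump, pass.
gen_jail_fstab() {
    jailroot=$1; shift
    for dir in "$@"; do
        case $dir in
            /*) ;;
            *) echo "gen_jail_fstab: $dir is not absolute" >&2; return 1 ;;
        esac
        printf '%s\t%s%s\tnullfs\tro\t0\t0\n' "$dir" "$jailroot" "$dir"
    done
}

# Read mount(8) output on stdin and print every nullfs mount below JAILROOT
# that is not read-only.  Returns 1 if any is found, 0 otherwise.
# Expected line shape: "/bin on /jail/sftp/bin (nullfs, local, read-only)"
audit_nullfs_ro() {
    jailroot=$1
    awk -v root="$jailroot/" '
        $2 == "on" && index($3, root) == 1 && $4 ~ /^\(nullfs/ {
            if ($0 !~ /read-only/) { print $3; bad++ }
        }
        END { exit (bad ? 1 : 0) }'
}

# Example run.  The fstab lines would go into /etc/fstab on the host; the
# mount(8) output below is constructed: /bin is shared read-only as intended,
# /usr/lib was mounted writable by mistake and gets reported.
gen_jail_fstab /jail/sftp /bin /lib /usr/bin /usr/lib
printf '%s\n' \
    '/dev/ada0p2 on / (ufs, local, journaled soft-updates)' \
    '/bin on /jail/sftp/bin (nullfs, local, read-only)' \
    '/usr/lib on /jail/sftp/usr/lib (nullfs, local)' \
    | audit_nullfs_ro /jail/sftp || echo 'writable nullfs mount(s) inside the jail'
```

A read-only nullfs mount keeps the inmates from modifying the host's binaries, but it does not stop them from running anything the directory contains, so share only the directories the jailed service actually needs.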
From owner-freebsd-security@FreeBSD.ORG Tue Dec 21 13:34:17 2004
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9003716A4CE for ; Tue, 21 Dec 2004 13:34:17 +0000 (GMT)
Received: from virtual.micronet.sk (smtp-r3.micronet.sk [213.215.96.238]) by mx1.FreeBSD.org (Postfix) with ESMTP id CFD8743D1F for ; Tue, 21 Dec 2004 13:34:14 +0000 (GMT) (envelope-from danger@wilbury.sk)
Received: from localhost (localhost [127.0.0.1]) by virtual.micronet.sk (Postfix) with ESMTP id 58BBF10E533; Tue, 21 Dec 2004 14:42:03 +0100 (CET)
Received: from virtual.micronet.sk ([127.0.0.1]) by localhost (virtual.micronet.sk [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 36750-07; Tue, 21 Dec 2004 14:41:59 +0100 (CET)
Received: from danger.mcrn.sk (danger.mcrn.sk [84.16.37.254]) by virtual.micronet.sk (Postfix) with ESMTP id 0A6CF10E54D; Tue, 21 Dec 2004 14:41:58 +0100 (CET)
Date: Tue, 21 Dec 2004 14:33:48 +0100
From: DanGer
X-Mailer: The Bat! (v3.0.1.33) Professional
X-Priority: 3 (Normal)
Message-ID: <993621639.20041221143348@wilbury.sk>
To: Nigel Houghton , freebsd-security@freebsd.org
In-Reply-To: <20041220221928.GA2698@sourcefire.com>
References: <6.2.0.14.2.20041220142255.06260ca0@localhost> <20041220212304.GV792@sourcefire.com> <6.2.0.14.2.20041220145924.0624c328@localhost> <20041220221928.GA2698@sourcefire.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: by amavisd-new at virtual.micronet.sk
Subject: Re[2]: chroot-ing users coming in via SSH and/or SFTP?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: DanGer
List-Id: Security issues [members-only posting]
X-List-Received-Date: Tue, 21 Dec 2004 13:34:17 -0000

Hi Nigel,

Monday, December 20, 2004, 11:19:29 PM, you wrote:

> On 0, Brett Glass allegedly wrote:
>> At 02:23 PM 12/20/2004, Nigel Houghton wrote:
>>
>> >Is there something wrong with using the scponly shell for the users?
>>
>> Mainly that I hadn't heard of it until you mentioned it. ;-)
>> Thank you! (I knew I could get a quick answer, if there was one,
>> from the list.)

> aha, ok, good.

>> I just tried building it (twice, because the first time I didn't
>> realize that it required a special variable to be defined before
>> it would set itself up to chroot users). I'll be testing it shortly
>> to be sure that the "jails" created by its sample script (which
>> creates both the user ID and the jail) have everything needed for
>> FreeBSD.
>>
>> It'd be nice if there were a more centralized "chroot" facility
>> that covered SSH, FTP, and other things as well.
>>
>> --Brett

> Take a look at the Jail project, you'll find it here...

> http://www.jmcresearch.com/projects/jail/

> ..and in ports/sysutils/ along with some other jail tools, it may
> provide some of the features you are looking for.

> +-----------------------------------------------------------------+
> Nigel Houghton Research Engineer Sourcefire Inc.
> Vulnerability Research Team
> Stewie: You know, I rather like this God fellow. Very theatrical,
> you know. Pestilence here, a plague there. Omnipotence
> ...gotta get me some of that.
maybe somebody should port this: http://chrootssh.sourceforge.net/index.php

it seems good :-)

-- 
Sincerely
+----------==/\/\==----------+  (__)     FreeBSD
| DanGer                     |  \\\'',)  The
| DanGer@IRCnet ICQ261701668 |    \/ \ ^ Power
| http://danger.rulez.sk     |    .\._/_) To
+----------==\/\/==----------+           Serve

From owner-freebsd-security@FreeBSD.ORG Mon Dec 20 13:40:58 2004
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2699A16A4CE for ; Mon, 20 Dec 2004 13:40:58 +0000 (GMT)
Received: from etustar.ze.tum.de (etustar.ze.tum.de [129.187.39.96]) by mx1.FreeBSD.org (Postfix) with ESMTP id 56F8543D53 for ; Mon, 20 Dec 2004 13:40:57 +0000 (GMT) (envelope-from estartu@etustar.ze.tum.de)
Received: from etustar.ze.tum.de (estartu@localhost.ze.tu-muenchen.de [127.0.0.1]) by etustar.ze.tum.de (8.12.11/8.12.11) with ESMTP id iBKDet6T099993 for ; Mon, 20 Dec 2004 14:40:55 +0100 (CET) (envelope-from estartu@etustar.ze.tum.de)
Received: (from estartu@localhost) by etustar.ze.tum.de (8.12.11/8.12.11/Submit) id iBKDetjS099992 for freebsd-security@freebsd.org; Mon, 20 Dec 2004 14:40:55 +0100 (CET) (envelope-from estartu)
Resent-Message-Id: <200412201340.iBKDetjS099992@etustar.ze.tum.de>
Date: Mon, 20 Dec 2004 10:56:28 +0100
From: Gerhard Schmidt
To: Bill Vermillion
Message-ID: <20041220095628.GA98945@augusta.de>
References: <20041217120138.7A89116A4D2@hub.freebsd.org> <20041217145315.GB68582@wjv.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="T4sUOijqQbZv57TR"
Content-Disposition: inline
In-Reply-To: <20041217145315.GB68582@wjv.com>
User-Agent: Mutt/1.4.2.1i
Resent-From:
estartu@augusta.de
Resent-Date: Mon, 20 Dec 2004 14:40:55 +0100
Resent-To: freebsd-security@freebsd.org
X-Mailman-Approved-At: Tue, 21 Dec 2004 13:48:34 +0000
Subject: Re: Strange command histories in hacked shell history
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Mon, 20 Dec 2004 13:40:58 -0000

On Fri, Dec 17, 2004 at 09:53:15AM -0500, Bill Vermillion wrote:
> > Message: 1
> > Date: Thu, 16 Dec 2004 20:31:05 +0800
> > From: Ganbold
> > Subject: Strange command histories in hacked shell server
>
> Just a minor comment on one portion of your message.
>
> [All deleted except the pertinent part - wjv]
>
> > Machine is configured in such a way that everyone can create an account themselves.
> > Some user dir permissions:
> > ...
> > drwxr-xr-x  2 root      wheel   512 Mar 29  2004 new
> > drwx------  3 tamiraad  unix    512 Apr  9  2004 tamiraad
> > drwxr-xr-x  6 tsgan     tsgan  1024 Dec 16 17:51 tsgan
> > drwx------  4 tugstugi  unix    512 Dec 13 20:34 tugstugi
> > drwxr-xr-x  5 unix      unix    512 Dec 13 12:37 unix
> > ...
> > User should log on as new with password new to create an account.
>
> > Accounting is enabled and kern.securelevel is set to 2. Only one
> > account 'tsgan' is in wheel group and only tsgan can become root
> > using su.
>
> I've asked others before and never got a real answer on the design
> of 'su' which to my way of thinking has a security hole that should
> be fixed.
>
> su checks the EUID of the user to see if they are in 'wheel' to
> enable them to su to root. It would seem to me it should
> use the UID.
>
> In your case if the 'tsgan' account does not have a secure
> password, and someone breaches the 'tsgan' account in any manner, such
> as a SUID tsgan as I see it, then that user who cracked the 'tsgan'
> account can su to root.
>
> So in your case there is the possibility that someone else
> su'ed to 'tsgan' and then su'ed to root.
>
> Can anyone explain why su does not use the UID from the login
> instead of the EUID ? It strikes me as a security hole, but I'm no
> security expert so explanations either way would be welcomed.

I'm not a security expert, but if someone has the Username/Password for an Account that can su to root, where is the point of disallowing him to su to this user and then to su? You can't prevent him from directly logging in as this User and then using su. Therefore there is no gain in security, just a drawback in usefulness. I use this often to get a rootshell on an Xsession from a user who can't su to root.

Bye
Estartu

----------------------------------------------------------------------------
Gerhard Schmidt      | Nick : estartu      IRC : Estartu   |
Fischbachweg 3       |                                     | PGP Public Key
86856 Hiltenfingen   | Privat: estartu@augusta.de          | auf Anfrage/
Germany              |                                     | on Request

From owner-freebsd-security@FreeBSD.ORG Tue Dec 21 15:10:48 2004
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0F3DD16A549 for ; Tue, 21 Dec 2004 15:10:48 +0000 (GMT)
Received:
from etustar.ze.tum.de (etustar.ze.tum.de [129.187.39.96]) by mx1.FreeBSD.org (Postfix) with ESMTP id 492A243D41 for ; Tue, 21 Dec 2004 15:10:47 +0000 (GMT) (envelope-from estartu@etustar.ze.tum.de)
Received: from etustar.ze.tum.de (estartu@localhost.ze.tu-muenchen.de [127.0.0.1]) by etustar.ze.tum.de (8.12.11/8.12.11) with ESMTP id iBLFAkYZ011643 for ; Tue, 21 Dec 2004 16:10:46 +0100 (CET) (envelope-from estartu@etustar.ze.tum.de)
Received: (from estartu@localhost) by etustar.ze.tum.de (8.12.11/8.12.11/Submit) id iBLFAknQ011642 for freebsd-security@freebsd.org; Tue, 21 Dec 2004 16:10:46 +0100 (CET) (envelope-from estartu)
Resent-Message-Id: <200412211510.iBLFAknQ011642@etustar.ze.tum.de>
Date: Tue, 21 Dec 2004 15:57:06 +0100
From: Gerhard Schmidt
To: Bill Vermillion
Message-ID: <20041221145706.GA5694@augusta.de>
References: <20041217120138.7A89116A4D2@hub.freebsd.org> <20041217145315.GB68582@wjv.com> <20041220095628.GA98945@augusta.de> <20041220171836.GC81898@wjv.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="jI8keyz6grp/JLjh"
Content-Disposition: inline
In-Reply-To: <20041220171836.GC81898@wjv.com>
User-Agent: Mutt/1.4.2.1i
Resent-From: estartu@augusta.de
Resent-Date: Tue, 21 Dec 2004 16:10:45 +0100
Resent-To: freebsd-security@freebsd.org
Subject: Re: Strange command histories in hacked shell history
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Tue, 21 Dec 2004 15:10:49 -0000

On Mon, Dec 20, 2004 at 12:18:36PM -0500, Bill Vermillion wrote:
> While normally not able to pour water out of a boot with
> instructions on the heel, on Mon, Dec 20, 2004 at 10:56
> our dear friend
> Gerhard Schmidt uttered this load of codswallop:

Offending other people isn't funny and totally out of place on this List.

> > On Fri, Dec 17, 2004 at 09:53:15AM -0500, Bill Vermillion wrote:
>
> [much deleted - wjv]
>
> > > Can anyone explain why su does not use the UID from the login
> > > instead of the EUID ? It strikes me as a security hole, but I'm no
> > > security expert so explanations either way would be welcomed.
>
> > I'm not a security expert, but if someone has the
> > Username/Password for an Account that can su to root. Where is
> > the point of disallowing him to su to this user and then to su.
> > You can't prevent him from directly logging in as this User
> > and then use su. Therefore there is no gain in security just a
> > drawback in usefulness. I use this often to get a rootshell on
> > an Xsession from a user who can't su to root.
>
> You can limit the access for the person who has wheel/su
> privileges by running sshd and then permitting connections only
> from certain IPs or IP blocks. So another person is severely
> restricted from logging in as this user even if they have cracked
> that person's password. But once the cracker is in the system they
> can attempt breaking the password on a local basis, and then attack
> the root system.

With reasonable passwords for accounts able to su to root you should be able to detect any local cracking activity before they are able to crack the password.

> I think the comment one other person made about limiting the su
> stack to 1, so that you can not su to an account and then su to
> another account is a good approach.
OK, then the cracker uses login to change the user and then su to root. Where is the improvement in security?

> Considering the HUGE amount of attempted SSH logins I see on my
> servers from all over the world, with most coming from Korea,
> China, and lately Brazil, to add to those from Germany and Russia
> [just some I recall from the whois queries] anything we can do
> to improve the security is a step forward.

Me too. But I'm not worried by them. I'm more worried by the connects that don't try to login.

> In server environments security far outweighs all other
> considerations IMO.

Then you should consider pulling the main power and network plugs. This will improve system security to new dimensions.

There should be a balance between security and comfort. I see your point, but FreeBSD isn't a server-only operating system. I use FreeBSD as desktop OS on all our Workstations and Servers. Maybe this should be tunable.

Bye
Estartu

----------------------------------------------------------------------------
Gerhard Schmidt      | Nick : estartu      IRC : Estartu   |
Fischbachweg 3       |                                     | PGP Public Key
86856 Hiltenfingen   | Privat: estartu@augusta.de          | auf Anfrage/
Germany              |                                     | on request

From owner-freebsd-security@FreeBSD.ORG Tue Dec 21 16:50:29 2004
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0CCCF16A4CE for ; Tue, 21 Dec 2004 16:50:29 +0000 (GMT)
Received: from
serv03.inetworx.ch (serv03.inetworx.ch [193.17.199.23]) by mx1.FreeBSD.org (Postfix) with ESMTP id 77D9F43D1F for ; Tue, 21 Dec 2004 16:50:28 +0000 (GMT) (envelope-from dev@eth0.ch)
Received: from localhost (localhost.localdomain [127.0.0.1]) by serv03.inetworx.ch (Postfix) with ESMTP id 036D5252D6E for ; Tue, 21 Dec 2004 17:50:27 +0100 (CET)
Received: from serv03.inetworx.ch ([127.0.0.1]) by localhost (serv03.inetworx.ch [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 17867-02-6 for ; Tue, 21 Dec 2004 17:50:26 +0100 (CET)
Received: from www.inetworx.ch (serv04.inetworx.ch [193.17.199.24]) by serv03.inetworx.ch (Postfix) with ESMTP id BE150252D63 for ; Tue, 21 Dec 2004 17:50:26 +0100 (CET)
Received: from 217.162.71.141 (SquirrelMail authenticated user dev.eth0); by www.inetworx.ch with HTTP; Tue, 21 Dec 2004 17:50:26 +0100 (CET)
Message-ID: <1703.217.162.71.141.1103647826.squirrel@217.162.71.141>
In-Reply-To: <993621639.20041221143348@wilbury.sk>
References: <6.2.0.14.2.20041220142255.06260ca0@localhost> <20041220212304.GV792@sourcefire.com> <6.2.0.14.2.20041220145924.0624c328@localhost> <20041220221928.GA2698@sourcefire.com> <993621639.20041221143348@wilbury.sk>
Date: Tue, 21 Dec 2004 17:50:26 +0100 (CET)
From: "David E. Meier"
To: freebsd-security@freebsd.org
User-Agent: SquirrelMail/1.4.3a
X-Mailer: SquirrelMail/1.4.3a
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-Virus-Scanned: by amavisd-new at inetworx.ch
Subject: Re: Re[2]: chroot-ing users coming in via SSH and/or SFTP?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Tue, 21 Dec 2004 16:50:29 -0000

> maybe somebody should port this: http://chrootssh.sourceforge.net/index.php
>
> it seems good :-)

Just go to /usr/ports/security/openssh-portable and run:

# make -DWITH_OPENSSH_CHROOT install

The portable version of OpenSSH contains this patch already.

Dave

From owner-freebsd-security@FreeBSD.ORG Wed Dec 22 06:39:02 2004
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 87D9D16A4CE for ; Wed, 22 Dec 2004 06:39:02 +0000 (GMT)
Received: from smtp812.mail.sc5.yahoo.com (smtp812.mail.sc5.yahoo.com [66.163.170.82]) by mx1.FreeBSD.org (Postfix) with SMTP id 396F143D3F for ; Wed, 22 Dec 2004 06:39:02 +0000 (GMT) (envelope-from dr2867@pacbell.net)
Received: from unknown (HELO ?192.168.0.248?)
(dr2867@pacbell.net@68.126.215.231 with plain) by smtp812.mail.sc5.yahoo.com with SMTP; 22 Dec 2004 06:39:02 -0000
Message-ID: <41C91696.6030507@pacbell.net>
Date: Tue, 21 Dec 2004 22:39:18 -0800
From: Daniel Rudy
Organization: SBC Internet Services
User-Agent: Mozilla/5.0 (X11R6; UNIX; FreeBSD/i386 4.10-RELEASE-p5; en-US; ja-JP; rv:1.7.5) Gecko/20041217 MultiZilla/1.6.2.0c
X-Accept-Language: en-us, en, ja
MIME-Version: 1.0
To: bv@wjv.com
References: <20041217120138.7A89116A4D2@hub.freebsd.org> <20041217145315.GB68582@wjv.com> <20041220095628.GA98945@augusta.de> <20041220171836.GC81898@wjv.com>
In-Reply-To: <20041220171836.GC81898@wjv.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
cc: freebsd-security@freebsd.org
Subject: Re: Strange command histories in hacked shell history
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: dr2867@pacbell.net
List-Id: Security issues [members-only posting]
X-List-Received-Date: Wed, 22 Dec 2004 06:39:02 -0000

At about the time of 12/20/2004 9:18 AM, Bill Vermillion stated the following:
> While normally not able to pour water out of a boot with
> instructions on the heel, on Mon, Dec 20, 2004 at 10:56
> our dear friend Gerhard Schmidt uttered this load of codswallop:
>
>>On Fri, Dec 17, 2004 at 09:53:15AM -0500, Bill Vermillion wrote:
>
> [much deleted - wjv]
>
>>>Can anyone explain why su does not use the UID from the login
>>>instead of the EUID ? It strikes me as a security hole, but I'm no
>>>security expert so explanations either way would be welcomed.
>
>>I'm not a security expert, but if someone has the
>>Username/Password for an Account that can su to root. Where is
>>the point of disallowing him to su to this user and then to su.
>>You can't prevent him from directly logging in as this User
>>and then use su.
>>Therefore there is no gain in security just a
>>drawback in usefulness. I use this often to get a rootshell on
>>an Xsession from a user who can't su to root.
>
> You can limit the access for the person who has wheel/su
> privileges by running sshd and then permitting connections only
> from certain IPs or IP blocks. So another person is severely
> restricted from logging in as this user even if they have cracked
> that person's password. But once the cracker is in the system they
> can attempt breaking the password on a local basis, and then attack
> the root system.
>
> I think the comment one other person made about limiting the su
> stack to 1, so that you can not su to an account and then su to
> another account is a good approach.
>
> Considering the HUGE amount of attempted SSH logins I see on my
> servers from all over the world, with most coming from Korea,
> China, and lately Brazil, to add to those from Germany and Russia
> [just some I recall from the whois queries] anything we can do
> to improve the security is a step forward.
>
> In server environments security far outweighs all other
> considerations IMO.
>
> Bill
>

Hey Bill, I have to agree with this. But, if you don't mind my asking, why do you allow SSH access from all over the planet? For a server, why not restrict the source IP to at least the same country that you are in? Or even to the IP address blocks of the few people who need access to it?
-- 
Daniel Rudy

From owner-freebsd-security@FreeBSD.ORG Wed Dec 22 20:44:41 2004
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B55F916A4D1 for ; Wed, 22 Dec 2004 20:44:41 +0000 (GMT)
Received: from cowbert.2y.net (d46h180.public.uconn.edu [137.99.46.180]) by mx1.FreeBSD.org (Postfix) with SMTP id 3470943D45 for ; Wed, 22 Dec 2004 20:44:41 +0000 (GMT) (envelope-from sirmoo@cowbert.net)
Received: (qmail 41199 invoked by uid 1001); 22 Dec 2004 20:44:40 -0000
Date: Wed, 22 Dec 2004 15:44:40 -0500
From: "Peter C. Lai"
To: Daniel Rudy
Message-ID: <20041222204440.GH24545@cowbert.net>
References: <20041217120138.7A89116A4D2@hub.freebsd.org> <20041217145315.GB68582@wjv.com> <20041220095628.GA98945@augusta.de> <20041220171836.GC81898@wjv.com> <41C91696.6030507@pacbell.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <41C91696.6030507@pacbell.net>
User-Agent: Mutt/1.5.6i
cc: bv@wjv.com
cc: freebsd-security@freebsd.org
Subject: Re: Strange command histories in hacked shell history
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Wed, 22 Dec 2004 20:44:41 -0000

On Tue, Dec 21, 2004 at 10:39:18PM -0800, Daniel Rudy wrote:
> Hey Bill, I have to agree with this. But, if you don't mind my asking,
> why do you allow SSH access from all over the planet? For a server, why
> not restrict the source IP to at least the same country that you are in?
> Or even to the IP address blocks of the few people who need access to it?
>
> --
> Daniel Rudy

This is beyond the scope of this list, but I thought that he was running a shellbox where people could create users by themselves.

-- 
Peter C. Lai
University of Connecticut Dept.
of Molecular and Cell Biology
Yale University School of Medicine
SenseLab | Research Assistant
http://cowbert.2y.net/

From owner-freebsd-security@FreeBSD.ORG Sat Dec 25 17:39:18 2004
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AB9C016A4CE for ; Sat, 25 Dec 2004 17:39:18 +0000 (GMT)
Received: from dreadlock.phreakout.net (dreadlock.phreakout.net [12.45.16.51]) by mx1.FreeBSD.org (Postfix) with SMTP id 273C943D39 for ; Sat, 25 Dec 2004 17:39:18 +0000 (GMT) (envelope-from ababurko@adelphia.net)
Received: (qmail 2375 invoked from network); 25 Dec 2004 17:42:39 -0000
Received: from 24-52-224-96.kntnny.adelphia.net (HELO ?192.168.102.100?) (24.52.224.96) by dreadlock.phreakout.net with SMTP; 25 Dec 2004 17:42:39 -0000
Message-ID: <41CDA5C0.3000105@adelphia.net>
Date: Sat, 25 Dec 2004 12:39:12 -0500
From: Bob Ababurko
User-Agent: Mozilla Thunderbird 0.9 (Windows/20041103)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: odd log mesage...looks serious
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Sat, 25 Dec 2004 17:39:18 -0000

hello all-

and a happy holiday to all you geeks that are in front of the crt!

I found these log messages in my logs and I am not sure what some of them signify.
Dec 23 19:08:39 smtp kernel: Limiting closed port RST response from 221 to 200 packets/sec
Dec 23 19:08:40 smtp kernel: Limiting closed port RST response from 241 to 200 packets/sec
Dec 24 05:32:34 smtp kernel: fxp0: promiscuous mode enabled
Dec 24 05:32:49 smtp kernel: fxp0: promiscuous mode disabled
Dec 24 05:33:01 smtp kernel: fxp0: promiscuous mode enabled
Dec 24 08:18:44 smtp kernel: fxp0: promiscuous mode disabled
Dec 24 12:48:57 smtp kernel: Limiting closed port RST response from 201 to 200 packets/sec

I understand the "Limiting closed port RST response". ....but what are the promiscuous mode enabled and disabled on my NIC? I am not doing this, so who or what is doing this. Or better yet, what does this mean? I have a fear that this one is serious. So what I need is some direction into finding out how this occurs and what I can do to stop it.

thanks,
Bob

From owner-freebsd-security@FreeBSD.ORG Sat Dec 25 17:53:10 2004
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7823816A4CE for ; Sat, 25 Dec 2004 17:53:10 +0000 (GMT)
Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8AD0E43D49 for ; Sat, 25 Dec 2004 17:53:08 +0000 (GMT) (envelope-from brett@lariat.org)
Received: from runaround.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id KAA09615; Sat, 25 Dec 2004 10:52:55 -0700 (MST)
X-message-flag: Warning! Use of Microsoft Outlook renders your system susceptible to Internet worms.
Message-Id: <6.2.0.14.2.20041225104714.05f27c58@localhost>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.0.14
Date: Sat, 25 Dec 2004 10:52:52 -0700
To: Bob Ababurko , freebsd-security@freebsd.org
From: Brett Glass
In-Reply-To: <41CDA5C0.3000105@adelphia.net>
References: <41CDA5C0.3000105@adelphia.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: Re: odd log mesage...looks serious
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 25 Dec 2004 17:53:10 -0000

The most common situation in which you'll see such messages is when a program (often tcpdump) is sniffing packets on an interface via bpf. (tcpdump normally shifts the interface into promiscuous mode so it can see every packet an interface receives, even if it's not bound for that machine.) If you were not running tcpdump or something similar, it's possible that a sniffer has been planted on your machine.

--Brett Glass

At 10:39 AM 12/25/2004, Bob Ababurko wrote:
>hello all-
>
>and a happy holiday to all you geeks that are in front of the crt!
>
>I found these log messages in my logs and I am not sure what some of them signify.
>
>Dec 23 19:08:39 smtp kernel: Limiting closed port RST response from 221 to 200 packets/sec
>Dec 23 19:08:40 smtp kernel: Limiting closed port RST response from 241 to 200 packets/sec
>Dec 24 05:32:34 smtp kernel: fxp0: promiscuous mode enabled
>Dec 24 05:32:49 smtp kernel: fxp0: promiscuous mode disabled
>Dec 24 05:33:01 smtp kernel: fxp0: promiscuous mode enabled
>Dec 24 08:18:44 smtp kernel: fxp0: promiscuous mode disabled
>Dec 24 12:48:57 smtp kernel: Limiting closed port RST response from 201 to 200 packets/sec
>
>I understand the "Limiting closed port RST response". ....but what are the promiscuous mode enabled and disabled on my NIC? I am not doing this, so who or what is doing this? Or better yet, what does this mean? I have a fear that this one is serious. So what I need is some direction into finding out how this occurs and what I can do to stop it.
>
>thanks,
>Bob
>_______________________________________________
>freebsd-security@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-security
>To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
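One way to triage kernel messages like the ones above, as an added example that is not part of the thread: a small Python parser that pairs each "promiscuous mode enabled" with the matching "disabled" per interface, so you can see how long something was sniffing on each NIC and whether it still is. The sample log reuses the lines from Bob's message plus one constructed line for a second interface; the year is an assumption, since syslog timestamps do not carry one.

```python
import re
from datetime import datetime

# Constructed sample: the kernel lines from the message above, plus one
# still-open window on em0 (added here to exercise the unmatched case).
SAMPLE_LOG = """\
Dec 23 19:08:39 smtp kernel: Limiting closed port RST response from 221 to 200 packets/sec
Dec 24 05:32:34 smtp kernel: fxp0: promiscuous mode enabled
Dec 24 05:32:49 smtp kernel: fxp0: promiscuous mode disabled
Dec 24 05:33:01 smtp kernel: fxp0: promiscuous mode enabled
Dec 24 08:18:44 smtp kernel: fxp0: promiscuous mode disabled
Dec 24 12:48:57 smtp kernel: Limiting closed port RST response from 201 to 200 packets/sec
Dec 24 13:00:00 smtp kernel: em0: promiscuous mode enabled
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
    r"(?P<iface>\w+): promiscuous mode (?P<state>enabled|disabled)$"
)


def promisc_windows(log_text, year=2004):
    """Pair 'promiscuous mode enabled/disabled' kernel messages per interface.

    Returns a list of (iface, start, end, seconds). end and seconds are None
    when the interface was still in promiscuous mode at the end of the log;
    start is None for a 'disabled' with no preceding 'enabled' (rotated or
    tampered log). Syslog lines carry no year, so the caller supplies one
    (2004 is an assumption matching the thread's dates).
    """
    open_since = {}
    windows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated kernel message, e.g. the RST rate limiter
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        iface, state = m["iface"], m["state"]
        if state == "enabled":
            open_since[iface] = ts
        elif iface in open_since:
            start = open_since.pop(iface)
            windows.append((iface, start, ts, int((ts - start).total_seconds())))
        else:
            windows.append((iface, None, ts, None))
    for iface, start in open_since.items():
        windows.append((iface, start, None, None))  # still sniffing at log end
    return windows


if __name__ == "__main__":
    for iface, start, end, secs in promisc_windows(SAMPLE_LOG):
        print(iface, start, end, secs)
```

A window of a few seconds next to one of several hours, as in Bob's log, is the pattern to compare against whatever legitimate captures (tcpdump runs, a monitoring daemon) were actually scheduled on that host.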
