From owner-freebsd-security@FreeBSD.ORG Sun Nov 20 22:58:05 2005
From: Timothy Smith
Cc: freebsd-security@freebsd.org
Date: Mon, 21 Nov 2005 08:58:02 +1000
Subject: FreeBSD-SA-05:21.openssl and 6.0
Message-ID: <4380FF7A.8020506@open-networks.net>
In-Reply-To: <3.0.1.32.20051117232057.00a96750@pop.redshift.com>

FreeBSD-SA-05:21.openssl.asc lists this advisory as for all releases,
yet the patch only applies up to 5.4? Does this mean 6 release isn't
affected?
From owner-freebsd-security@FreeBSD.ORG Sun Nov 20 23:04:51 2005
From: Jonathan Glaschke
To: Timothy Smith
Cc: freebsd-security@freebsd.org
Date: Mon, 21 Nov 2005 00:03:57 +0100
Subject: Re: FreeBSD-SA-05:21.openssl and 6.0
Message-ID: <20051120230357.GA27803@kuckucksei.jogla>
In-Reply-To: <4380FF7A.8020506@open-networks.net>

On Mon, Nov 21, 2005 at 08:58:02AM +1000, Timothy Smith wrote:
> FreeBSD-SA-05:21.openssl.asc lists this advisory as for all releases,
> yet the patch only applies up to 5.4? Does this mean 6 release isn't
> affected?

FreeBSD 6.0 was released on 2005-11-04. FreeBSD-SA-05:21.openssl.asc was
released 2005-10-11. There was no FreeBSD 6 release when this advisory
was released. Perhaps a beta version of FreeBSD 6 was affected, but then
it would have been corrected in the release.

Jonathan

--
| /"\ ASCII Ribbon     | Jonathan Glaschke - Lorenz-Goertz-Straße 71,
| \ / Campaign Against | 41238 Moenchengladbach, Germany;
|  X  HTML In Mail     | jabber: jogla@jabber.ccc.de
| / \ And News         | http://jonathan-glaschke.de/

From owner-freebsd-security@FreeBSD.ORG Sun Nov 20 23:07:13 2005
From: Kris Kennaway
To: Timothy Smith
Cc: freebsd-security@freebsd.org
Date: Sun, 20 Nov 2005 18:06:49 -0500
Subject: Re: FreeBSD-SA-05:21.openssl and 6.0
Message-ID: <20051120230649.GA95697@xor.obsecurity.org>
In-Reply-To: <4380FF7A.8020506@open-networks.net>

On Mon, Nov 21, 2005 at 08:58:02AM +1000, Timothy Smith wrote:
> FreeBSD-SA-05:21.openssl.asc lists this advisory as for all releases,
> yet the patch only applies up to 5.4? Does this mean 6 release isn't
> affected?

With all FreeBSD advisories, they only apply to releases made prior to
the date of release. This means that FreeBSD 6, 7, 8, 9 and 10, which
were not released prior to the advisory, are all not affected by old
security issues :-)

Kris

From owner-freebsd-security@FreeBSD.ORG Mon Nov 21 08:33:15 2005
From: Marian Hettwer
To: ray@redshift.com
Date: Mon, 21 Nov 2005 09:33:07 +0100
Message-ID: <43818643.5000206@kernel32.de>
In-Reply-To: <3.0.1.32.20051117232057.00a96750@pop.redshift.com>
Cc: Timothy Smith, freebsd-security@freebsd.org
Subject: Re: Need urgent help regarding security

Hi there,

ray@redshift.com wrote:
>
> Also, if you have access to the router, it's handy to re-write traffic from a
> higher public port down to port 22 on the server, since that will trip up anyone
> doing scans looking for a connect on port 22 across a large number of IP's.
>
No. That's security by obscurity and doesn't make your system even a wee
bit more secure.
Disable root login via ssh (like already mentioned), enforce public-key
authentication and maybe even go with OPIE.

> Anyway, just a couple of ideas I thought might be helpful while on the subject
> of SSH hardening :-)
>
all of them were about hardening, except the security by obscurity
"put-the-sshd-on-another-port" advice ;)
don't do that.

Regards,
Marian

From owner-freebsd-security@FreeBSD.ORG Mon Nov 21 08:52:27 2005
From: Peter Jeremy
To: Marian Hettwer
Cc: freebsd-security@freebsd.org, ray@redshift.com
Date: Mon, 21 Nov 2005 19:52:21 +1100
Subject: Re: Need urgent help regarding security
Message-ID: <20051121085221.GA4267@cirb503493.alcatel.com.au>
In-Reply-To: <43818643.5000206@kernel32.de>

On Mon, 2005-Nov-21 09:33:07 +0100, Marian Hettwer wrote:
> ray@redshift.com wrote:
>> Also, if you have access to the router, it's handy to re-write
>> traffic from a higher public port down to port 22 on the server,
>> since that will trip up anyone doing scans looking for a connect on
>> port 22 across a large number of IP's.
>>
> No. That's security by obscurity and doesn't make your system even a wee
> bit more secure.

It depends what you are guarding against. If someone wants to get into
_your_ system then it's worthless. OTOH, "you don't have to run faster
than the bear, just faster than someone else": Moving your ssh access
off port 22 means that someone doing a network scan of port 22 won't
see your system. This is reasonable protection against script kiddies.

Definitely, don't rely on it as your only security. But, IMHO, it is
worth doing in addition to other security measures.

--
Peter Jeremy

From owner-freebsd-security@FreeBSD.ORG Mon Nov 21 09:16:04 2005
From: Marian Hettwer
To: Peter Jeremy
Cc: freebsd-security@freebsd.org, ray@redshift.com
Date: Mon, 21 Nov 2005 10:15:53 +0100
Subject: Re: Need urgent help regarding security
Message-ID: <43819049.5090107@kernel32.de>
In-Reply-To: <20051121085221.GA4267@cirb503493.alcatel.com.au>

Hi there,

Peter Jeremy wrote:
> On Mon, 2005-Nov-21 09:33:07 +0100, Marian Hettwer wrote:
>
>> ray@redshift.com wrote:
>>
>>> Also, if you have access to the router, it's handy to re-write
>>> traffic from a higher public port down to port 22 on the server,
>>> since that will trip up anyone doing scans looking for a connect on
>>> port 22 across a large number of IP's.
>>>
>>
>> No. That's security by obscurity and doesn't make your system even a wee
>> bit more secure.
>
> It depends what you are guarding against. If someone wants to get into
> _your_ system then it's worthless. OTOH, "you don't have to run faster
> than the bear, just faster than someone else": Moving your ssh access
> off port 22 means that someone doing a network scan of port 22 won't
> see your system. This is reasonable protection against script kiddies.
>
Where is the protection, or rather the danger in being "visible" to
script kiddies? There's no security issue valid for script kiddies which
wouldn't be valid for any other attacker too.
The main question is: Where is the danger in script kiddies with their
brute force attacks?
I guess it's mainly the annoying fact that your logfile gets
unreadable. If that's the problem: use logsurfer or something similar to
analyze the logfile.
You just don't get more secure by moving the sshd to a different port
than port 22. It's like saying "I block pings" (which probably means,
hopefully, just blocking ICMP ECHO_REPLY and not ICMP altogether), so
script kiddy can "see" my box. Crap, it won't help you and doesn't make
your system more secure :-)

> Definitely, don't rely on it as your only security. But, IMHO, it is
> worth doing in addition to other security measures.

I still disagree :)
It doesn't make your setup more secure. Not a bit. It may keep your
logfiles a bit cleaner, but there are other ways to accomplish that.

Just my opinion, of course :)

- Marian

From owner-freebsd-security@FreeBSD.ORG Mon Nov 21 10:10:22 2005
From: Marian Hettwer
To: Bitbucket
Cc: freebsd-security@freebsd.org, ray@redshift.com
Date: Mon, 21 Nov 2005 11:10:07 +0100
Subject: Re: Need urgent help regarding security
Message-ID: <43819CFF.7010608@kernel32.de>
In-Reply-To: <003201c5ee82$920aaee0$6501a8c0@llama>

Hej there,

Bitbucket wrote:
>
> I agree that this is not good security. It does NOT make your system more
> secure.
ack :)

> But I stop short of saying it should not be done as I can see no
> detrimental effect to changing the port number. If it makes you sleep
> better at night then do it. It cannot hurt. Just don't RELY on it.
>
Well, it wouldn't make me sleep better at nights, since I know that
there's an unpatched sshd out there. And even if it would be on another
port, a non-Script-Kiddy could break in easily.
Apart from avoiding security by obscurity, you're right, you can do it.
If I'm responsible for several dozen boxes out there, I still couldn't
sleep at night, even though the sshd might be on another port than 22 :)

Perhaps it winds down to: Do it on your private box, don't do it "at
work" :)

regards,
Marian

From owner-freebsd-security@FreeBSD.ORG Mon Nov 21 11:20:15 2005
From: Dag-Erling Smørgrav <des@des.no>
To: Brian Reichert
Cc: freebsd-security@freebsd.org, Mark Jayson Alvarez
Date: Mon, 21 Nov 2005 12:20:09 +0100
Subject: Re: Need urgent help regarding security
Message-ID: <864q66l02e.fsf@xps.des.no>
In-Reply-To: <20051117155429.GD38047@numachi.com>

Brian Reichert writes:
> I had a 4.9 box compromised through the ssh install (I'm certain it
> wasn't openssh, but the base install), and was running an irc server
> itself.

OpenSSH has been part of the base system since 4.0.

DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Mon Nov 21 12:26:55 2005
From: Jeremie Le Hen
To: Marian Hettwer
Cc: Peter Jeremy, ray@redshift.com, freebsd-security@freebsd.org
Date: Mon, 21 Nov 2005 13:26:21 +0100
Subject: Re: Need urgent help regarding security
Message-ID: <20051121122621.GA5197@obiwan.tataz.chchile.org>
In-Reply-To: <43819049.5090107@kernel32.de>

Hi,

Marian,

> Where is the protection, or rather the danger in being "visible" to
> script kiddies? There's no security issue valid for script kiddies which
> wouldn't be valid for any other attacker too.
> The main question is: Where is the danger in script kiddies with their
> brute force attacks?
> I guess it's mainly the annoying fact that your logfile gets
> unreadable. If that's the problem: use logsurfer or something similar to
> analyze the logfile.
> You just don't get more secure by moving the sshd to a different port
> than port 22.

Security is not absolute, as you surely know considering the fact you
seem to be quite sensitive to it.

I guess that most running sshd(8) instances are bound to port tcp/22. If
a group of hackers find a hole in OpenSSH's sshd(8) implementation in a
very early stage of the connection (IOW before authentication) but do
not disclose it - and only God knows how many undisclosed holes there
are - then one can figure they want to avail themselves of this hole by
working in collaboration with spammers or whatever. The best way they
can work for this purpose is creating a massive exploitation tool in
order to install as many spam agents as they can, before the hole is
disclosed. Not having your sshd(8) bound to port 22 would save you from
being exploited in this case.

Of course, if this particular group of hackers wants to defeat _your_
network, this measure won't prevent them from exploiting your sshd(8).

There is no need to involve kiddies, given that the tools they are using
would surely appear far after the correction of the hole in the next
OpenSSH release and all serious network administrators would have
upgraded their boxes.

Please, don't turn this thread into a troll.

Best regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

From owner-freebsd-security@FreeBSD.ORG Mon Nov 21 12:30:08 2005
From: ray@redshift.com
To: Marian Hettwer
Cc: Timothy Smith, freebsd-security@freebsd.org
Date: Mon, 21 Nov 2005 04:30:04 -0800
Subject: Re: Need urgent help regarding security
Message-ID: <3.0.1.32.20051121043004.00aa1490@pop.redshift.com>
In-Reply-To: <43818643.5000206@kernel32.de>

At 09:33 AM 11/21/2005 +0100, Marian Hettwer wrote:
| Hi there,
|
| ray@redshift.com wrote:
| >
| > Also, if you have access to the router, it's handy to re-write traffic from a
| > higher public port down to port 22 on the server, since that will trip up anyone
| > doing scans looking for a connect on port 22 across a large number of IP's.
| >
| No.
| That's security by obscurity and doesn't make your system even a wee
| bit more secure.
| Disable root login via ssh (like already mentioned), enforce public-key
| authentication and maybe even go with OPIE.
|
| > Anyway, just a couple of ideas I thought might be helpful while on the subject
| > of SSH hardening :-)
| >
| all of them were about hardening, except the security by obscurity
| "put-the-sshd-on-another-port" advice ;)
| don't do that.
|
| Regards,
| Marian

Okay, I'll give you that. However, if someone was only scanning port 22,
then it would help keep you out of the scan :)

Ray

From owner-freebsd-security@FreeBSD.ORG Mon Nov 21 12:32:43 2005
From: ray@redshift.com
To: Peter Jeremy, Marian Hettwer
Cc: freebsd-security@freebsd.org
Date: Mon, 21 Nov 2005 04:32:38 -0800
Subject: Re: Need urgent help regarding security
Message-ID: <3.0.1.32.20051121043238.00aa1490@pop.redshift.com>
In-Reply-To: <20051121085221.GA4267@cirb503493.alcatel.com.au>

At 07:52 PM 11/21/2005 +1100, Peter Jeremy wrote:
| On Mon, 2005-Nov-21 09:33:07 +0100, Marian Hettwer wrote:
| >ray@redshift.com wrote:
| >>Also, if you have access to the router, it's handy to re-write
| >>traffic from a higher public port down to port 22 on the server,
| >>since that will trip up anyone doing scans looking for a connect on
| >>port 22 across a large number of IP's.
| >>
| >No. That's security by obscurity and doesn't make your system even a wee
| >bit more secure.
|
| It depends what you are guarding against. If someone wants to get into
| _your_ system then it's worthless. OTOH, "you don't have to run faster
| than the bear, just faster than someone else": Moving your ssh access
| off port 22 means that someone doing a network scan of port 22 won't
| see your system. This is reasonable protection against script kiddies.
|
| Definitely, don't rely on it as your only security. But, IMHO, it is
| worth doing in addition to other security measures.
| --
| Peter Jeremy

Thanks Peter. That was my thinking also. In other words, not as a
replacement for anything else, but just in case someone out there was
specifically scanning a lot of IP's on just port 22. Someone doing that
sort of targeted scanning would make me nervous and I would want to do
anything to avoid them. If someone was scanning "just for port 22
connects", my thinking was they probably had additional tools to go after
any connects on those ports.
Those aren't the sort of people I want to make scanning easy for :) Ray From owner-freebsd-security@FreeBSD.ORG Mon Nov 21 12:37:27 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 74B7E16A41F for ; Mon, 21 Nov 2005 12:37:27 +0000 (GMT) (envelope-from ray@redshift.com) Received: from outgoing.redshift.com (outgoing.redshift.com [207.177.231.8]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3CA2643D49 for ; Mon, 21 Nov 2005 12:37:27 +0000 (GMT) (envelope-from ray@redshift.com) Received: from workstation (216-228-19-21.dsl.redshift.com [216.228.19.21]) by outgoing.redshift.com (Postfix) with SMTP id 2BB5B97A3A; Mon, 21 Nov 2005 04:37:26 -0800 (PST) Message-Id: <3.0.1.32.20051121043723.00aa1490@pop.redshift.com> X-Mailer: na X-Sender: redshift.com Date: Mon, 21 Nov 2005 04:37:23 -0800 To: Marian Hettwer , Peter Jeremy From: ray@redshift.com In-Reply-To: <43819049.5090107@kernel32.de> References: <20051121085221.GA4267@cirb503493.alcatel.com.au> <3.0.1.32.20051117232057.00a96750@pop.redshift.com> <43818643.5000206@kernel32.de> <20051121085221.GA4267@cirb503493.alcatel.com.au> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Cc: freebsd-security@freebsd.org Subject: Re: Need urgent help regarding security X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 21 Nov 2005 12:37:27 -0000 At 10:15 AM 11/21/2005 +0100, Marian Hettwer wrote: | Hi there, | | Peter Jeremy wrote: | > On Mon, 2005-Nov-21 09:33:07 +0100, Marian Hettwer wrote: | > | >>ray@redshift.com wrote: | >> | >>>Also, if you have access to the router, it's handy to re-write | >>>traffic from a higher public port down to port 22 on the server, | >>>since 
| >>>that will trip up anyone doing scans looking for a connect on
| >>>port 22 across a large number of IP's.
| >>>
| >>
| >>No. That's security by obscurity and doesn't make your system even a wee
| >>bit more secure.
| >
| >
| > It depends what you are guarding against. If someone wants to get into
| > _your_ system then it's worthless. OTOH, "you don't have to run faster
| > than the bear, just faster than someone else": Moving your ssh access
| > off port 22 means that someone doing a network scan of port 22 won't
| > see your system. This is reasonable protection against script kiddies.
| >
| Where is the protection, or rather the danger in being "visible" to
| script kiddies? There's no security issue valid for script kiddies which
| wouldn't be valid for any other attacker too.
| The main question is: Where is the danger in script kiddies with their
| brute force attacks?
| I guess it's mainly the annoying fact that your logfile gets
| unreadable. If that's the problem: use logsurfer or something similar to
| analyze the logfile.
| You just don't get more secure by moving the sshd to a different port
| than port 22.

The point isn't to get more secure. You are correct by saying that moving the port # doesn't make anything more secure. But why make it easy for someone that might be doing a scan to find your SSH prompt during a scan that may be focused on ports 21, 22, 25, 80 and 110?

Along these same lines, we used to even re-compile sshd and remove the welcome message/version number in the connect. I know there are two schools of thought on broadcasting your version numbers on connections, but in the mid 90's, we did do that from time to time.
Anyway, to each their own :)

Ray

From owner-freebsd-security@FreeBSD.ORG Mon Nov 21 12:39:08 2005
From: Andriy Gapon
Date: Mon, 21 Nov 2005 14:38:58 +0200
To: freebsd-security@freebsd.org, freebsd-fs@freebsd.org
Subject: mount -u -r drops nosuid ?

Not sure if this is a bug or a feature, but it seems like a potential security risk: I have a ufs fs mounted rw+nosuid, then I needed to downgrade it to ro, so I executed mount -u -r on it - imagine my surprise when I found that the nosuid flag was removed as well. I know I could have used mount -u -r -o nosuid, but the present behavior seems to be non-obvious (update one flag, orthogonal flags dropped as well) and dangerously so.
System is 5.4-RELEASE-p3 i386

--
Andriy Gapon

From owner-freebsd-security@FreeBSD.ORG Mon Nov 21 13:14:14 2005
From: Marian Hettwer
Date: Mon, 21 Nov 2005 14:14:04 +0100
To: Jeremie Le Hen
Cc: Peter Jeremy, ray@redshift.com, freebsd-security@freebsd.org
Subject: Re: Need urgent help regarding security
Hi Jeremie,

Jeremie Le Hen wrote:
> Hi, Marian,
>
> Security is not absolute, as you surely know considering the fact you
> seem to be quite sensitive to it. I guess that most running sshd(8)
> are bound to port tcp/22. If a group of hackers find a hole in
> OpenSSH's sshd(8) implementation in a very early stage of the
> connection (IOW before authentication) but do not disclose it - and
> only God knows how many undisclosed holes there are - then one can
> figure they want to avail themselves of this hole by working in
> collaboration with spammers or whatever. The best way they can work
> for this purpose is creating a massive exploitation tool in order to
> install as many spam agents as they can, before the hole is disclosed.
> Not having your sshd(8) bound to port 22 would save you from being
> exploited in this case.
>
You're right with that assumption. And yes, given the above scenario, letting the sshd run on a different port would help. However, your scenario applies to any daemon listening on any port. What would you like to do? Moving httpd, smtpd and whoever to another port? :)
I'd rather say, use any tools available within FreeBSD to make your box as secure as you need it to be. I'm thinking of fine things like kern.securelevel for instance :)

> Of course, if this particular group of hackers wants to defeat _your_
> network, this measure won't prevent them from exploiting your sshd(8).
>
Right.

> There is no need to involve kiddies, given that the tools they are
> using would surely appear far after the correction of the hole in the
> next OpenSSH release and all serious network administrators would have
> upgraded their boxes.
>
Being confident that the OpenSSH guys are good developers too, I'm not that much afraid of the hackers you mentioned above (and of course no script-kiddies either) :-)

> Please, don't turn this thread into a troll.
>
It's definitely not my intention to troll. If somebody thinks that I do, I'm sorry in advance. I just have the strong feeling that moving a daemon to another port (where it doesn't belong) won't gain any security.

best regards,
Marian

From owner-freebsd-security@FreeBSD.ORG Mon Nov 21 13:16:57 2005
From: Marian Hettwer
Date: Mon, 21 Nov 2005 14:16:45 +0100
To: ray@redshift.com
Cc: Peter Jeremy, freebsd-security@freebsd.org
Subject: Re: Need urgent help regarding security

Hej Ray,

ray@redshift.com wrote:
>
> The point isn't to get more secure. You are correct by saying that moving the
Hu. I thought the point was to get more security. If it's more about "stealth", okay, move the daemon to another port :)

> port # doesn't make anything more secure. But why make it easy for someone that
> might be doing a scan to find your SSH prompt during a scan that may be focused
> on ports 21, 22, 25, 80 and 110?
>
Of course it's a bit harder to find your sshd if it's not running on tcp/22. And maybe an automated script won't find the sshd. A human being will, indeed, find the sshd pretty quickly. Take any port which responds with a SYN-ACK to your SYN and off you go on that port with telnet...

> Along these same lines, we used to even re-compile sshd and remove the welcome
> message/version number in the connect. I know there are two schools of thought
> on broadcasting your version numbers on connections, but in the mid 90's, we did
> do that from time to time.
>
And if you don't get the ssh banner, it might get harder now :-)

> Anyway, to each their own :)
>
ack.
Marian

From owner-freebsd-security@FreeBSD.ORG Mon Nov 21 13:43:44 2005
From: Lowell Gilbert
Date: 21 Nov 2005 08:43:42 -0500
To: Andriy Gapon
Cc: freebsd-fs@freebsd.org, freebsd-security@freebsd.org
Subject: Re: mount -u -r drops nosuid ?
Andriy Gapon writes:
> Not sure if this is a bug or a feature, but it seems like a potential
> security risk: I have a ufs fs mounted rw+nosuid, then I needed to
> downgrade it to ro, so I executed mount -u -r on it - imagine my surprise
> when I found that the nosuid flag was removed as well. I know I could have
> used mount -u -r -o nosuid, but the present behavior seems to be
> non-obvious (update one flag, orthogonal flags dropped as well) and
> dangerously so.
>
> System is 5.4-RELEASE-p3 i386

The behaviour is explicitly documented.

I think it is safer (less room to shoot yourself in the foot) to have the flags be exactly the ones you specified in the remount (no more, no less) than to have to know exactly what the state was beforehand. But clearly it's possible to surprise the operator either way.
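As an added example (not from the thread), a POSIX shell check for the pitfall Andriy and Lowell discuss: it pulls the option list out of a mount(8) status line and reports which options a remount dropped, so a plain `mount -u -r` that silently lost nosuid is noticed before anything relies on it. The status lines are constructed in the format FreeBSD's mount(8) prints; the remount that keeps the flags already in effect is `mount -u -o current,ro`.

```sh
#!/bin/sh
# Added example, not from the thread: compare mount(8) status lines before
# and after a remount and report which options were dropped.
#
# FreeBSD's mount(8) prints one line per filesystem, for example:
#   /dev/ad0s1e on /tmp (ufs, local, noexec, nosuid, soft-updates)
# The options sit inside the trailing parentheses, separated by ", ".
# A read-write mount prints no flag for that; read-only prints "read-only".

# mount_opts LINE -> the option list of LINE as "a,b,c"
mount_opts() {
    printf '%s\n' "$1" | sed -n 's/^.* on .* (\(.*\))$/\1/p' | tr -d ' '
}

# has_mount_opts LINE OPT... -> true if LINE carries every OPT
has_mount_opts() {
    _line=$1
    shift
    _opts=",$(mount_opts "$_line"),"
    for _want in "$@"; do
        case $_opts in
            *",$_want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# lost_opts BEFORE AFTER -> space-separated options present in BEFORE
# but missing from AFTER (empty when nothing was dropped)
lost_opts() {
    _after=$2
    _lost=""
    for _opt in $(mount_opts "$1" | tr ',' ' '); do
        has_mount_opts "$_after" "$_opt" || _lost="$_lost $_opt"
    done
    printf '%s\n' "${_lost# }"
}

# Constructed status lines for a ufs /tmp mounted rw,noexec,nosuid ...
BEFORE='/dev/ad0s1e on /tmp (ufs, local, noexec, nosuid, soft-updates)'
# ... after "mount -u -r /tmp": the flags are reset to just what was given
AFTER_PLAIN='/dev/ad0s1e on /tmp (ufs, local, read-only, soft-updates)'
# ... after "mount -u -o current,ro /tmp": the flags in effect are kept
AFTER_CURRENT='/dev/ad0s1e on /tmp (ufs, local, noexec, nosuid, read-only, soft-updates)'

# report_remount LABEL BEFORE AFTER -> one line saying what was dropped
report_remount() {
    _lost=$(lost_opts "$2" "$3")
    if [ -n "$_lost" ]; then
        echo "$1: dropped [$_lost]"
    else
        echo "$1: all options kept"
    fi
}

report_remount "mount -u -r" "$BEFORE" "$AFTER_PLAIN"
report_remount "mount -u -o current,ro" "$BEFORE" "$AFTER_CURRENT"
```

On a live system the two status lines would come from `mount | grep ' on /tmp '` taken before and after the remount.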
From owner-freebsd-security@FreeBSD.ORG Mon Nov 21 13:51:23 2005
From: Sergey Kovalev
Date: Mon, 21 Nov 2005 16:52:08 +0300
To: timothy@open-networks.net
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD-SA-05:21.openssl and 6.0

> FreeBSD-SA-05:21.openssl.asc lists this advisory as for all releases,
> yet the patch only applies up to 5.4 ?
> does this mean 6 release isn't
> affected?

> uname -a
FreeBSD support1.domain 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov 3 09:36:13 UTC 2005 root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC i386
> grep -A 1 "FreeBSD-SA-05:21.openssl.asc" /usr/src/UPDATING
20051011:
	FreeBSD-SA-05:21.openssl
	Correct a man-in-the-middle SSL version rollback vulnerability.

From owner-freebsd-security@FreeBSD.ORG Mon Nov 21 14:01:48 2005
From: "Danny Carroll"
Date: Mon, 21 Nov 2005 15:01:45 +0100
To: "Marian Hettwer", "Jeremie Le Hen"
Cc: Peter Jeremy, ray@redshift.com, freebsd-security@freebsd.org
Subject: Re: Need urgent help regarding security

> you're right with that assumption. And yes, given the above scenario,
> letting the sshd run on a different port would help. However, your
> scenario applies to any daemon listening on any port. What would you like
> to do? Moving httpd, smtpd and whoever to another port? :)
> I'd rather say, use any tools available within FreeBSD to make your box
> as secure as you need it to be. I'm thinking of fine things like
> kern.securelevel for instance :)

But sshd can be moved without problem. Moving httpd or, worse, sendmail would break things. Also, I don't think anyone here would suggest that this is a replacement for other good security practices, such as those you mention, only something to add if you wish.

> Being confident that the OpenSSH guys are good developers too, I'm not
> that much afraid of the hackers you mentioned above (and of course no
> script-kiddies either) :-)

Just because they are good does not mean they don't make mistakes.

> It's definitely not my intention to troll. If somebody thinks that I do,
> I'm sorry in advance. I just have the strong feeling that moving a
> daemon to another port (where it doesn't belong) won't gain any security.

The point here is, there are no ill effects from moving it, and it may possibly, in some cases, actually prevent a break-in. It might not be necessary 99.99% of the time, but if it saves you once, then it's paid for itself.
-D

From owner-freebsd-security@FreeBSD.ORG Mon Nov 21 16:17:06 2005
From: Brian Reichert
Date: Mon, 21 Nov 2005 11:16:59 -0500
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org, Mark Jayson Alvarez
Subject: Re: Need urgent help regarding security

On Mon, Nov 21, 2005 at 12:20:09PM +0100, Dag-Erling Smørgrav wrote:
> Brian Reichert writes:
> > I had a 4.9 box compromised through the ssh install (I'm certain it
> > wasn't openssh, but the base install), and was running an irc server
> > itself.
>
> OpenSSH has been part of the base system since 4.0.
Ah, then perhaps the issue was the version of openssh that was part of the base system, as opposed to the actively maintained port. Whatever; it only happened the once, and I've learned to keep a tighter watch on such issues...

> DES
> --
> Dag-Erling Smørgrav - des@des.no

--
Brian Reichert
55 Crystal Ave. #286
Daytime number: (603) 434-6842
Derry NH 03038-1725 USA
BSD admin/developer at large

From owner-freebsd-security@FreeBSD.ORG Mon Nov 21 16:35:23 2005
From: dtalk-ml@prairienet.org
Date: Mon, 21 Nov 2005 08:35:09 -0800 (PST)
To: Danny Carroll
Cc: Peter Jeremy, ray@redshift.com, Jeremie Le Hen, Marian Hettwer, freebsd-security@freebsd.org
Subject: Re: Need urgent help regarding security
Danny Carroll wrote:
> But sshd can be moved without problem.

It's not a cost-free solution, because there are support consequences. Users don't like change. Fortunately for us, we control their client configurations, so it's invisible to them.

>> I just have the strong feeling that moving a daemon to another port
>> (where it doesn't belong) won't gain any security.

On 22, I used to get many, sometimes many thousands, of brute force password attempts per day. After moving to a higher port, I get zero. Mathematics tells me that makes it less likely that one of my user accounts will get whacked. It also raises the signal to noise ratio and storage requirements of my logs dramatically.

I'm sure no one here thinks obscurity is a substitute for proper configuration of good quality software. Nevertheless, real world experience shows quite clearly that the odds of an expensive compromise go down when I'm a little harder to find. The fact that this does nothing to slow down a targeted attack does not diminish the value of evading the entire population of drive-by bots.
-d

--
David Talkington
dtalk-ml@prairienet.org

From owner-freebsd-security@FreeBSD.ORG Mon Nov 21 20:36:00 2005
From: Bigby Findrake
Date: Mon, 21 Nov 2005 12:35:44 -0800 (PST)
To: dtalk-ml@prairienet.org
Cc: Peter Jeremy, ray@redshift.com, Danny Carroll, freebsd-security@freebsd.org, Jeremie Le Hen, Marian Hettwer
Subject: Re: Need urgent help regarding security

I'd just like to make a small contribution to this discussion.
While most of us understand the merits and flaws of security through obscurity, I would like to point out the semantic fact that the phrase is, indeed, "security *through* obscurity", that while not flawless, obscurity is another path to security, that it is (more) difficult to attack the host you cannot see, (more) difficult to exploit the flaw you cannot detect, (more) difficult to connect to the daemon you do not know is listening.

/-------------------------------------------------------------------------/
I was raised by a pack of wild corn dogs.

finger://bigby@ephemeron.org
http://www.ephemeron.org/~bigby/
news://news.ephemeron.org/alt.lemurs
/-------------------------------------------------------------------------/

From owner-freebsd-security@FreeBSD.ORG Mon Nov 21 20:42:41 2005
From: "Peter C. Lai"
Date: Mon, 21 Nov 2005 15:42:39 -0500
To: Bigby Findrake
Cc: dtalk-ml@prairienet.org, Peter Jeremy, ray@redshift.com, Danny Carroll, freebsd-security@freebsd.org, Jeremie Le Hen, Marian Hettwer
Subject: Re: Need urgent help regarding security

On Mon, Nov 21, 2005 at 12:35:44PM -0800, Bigby Findrake wrote:
> I'd just like to make a small contribution to this discussion.
>
> While most of us understand the merits and flaws of security through
> obscurity, I would like to point out the semantic fact that the phrase is,
> indeed, "security *through* obscurity", that while not flawless, obscurity
> is another path to security, that it is (more) difficult to attack the
> host you cannot see, (more) difficult to exploit the flaw you cannot
> detect, (more) difficult to connect to the daemon you do not know is
> listening.
>
You can also couple this with port-knocking (or even just port-knocking on 22).

--
Peter C. Lai
Dept. of Neurobiology
Yale University School of Medicine
http://cowbert.2y.net/

From owner-freebsd-security@FreeBSD.ORG Mon Nov 21 21:20:34 2005
From: "Matthew D. Fuller"
Date: Mon, 21 Nov 2005 15:20:16 -0600
To: Lowell Gilbert
Cc: freebsd-fs@freebsd.org, freebsd-security@freebsd.org, Andriy Gapon
Subject: Re: mount -u -r drops nosuid ?

On Mon, Nov 21, 2005 at 08:43:42AM -0500 I heard the voice of Lowell Gilbert, and lo!
it spake thus:
>
> I think it is safer (less room to shoot yourself in the foot) to
> have the flags be exactly the ones you specified in the remount (no
> more, no less) than to have to know exactly what the state was
> beforehand. But clearly it's possible to surprise the operator
> either way.

This is where -o current comes in.

--
Matthew Fuller (MF4839) | fullermd@over-yonder.net
Systems/Network Administrator | http://www.over-yonder.net/~fullermd/
On the Internet, nobody can hear you scream.

From owner-freebsd-security@FreeBSD.ORG Mon Nov 21 22:42:42 2005
From: Sergey Matveychuk
Date: Tue, 22 Nov 2005 01:42:27 +0300
To: freebsd-security@freebsd.org, vsevolod@FreeBSD.org
Subject: chmlib: Major security fix for stack overflow vulnerability

http://www.sven-tantau.de/public_files/chmlib/chmlib_20051126.txt

Should be described in VuXML.
And there were other major security fixes between 0.35 and 0.36.

-- 
Sem.

From owner-freebsd-security@FreeBSD.ORG Mon Nov 21 18:40:37 2005
Date: Mon, 21 Nov 2005 20:40:24 +0200
From: Andriy Gapon
To: Lowell Gilbert
Cc: freebsd-fs@freebsd.org, freebsd-security@freebsd.org
Message-ID: <43821498.905@icyb.net.ua>
In-Reply-To: <44sltqxgj5.fsf@be-well.ilk.org>
Subject: Re: mount -u -r drops nosuid ?

on 21/11/2005 15:43 Lowell Gilbert said the following:
> The behaviour is explicitly documented.
>
> I think it is safer (less room to shoot yourself in the foot) to have
> the flags be exactly the ones you specified in the remount (no more,
> no less) than to have to know exactly what the state was beforehand.
> But clearly it's possible to surprise the operator either way.

Actually, somebody (Vasiliy) off the list taught me about the -o current
option to mount. Really useful, I wonder how I managed to not notice it
so far. Thanks Vasily!

-- 
Andriy Gapon

From owner-freebsd-security@FreeBSD.ORG Tue Nov 22 18:27:03 2005
Date: Tue, 22 Nov 2005 10:26:58 -0800 (PST)
From: Roger Marquis
To: freebsd-security@freebsd.org
Message-ID: <20051122075050.I81101@roble.com>
In-Reply-To: <20051122120112.9D83516A423@hub.freebsd.org>
Subject: Re: Need urgent help regarding security

ray@redshift.com wrote:
> The point isn't to get more secure. You are correct by saying that
> moving the port # doesn't make anything more secure.

Actually the point _is_ security and changing the port number _does_
improve it significantly though only from one popular attack vector.

Security by obscurity _does_ work and often very well just not in
place of more substantive measures. In the case of sshd dictionary
attacks those would be:

 1) setting "MaxAuthTries 2", "Banner /etc/issue" and
    "PermitRootLogin no" in /etc/ssh/sshd_config,

 2) running an sshd IDS that A) tests for '(for invalid user|Failed
    password for)', B) blackholes source hosts 'ipfw add deny ...', and
    C) alerts sysadmin or operations personnel,

 3) making sure SSL and SSH are up to date (preferably via ports),

 4) deleting the rc script, adding sshd to /etc/inetd.conf, and
    taking advantage of the rate controls, logging, and other excellent
    security features of FreeBSD's inetd.

Hosts that don't have at least these 4 protections in place will
reduce their exposure by moving sshd to a port other than 22. Hosts
that do implement these protections will still benefit from changing
the port but can lose some excellent logging. If possible keep the
logs and either send them to the offending ISP or add to a local
list of long-term blackholes.

Obscurity is an important and wholly necessary part of the security
toolkit. Take passwords for example. Defining a non-dictionary
password is security by obscurity. It is, however, weak protection
if you do not also log dictionary attacks and blackhole offenders
before they can try many username/password pairs. ATM PINs are even
weaker than passwords but are nevertheless adequate protection
thanks to the fact that ~3 failed passwords will cause the account
to be locked.

Bruce Schneier looks at more areas on where security by obscurity
works and where it doesn't in the May 2002 CRYPTO-GRAM.
-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security@FreeBSD.ORG Tue Nov 22 19:10:51 2005
Date: Tue, 22 Nov 2005 20:10:29 +0100
From: Marian Hettwer
To: Roger Marquis
Cc: freebsd-security@freebsd.org
Message-ID: <43836D25.5000101@kernel32.de>
In-Reply-To: <20051122075050.I81101@roble.com>
Subject: Re: Need urgent help regarding security

Hi Roger,

Roger Marquis wrote:
> ray@redshift.com wrote:
>
>> The point isn't to get more secure. You are correct by saying that
>> moving the port # doesn't make anything more secure.
>
> Actually the point _is_ security and changing the port number _does_
> improve it significantly though only from one popular attack vector.
>
> Security by obscurity _does_ work and often very well just not in
> place of more substantive measures. In the case of sshd dictionary
> attacks those would be:
>
> 1) setting "MaxAuthTries 2", "Banner /etc/issue" and
> "PermitRootLogin no" in /etc/ssh/sshd_config,
>
good ideas!

> 2) running an sshd IDS that A) tests for '(for invalid user|Failed
> password for)', B) blackholes source hosts 'ipfw add deny ...', and
> C) alerts sysadmin or operations personnel,
>
Be careful with adding IP addresses to deny via a packet filter.
If an attacker uses spoofed IP addresses, you may easily produce
a denial of service attack yourself.
Say I used the IP address of your default gateway. If you don't
check that and just add a deny rule... well... bad luck ;-)
However, if being careful, using a packet filter to deny access for
these attackers sounds like a very good way.

> 3) making sure SSL and SSH are up to date (preferably via ports),
>
of course :)

> 4) deleting the rc script, adding sshd to /etc/inetd.conf, and
> taking advantage of the rate controls, logging, and other excellent
> security features of FreeBSD's inetd.
>
full ack too.

> Hosts that don't have at least these 4 protections in place will
> reduce their exposure by moving sshd to a port other than 22. Hosts
> that do implement these protections will still benefit from changing
> the port but can lose some excellent logging. If possible keep the
> logs and either send them to the offending ISP or add to a local
> list of long-term blackholes.
>
> Obscurity is an important and wholly necessary part of the security
> toolkit. Take passwords for example. Defining a non-dictionary
> password is security by obscurity. It is, however, weak protection
> if you do not also log dictionary attacks and blackhole offenders
> before they can try many username/password pairs. ATM PINs are even
> weaker than passwords but are nevertheless adequate protection
> thanks to the fact that ~3 failed passwords will cause the account
> to be locked.
>
> Bruce Schneier looks at more areas on where security by obscurity
> works and where it doesn't in the May 2002 CRYPTO-GRAM.
>
I'll definitely take a look into that paper :)

thanks and best regards,
Marian

From owner-freebsd-security@FreeBSD.ORG Tue Nov 22 19:12:37 2005
Date: Tue, 22 Nov 2005 11:12:30 -0800 (PST)
From: Arne Wörner
To: Roger Marquis, freebsd-security@freebsd.org
Message-ID: <20051122191230.9866.qmail@web30305.mail.mud.yahoo.com>
In-Reply-To: <20051122075050.I81101@roble.com>
Subject: Re: Need urgent help regarding security

--- Roger Marquis wrote:
> Obscurity is an important and wholly necessary part
> of the security toolkit. Take passwords for example.
> Defining a non-dictionary password is security by
> obscurity. It is, however, weak protection if you
> do not also log dictionary attacks and blackhole
> offenders before they can try many username/password
> pairs.
>
I can say that again... :-)

I personally do not like passwords, because:
1. I could forget it.
2. A bad guy could treat me badly in order to get the password.

So I was very happy when I found out that the ssh protocol offers this
passphrase-less, password-less RSA (today it seems to be DSA)
authentication, which seems to be very secure, and which makes me
uninteresting for authentication and for a bad guy (he or she only
needs my hard disc, which he or she can get without hurting me).

Maybe that could help in this specific security problem discussion.

Furthermore I would ask if it might be a good idea in this case to use
a good-guy list instead of a bad-guy list.

Ceterum censeo: Fingerprints make everything worse (not just for
thieves, who have to wear gloves nowadays), because I have heard of a
case where a robber took away the ring finger of his victim, because
his victim was unable to get off the ring (published on German TV by a
governmental broadcasting carrier (ZDF) in "Aktenzeichen XY ... noch
nicht gelöst" (which translates to "case number XY ... not solved
yet")). There has been a case near Kiel,SH,F.Rep.Germ, where the robber
became a killer, because the victim refused to give 10USD that belonged
to his employer.
-Arne
who said the mother of all passwords loudly in the public, while one of
his colleagues was talking to him on the phone

From owner-freebsd-security@FreeBSD.ORG Tue Nov 22 19:35:36 2005
Date: Tue, 22 Nov 2005 11:35:29 -0800 (PST)
From: Roger Marquis
To: Marian Hettwer
Cc: freebsd-security@freebsd.org
Message-ID: <20051122112344.U18517@roble.com>
In-Reply-To: <43836D25.5000101@kernel32.de>
Subject: Re: Need urgent help regarding security

>> 2) running an sshd IDS that A) tests for '(for invalid user|Failed
>> password for)', B) blackholes source hosts 'ipfw add deny ...', and
>> C) alerts sysadmin or operations personnel,
>>
> Be careful with adding IP addresses to deny via a packet filter.
> If an attacker uses spoofed IP addresses, you may easily produce
> a denial of service attack yourself.

Not sure I agree with the easily part. TCP transport plus SSH
protocol spoofing is not a vector that normally needs to be secured
beyond what is already done in the kernel and router. That's not to
say such spoofing cannot be done, just that it is rare and would
require a compromised router or localnet host at a minimum.

> Say I used the IP address of your default gateway. If you
> don't check that and just add a deny rule... well... bad luck ;-)

I would hope that your router doesn't accept packets with its own
source address. But this does bring up a good point, i.e., that no
IDS should be operated without a well thought-out whitelist.

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security@FreeBSD.ORG Tue Nov 22 19:48:57 2005
Date: 22 Nov 2005 14:48:46 -0500
From: Lowell Gilbert
To: freebsd-security@freebsd.org
Message-ID: <44br0cqx9d.fsf@be-well.ilk.org>
In-Reply-To: <20051122112344.U18517@roble.com>
Subject: Re: Need urgent help regarding security

>> Be careful with adding IP addresses to deny via a packet filter.
>> If an attacker uses spoofed IP addresses, you may easily produce
>> a denial of service attack yourself.
>
> Not sure I agree with the easily part. TCP transport plus SSH
> protocol spoofing is not a vector that normally needs to be secured
> beyond what is already done in the kernel and router. That's not to
> say such spoofing cannot be done, just that it is rare and would
> require a compromised router or localnet host at a minimum.

Except that it doesn't require spoofed addresses. One attacker from the
local university's computer center (or from a large shell service ISP)
could lock out all of the other users on that machine. Trivially.
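Roger's log-driven sshd IDS (match the failure lines, blackhole the source with ipfw, alert operations) together with the whitelist he and Marian agree on, as an added example in Python rather than anything posted in the thread. The auth.log excerpt, the whitelist networks, the failure threshold and the time window are constructed, and the block only produces the `ipfw add deny` rule as text instead of running it.

```python
"""Log-driven sshd brute-force detector with a whitelist.  Added example, not
code from the thread; the log lines, whitelist, threshold and window are
constructed for illustration."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# The sshd failure line the thread's IDS greps for; the source is captured.
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<src>\S+) port \d+")

# Constructed whitelist: sources that must never be blackholed, whatever the
# log says (Marian's default-gateway case, and the admin network whose other
# users would be locked out too, which is Lowell's point).
WHITELIST = [ipaddress.ip_network("192.0.2.1/32"),      # default gateway
             ipaddress.ip_network("198.51.100.0/24")]   # admin network

# Constructed auth.log excerpt: one dictionary attack, one admin typo, one
# burst carrying the gateway's address, and two widely spaced failures.
SAMPLE_LOG = """\
Nov 22 10:00:01 gw sshd[1201]: Invalid user admin from 203.0.113.9
Nov 22 10:00:01 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 40110 ssh2
Nov 22 10:00:03 gw sshd[1204]: Failed password for invalid user test from 203.0.113.9 port 40112 ssh2
Nov 22 10:00:05 gw sshd[1207]: Failed password for root from 203.0.113.9 port 40115 ssh2
Nov 22 10:00:07 gw sshd[1209]: Failed password for invalid user oracle from 203.0.113.9 port 40118 ssh2
Nov 22 10:00:09 gw sshd[1211]: Failed password for invalid user guest from 203.0.113.9 port 40120 ssh2
Nov 22 10:05:00 gw sshd[1300]: Failed password for alice from 198.51.100.20 port 50001 ssh2
Nov 22 10:05:02 gw sshd[1300]: Accepted publickey for alice from 198.51.100.20 port 50001 ssh2
Nov 22 10:10:00 gw sshd[1350]: Failed password for root from 192.0.2.1 port 33001 ssh2
Nov 22 10:10:01 gw sshd[1351]: Failed password for root from 192.0.2.1 port 33002 ssh2
Nov 22 10:10:02 gw sshd[1352]: Failed password for root from 192.0.2.1 port 33003 ssh2
Nov 22 10:10:03 gw sshd[1353]: Failed password for root from 192.0.2.1 port 33004 ssh2
Nov 22 10:10:04 gw sshd[1354]: Failed password for root from 192.0.2.1 port 33005 ssh2
Nov 22 11:30:00 gw sshd[1400]: Failed password for bob from 192.0.2.77 port 50100 ssh2
Nov 22 15:30:00 gw sshd[1500]: Failed password for bob from 192.0.2.77 port 50101 ssh2
""".splitlines()


def parse_failures(lines, year=2005):
    """Yield (timestamp, source address) for each failed-password line."""
    for line in lines:
        m = FAILURE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["src"]


def is_whitelisted(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in WHITELIST)


def offenders(lines, threshold=5, window_s=600):
    """Map source -> total failures for every non-whitelisted source that
    logged at least `threshold` failures inside some `window_s` seconds."""
    by_src = defaultdict(list)
    for ts, src in parse_failures(lines):
        by_src[src].append(ts)
    found = {}
    for src, times in by_src.items():
        if is_whitelisted(src):
            continue                    # worth an alert, never a blackhole
        times.sort()
        lo = 0
        for hi, t in enumerate(times):  # sliding window over sorted times
            while (t - times[lo]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 >= threshold:
                found[src] = len(times)
                break
    return found


def ipfw_rule(src, rule_no=1000):
    """Blackhole rule as text (rule number is an assumption); a real IDS
    would hand it to ipfw(8) and should also expire it later, since a
    blocked shared host locks out all of that host's users."""
    return f"ipfw add {rule_no} deny ip from {src} to any"


def alerts(lines):
    """Text the IDS would send to operations: one line per blackholed source."""
    return [f"{src}: {n} sshd failures, applied '{ipfw_rule(src)}'"
            for src, n in sorted(offenders(lines).items())]
```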
From owner-freebsd-security@FreeBSD.ORG Tue Nov 22 23:30:25 2005
Date: Wed, 23 Nov 2005 01:30:06 +0200
From: Adi Tirla
To: freebsd-security@freebsd.org
Message-ID: <446399850511221530g47e13ee9p847d7673c5fa12ca@mail.gmail.com>
Subject: ipfw check-state issue

heya

i've been using freebsd's ipfw for quite a while and recently on a new
server i've got this issue with ipfw that i can't understand ... something
is wrong ...

01000  8042  1947866 allow ip from any to any via fxp0
01010     0        0 allow ip from any to any via lo0
01014  9886  4170269 divert 8668 ip from any to any in via vr0
01015     0        0 check-state
01130 14679  5695969 skipto 1800 ip from any to any out via vr0 keep-state
01300     0        0 deny ip from 192.168.0.0/16 to any in via vr0
01301     0        0 deny ip from 172.16.0.0/12 to any in via vr0
01302     4      140 deny ip from 10.0.0.0/8 to any in via vr0
01303     0        0 deny ip from 127.0.0.0/8 to any in via vr0
01304     0        0 deny ip from 0.0.0.0/8 to any in via vr0
01305     0        0 deny ip from 169.254.0.0/16 to any in via vr0
01306     0        0 deny ip from 192.0.2.0/24 to any in via vr0
01307     0        0 deny ip from 204.152.64.0/23 to any in via vr0
01308     0        0 deny ip from 224.0.0.0/3 to any in via vr0
01320     0        0 deny tcp from any to any dst-port 137 in via vr0
01321     0        0 deny tcp from any to any dst-port 138 in via vr0
01322     4      192 deny tcp from any to any dst-port 139 in via vr0
01323     3      144 deny tcp from any to any dst-port 81 in via vr0
01330     0        0 deny ip from any to any frag in via vr0
01350   362    71038 deny tcp from any to any established in via vr0
01400  2879   346276 deny log logamount 10 ip from any to any in via vr0
01450     0        0 deny log logamount 10 ip from any to any out via vr0
01800  8049  1944267 divert 8668 ip from any to any out via vr0
01801 14676  5695755 allow ip from any to any
01999     0        0 deny log logamount 10 ip from any to any
65535   758   727615 deny ip from any to any

please enlighten me why the "almost" standard firewall from the handbook ...
ain't working properly .... !? look ... the check-state ain't matching any
packets ... and mostly ... packets skip the rule 1999 ... why?! i've seen
the "kernel: oups" too many times .... don't tell me i've got a third
network card cause it ain't so!

another thing ... if i insert pipes for traffic shaping ... the outgoing
packets are inserted into the input pipes ... but not into the outgoing
pipes .... why ?

i am missing somethin' .... what ?

kernel compiled with these additional options ....
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
options IPFIREWALL_FORWARD
options DUMMYNET
options HZ=1000
options IPDIVERT

enlightenment please .... thanks ... bye bye

From owner-freebsd-security@FreeBSD.ORG Tue Nov 22 23:52:04 2005
Date: Tue, 22 Nov 2005 18:50:51 -0500 (EST)
From: "Matt Piechota"
To: Arne Wörner
Cc: freebsd-security@freebsd.org, Roger Marquis
Message-ID: <47111.192.35.35.34.1132703451.squirrel@webmail.gigatrex.com>
In-Reply-To: <20051122191230.9866.qmail@web30305.mail.mud.yahoo.com>
Subject: Re: Need urgent help regarding security

On Tue, November 22, 2005 2:12 pm, Arne Wörner wrote:
> Ceterum censeo: Fingerprints make everything worse (not just for
> thieves, who have to wear gloves nowadays), because I have heard of
> a case where a robber took away the ring finger of his victim,
> because his victim was unable to get off the ring (published on
> German TV by a governmental broadcasting carrier (ZDF) in
> "Aktenzeichen XY ... noch nicht gelöst" (which translates to "case
> number XY ... not solved yet")). There has been a case near
> Kiel,SH,F.Rep.Germ, where the robber became a killer, because the
> victim refused to give 10USD that belonged to his employer.

Or, to start your car:
http://www.theregister.co.uk/2005/04/04/fingerprint_merc_chop/
http://news.bbc.co.uk/2/hi/asia-pacific/4396831.stm

Plus, as soon as someone breaks the key encrypting your fingerprint,
they can re-use it. And it's not like you can change your fingerprints
after they're compromised.
-- 
Matt Piechota

From owner-freebsd-security@FreeBSD.ORG Wed Nov 23 18:15:50 2005
Date: 23 Nov 2005 13:15:29 -0500
From: Lowell Gilbert
To: Adi Tirla
Cc: freebsd-security@freebsd.org
Message-ID: <4464qj5iym.fsf@be-well.ilk.org>
In-Reply-To: <446399850511221530g47e13ee9p847d7673c5fa12ca@mail.gmail.com>
Subject: Re: ipfw check-state issue

Adi Tirla writes:

> heya
>
> i've been using freebsd's ipfw for quite a while and recently on a new
> server i've got this issue with ipfw that i can't understand ... something
> is wrong ...
>
> 01000  8042  1947866 allow ip from any to any via fxp0
> 01010     0        0 allow ip from any to any via lo0
> 01014  9886  4170269 divert 8668 ip from any to any in via vr0
> 01015     0        0 check-state
> 01130 14679  5695969 skipto 1800 ip from any to any out via vr0 keep-state
> 01300     0        0 deny ip from 192.168.0.0/16 to any in via vr0
> 01301     0        0 deny ip from 172.16.0.0/12 to any in via vr0
> 01302     4      140 deny ip from 10.0.0.0/8 to any in via vr0
> 01303     0        0 deny ip from 127.0.0.0/8 to any in via vr0
> 01304     0        0 deny ip from 0.0.0.0/8 to any in via vr0
> 01305     0        0 deny ip from 169.254.0.0/16 to any in via vr0
> 01306     0        0 deny ip from 192.0.2.0/24 to any in via vr0
> 01307     0        0 deny ip from 204.152.64.0/23 to any in via vr0
> 01308     0        0 deny ip from 224.0.0.0/3 to any in via vr0
> 01320     0        0 deny tcp from any to any dst-port 137 in via vr0
> 01321     0        0 deny tcp from any to any dst-port 138 in via vr0
> 01322     4      192 deny tcp from any to any dst-port 139 in via vr0
> 01323     3      144 deny tcp from any to any dst-port 81 in via vr0
> 01330     0        0 deny ip from any to any frag in via vr0
> 01350   362    71038 deny tcp from any to any established in via vr0
> 01400  2879   346276 deny log logamount 10 ip from any to any in via vr0
> 01450     0        0 deny log logamount 10 ip from any to any out via vr0
> 01800  8049  1944267 divert 8668 ip from any to any out via vr0
> 01801 14676  5695755 allow ip from any to any
> 01999     0        0 deny log logamount 10 ip from any to any
> 65535   758   727615 deny ip from any to any
>
> please enlighten me why the "almost" standard firewall from the handbook ...
> ain't working properly .... !? look ... the check-state ain't matching any
> packets ... and mostly ... packets skip the rule 1999 ... why?! i've seen
> the "kernel: oups" too many times .... don't tell me i've got a third
> network card cause it ain't so!
>
> another thing ... if i insert pipes for traffic shaping ... the outgoing
> packets are inserted into the input pipes ... but not into the outgoing
> pipes .... why ?
>
> i am missing somethin' .... what ?
>
> kernel compiled with these additional options ....
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=10
> options IPFIREWALL_FORWARD
> options DUMMYNET
> options HZ=1000
> options IPDIVERT
>
> enlightenment please ....

Any firewall where a packet may get passed to the same divert pipe
multiple times isn't *close* to "almost standard." Try actually using
the standard one, as your modifications don't make a lot of sense.

Nor do I understand those URLs in the RFC1918 rules...

From owner-freebsd-security@FreeBSD.ORG Wed Nov 23 23:09:57 2005
Date: Wed, 23 Nov 2005 17:09:38 -0600
From: "Matthew D. Fuller"
To: freebsd-security@freebsd.org
Cc: Adi Tirla
Message-ID: <20051123230937.GD60824@over-yonder.net>
In-Reply-To: <4464qj5iym.fsf@be-well.ilk.org>
Subject: Re: ipfw check-state issue

On Wed, Nov 23, 2005 at 01:15:29PM -0500 I heard the voice of
Lowell Gilbert, and lo! it spake thus:
>
> Nor do I understand those URLs in the RFC1918 rules...

That, AFAIK, is gmail being "helpful".

-- 
Matthew Fuller     (MF4839)   |  fullermd@over-yonder.net
Systems/Network Administrator |  http://www.over-yonder.net/~fullermd/
           On the Internet, nobody can hear you scream.
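An added example, not from the thread, that traces packets through the ruleset Adi posted to show why rule 1999 never counts anything (rule 1801 is an unconditional allow in front of it) and how a check-state hit hands the packet to the keep-state rule's skipto. It covers only the ipfw syntax that ruleset uses, abridges the same-shape bogon and NetBIOS denies, treats divert as a pass-through and keeps dynamic state in a plain flow table; the test packets and their addresses are constructed.

```python
"""First-match trace through the ipfw ruleset quoted above.  Added example, not
code from the thread: divert is treated as a pass-through (natd re-injects at
the next rule, so packets carry inside addresses) and dynamic state is a plain
flow table rather than ipfw's dynamic rules."""
import ipaddress
import re

# Constructed from the quoted ruleset, abridged (same-shape bogon/NetBIOS
# denies dropped); the counter columns of `ipfw -a list` are accepted.
RULESET = """\
01000 allow ip from any to any via fxp0
01010 allow ip from any to any via lo0
01014 divert 8668 ip from any to any in via vr0
01015 check-state
01130 skipto 1800 ip from any to any out via vr0 keep-state
01302 deny ip from 10.0.0.0/8 to any in via vr0
01322 deny tcp from any to any dst-port 139 in via vr0
01350 deny tcp from any to any established in via vr0
01400 deny log logamount 10 ip from any to any in via vr0
01450 deny log logamount 10 ip from any to any out via vr0
01800 divert 8668 ip from any to any out via vr0
01801 allow ip from any to any
01999 deny log logamount 10 ip from any to any
65535 deny ip from any to any
"""
ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_rule(line):
    """Parse one `ipfw list` line (only the syntax the ruleset above uses)."""
    num, body = re.match(r"(\d+)(?:\s+\d+\s+\d+)?\s+(.*)", line).groups()
    t = body.split()
    r = {"num": int(num), "action": t[0], "target": None, "proto": "ip",
         "src": ANY, "dst": ANY, "dport": None, "dir": None, "via": None,
         "flags": set()}
    if r["action"] == "check-state":
        return r
    r["target"], i = (int(t[1]), 2) if t[0] in ("skipto", "divert") else (None, 1)
    if t[i] == "log":                       # skip 'log logamount N'
        i += 3
    r["proto"] = t[i]
    r["src"], r["dst"] = (ANY if a == "any" else ipaddress.ip_network(a)
                          for a in (t[i + 2], t[i + 4]))
    i += 5
    while i < len(t):
        if t[i] == "dst-port":
            r["dport"], i = int(t[i + 1]), i + 2
        elif t[i] in ("in", "out"):
            r["dir"], i = t[i], i + 1
        elif t[i] == "via":
            r["via"], i = t[i + 1], i + 2
        else:                               # keep-state, established
            r["flags"].add(t[i])
            i += 1
    return r


def matches(r, p):
    """Static match of rule r against packet dict p."""
    return bool((r["proto"] == "ip" or r["proto"] == p["proto"])
                and ipaddress.ip_address(p["src"]) in r["src"]
                and ipaddress.ip_address(p["dst"]) in r["dst"]
                and (r["dport"] is None or r["dport"] == p.get("dport"))
                and (r["dir"] is None or r["dir"] == p["dir"])
                and (r["via"] is None or r["via"] == p["iface"])
                and ("established" not in r["flags"] or p.get("established")))


def flow_key(p):                            # a dynamic rule matches both ways
    return p["proto"], frozenset([(p["src"], p.get("sport")),
                                  (p["dst"], p.get("dport"))])


def trace(rules, p, state):
    """Return (verdict, rule number, rule numbers consulted) for packet p;
    `state` is shared across calls so keep-state feeds a later check-state."""
    consulted, i = [], 0
    while i < len(rules):
        r = rules[i]
        consulted.append(r["num"])
        if r["action"] == "check-state":
            r = state.get(flow_key(p))      # dynamic hit runs the parent rule
        elif not matches(r, p):
            r = None
        if r is None:
            i += 1
            continue
        if "keep-state" in r["flags"]:
            state[flow_key(p)] = r
        if r["action"] in ("allow", "deny"):
            return r["action"], r["num"], consulted
        if r["action"] == "skipto":
            i = next((j for j, x in enumerate(rules)
                      if x["num"] >= r["target"]), len(rules))
        else:                               # divert: natd re-injects here
            i += 1
    return "deny", 65535, consulted


def unreachable(rules):
    """Rules after the first unconditional allow/deny: nothing ever reaches
    them, which is why rule 1999 above never counts a packet."""
    for k, r in enumerate(rules):
        if (r["action"] in ("allow", "deny") and r["proto"] == "ip"
                and r["src"] == r["dst"] == ANY and not r["flags"]
                and r["dport"] is r["dir"] is r["via"] is None):
            return [x["num"] for x in rules[k + 1:]]
    return []


RULES = [parse_rule(line) for line in RULESET.splitlines()]
```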
From owner-freebsd-security@FreeBSD.ORG Wed Nov 23 23:17:01 2005
From: Roger Marquis <marquis@roble.com>
To: freebsd-security@freebsd.org
Date: Wed, 23 Nov 2005 15:16:58 -0800 (PST)
Message-ID: <20051123150509.P90242@roble.com>
In-Reply-To: <20051123120058.DAA3C16A484@hub.freebsd.org>
Subject: Re: Need urgent help regarding security

Lowell Gilbert wrote:
>> Not sure I agree with the easily part.. TCP transport plus SSH
>> protocol spoofing is not a vector that normally needs to be secured
>> beyond what is already done in the kernel and router. That's not to
>> say such spoofing cannot be done, just that it is rare and would
>> require a compromised router or localnet host at a minimum.
>
> Except that it doesn't require spoofed addresses. One attacker from the
> local university's computer center (or from a large shell service ISP)
> could lock out all of the other users on that machine. Trivially.

And that's exactly what you want. The alternative is to let the
dictionary attack continue unabated.

At least once the blackhole is up, and notices sent, the target host's
admins can contact the attacking host's admins to shut down the account
or process running the scan. If nobody is monitoring the IDS alerts
that's a different problem.

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security@FreeBSD.ORG Fri Nov 25 19:24:25 2005
From: Sergey Matveychuk <sem@FreeBSD.org>
To: freebsd-security@freebsd.org
Date: Fri, 25 Nov 2005 22:24:11 +0300
Message-ID: <438764DB.8000106@FreeBSD.org>
Subject: ports/89483

I think it's not a bad idea to have CAcert root certificates in the port.
It should be done by somebody with a security hat.

-- 
Sem.
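The per-source blackhole debated in the "Need urgent help regarding security" thread above, as an added illustration that is not part of any message in this archive: a minimal failed-login counter run over constructed sshd log lines, showing both the block and the collateral lockout of a legitimate user behind the same shared address. All hostnames, addresses and usernames are constructed.

```python
import re
from collections import defaultdict

# Constructed sshd log lines (not taken from the thread): one attacker on a
# shared host (203.0.113.7) runs a dictionary attack while a legitimate user,
# alice, logs in from that same address a few seconds later.
SAMPLE_LOG = """\
Nov 23 12:00:01 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40210 ssh2
Nov 23 12:00:02 gw sshd[2102]: Failed password for invalid user test from 203.0.113.7 port 40211 ssh2
Nov 23 12:00:03 gw sshd[2103]: Failed password for root from 203.0.113.7 port 40212 ssh2
Nov 23 12:00:04 gw sshd[2104]: Failed password for invalid user oracle from 203.0.113.7 port 40213 ssh2
Nov 23 12:00:05 gw sshd[2105]: Failed password for invalid user guest from 203.0.113.7 port 40214 ssh2
Nov 23 12:00:09 gw sshd[2106]: Accepted publickey for alice from 203.0.113.7 port 40220 ssh2
Nov 23 12:00:10 gw sshd[2107]: Failed password for bob from 198.51.100.4 port 5011 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port")


def blackhole_list(log, threshold=5):
    """Source addresses with at least `threshold` failed logins: the set a
    simple per-address blackhole policy (e.g. an ipfw table) would block."""
    failures = defaultdict(int)
    for line in log.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
    return {ip for ip, n in failures.items() if n >= threshold}


def collateral_users(log, blocked):
    """Users who authenticated successfully from an address that is now
    blackholed: the 'other users on that machine' the thread worries about."""
    hit = set()
    for line in log.splitlines():
        m = ACCEPTED.search(line)
        if m and m.group(2) in blocked:
            hit.add(m.group(1))
    return hit


if __name__ == "__main__":
    blocked = blackhole_list(SAMPLE_LOG)
    print("blackholed:", sorted(blocked))
    print("locked out with the attacker:", sorted(collateral_users(SAMPLE_LOG, blocked)))
```

Raising the threshold hides the attack entirely at this sample size, which is the trade-off the thread describes: the block is coarse by address, not by account.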
From owner-freebsd-security@FreeBSD.ORG Sat Nov 26 22:45:35 2005
From: Peter Jeremy <PeterJeremy@optushome.com.au>
To: freebsd-security@freebsd.org
Date: Sun, 27 Nov 2005 09:45:30 +1100
Message-ID: <20051126224530.GD27757@cirb503493.alcatel.com.au>
X-PGP-Key: http://members.optusnet.com.au/peterjeremy/pubkey.asc
Subject: Reflections on Trusting Trust

or "How do I know my copy of FreeBSD is the same as yours?"

I have recently been meditating on the issue of validating X.509 root
certificates. An obvious extension to that is validating FreeBSD itself.

Under "The Cutting Edge", the handbook lists 3 methods of synchronising
your personal copy of FreeBSD with the Project's copy: Anonymous CVS, CTM
and CVSup. There are two CTM modes (e-mail and FTP) and you can also
download or buy ISOs. Of these six options, only CTM via e-mail has a
digital signature, though the ISO checksums can be compared against the
signed release announcements. Physical ISOs are a tricky subject - by
trusting the content, I am implicitly trusting the vendor (Walnut Creek,
Wind River in the past and (eg) FreeBSD Mall now).

The FreeBSD project appears to have three official keys:
1) FreeBSD Security Officer (0xCA6CDFB2)
2) Core Team Secretary (0xFF8AE305)
3) CTM e-mail (0xC380B4D8)

Of these, only the Security Officer's key has a wide assortment of
signatures - providing a reasonable likelihood that an arbitrary person
will be able to integrate it into their PGP web-of-trust. The Core Team
secretary's key is only signed by four people other than the current
secretary - this is somewhat marginal. The CTM key has only a single
signature. This is manifestly inadequate. At the very least, the key
should be signed by the person who is running the CTM service.

The FreeBSD release announcements are currently signed personally by the
Release Engineer. IMHO, there should be a FreeBSD Release Engineering key
that is used for these announcements.

I have also been unable to locate any published information regarding
the protection of or access to the private keys for the above.

Finally, FreeBSD is dependent on the protection of its DNS entries. Many
years ago, I asked about the DNS servers and got a response that I found
acceptable. Based on a recent check, I suspect that things have changed -
it looks like ns0.freebsd.org is now part of Yahoo.

Overall, I believe FreeBSD could be improved by:
- Formulating and promulgating a policy for the protection and use of
  FreeBSD Project DNS, keys and certificates. (The public version of the
  policy does not go into explicit details but should allow an
  independent observer to verify its adequacy).
- Creating a FreeBSD Release Engineering key which is used to sign
  official e-mails from the release engineering team - in particular
  -RELEASE announcements.
- Tying all the FreeBSD Project keys together by cross-signing them all.
- Arranging for a wider range of signatures on FreeBSD Project keys (the
  SO key already meets this).
- Investigate obtaining an X.509 certificate for the FreeBSD Project
- Signing ISO images with a Project key and/or certificate in addition
  to providing MD5 checksums.
- Investigate providing authenticated protocols for updating FreeBSD.

-- 
Peter Jeremy