From owner-freebsd-security@freebsd.org Tue Feb 11 23:31:42 2020
From: Nathan Dorfman
To: Glen Barber
Cc: freebsd-security@freebsd.org
Date: Tue, 11 Feb 2020 23:31:32 +0000
Subject: Re: Cryptographic signatures of installer sets
Message-ID: <20200211233132.GA7@rtfm.net>
In-Reply-To: <20200203135710.GK9584@FreeBSD.org>

Sorry for my delayed response.

On Mon, Feb 03, 2020 at 01:57:10PM +0000, Glen Barber wrote:
> First, if one installs from a snapshot, the MANIFEST file would only be
> valid until the next snapshot build.
>
> The second and third problems are somewhat related: the various
> distribution sets (base.txz, lib32.txz, etc.) are not updated with each
> patch release. (I have been pondering the "right way(tm)" to do this
> for some time, but that is more or less orthogonal to the real problem
> at hand here.) The other issue is freebsd-update(8) does not work with
> snapshot builds (from stable/X or head).

Oops. I hadn't realized freebsd-update, with the -r option, couldn't be
used to upgrade to the next snapshot. Since that is the case, it seems
fine to support -RELEASEs only.

> But for X.Y-RELEASE, one could use 'bsdinstall jail' to create the jail,
> then invoke freebsd-update(8) with the '-b' flag to the jail location.

Right, and this is no different than the current situation.

> The patch I have at the moment looks for the MANIFEST (rather, the
> --) file in the location they are
> installed by the misc/freebsd-release-manifests package.

This seems reasonable, but I think the checksum script is also used by
the system installer (not just the jail setup script).

Have you considered the possibility of simply publishing a detached
signature with every MANIFEST, in a similar manner to what is done for
the installer images? Those use PGP, requiring the gnupg package to
verify, but OpenSSL could also be used.

-nd.

From owner-freebsd-security@freebsd.org Wed Feb 12 15:22:24 2020
From: Glen Barber
To: Nathan Dorfman
Cc: freebsd-security@freebsd.org
Date: Wed, 12 Feb 2020 15:22:21 +0000
Subject: Re: Cryptographic signatures of installer sets
Message-ID: <20200212152221.GE9584@FreeBSD.org>
In-Reply-To: <20200211233132.GA7@rtfm.net>

On Tue, Feb 11, 2020 at 11:31:32PM +0000, Nathan Dorfman wrote:
> > The patch I have at the moment looks for the MANIFEST (rather, the
> > --) file in the location they are
> > installed by the misc/freebsd-release-manifests package.
>
> This seems reasonable, but I think the checksum script is also used by
> the system installer (not just the jail setup script).
>

No, they are two different sets of functionality. The system installer
*always* uses the MANIFEST from the installation medium, but when fixing
that, I did not notice the jail subcommand, nor that it fetches a remote
MANIFEST file.

> Have you considered the possibility of simply publishing a detached
> signature with every MANIFEST, in a similar manner to what is done for
> the installer images?
>

I have not, as a change to the misc/freebsd-release-manifests port will
generate an email (or at minimum, a change in the repository), which
would be a red flag for nefarious behavior.
Glen

From owner-freebsd-security@freebsd.org Fri Feb 14 18:18:59 2020
From: Ed Maste
To: FreeBSD Current, freebsd-security@freebsd.org
Date: Fri, 14 Feb 2020 13:18:44 -0500
Subject: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd

Upstream OpenSSH-portable removed libwrap support in version 6.7,
released in October 2014. We've maintained a patch in our tree to
restore it, but it causes friction on each OpenSSH update and may
introduce security vulnerabilities not present upstream. It's (past)
time to remove it.

Although the specific deprecation steps aren't yet fleshed out I'm
sending this as an early notice that I plan to disable libwrap support
from the base system sshd and that FreeBSD 13 will not support it.

We'll probably keep the patch in the tree for some time, to support MFCs
to stable branches; the patch will be removed entirely later on.
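Picking up Nathan Dorfman's suggestion from the signature thread above (a detached signature published next to each MANIFEST, checkable with OpenSSL rather than gnupg), the script below is an added example of what that looks like end to end. It is not FreeBSD's release tooling or bsdinstall code: the key pair, the base.txz stand-in and the MANIFEST line are all constructed here, and the MANIFEST layout (tab-separated name, sha256, file count, short name, description, default flag) is assumed to match the release files. It verifies the signature before trusting any checksum, and shows that a MANIFEST edited after signing is rejected even though the checksum line an attacker appends is self-consistent.

```shell
#!/bin/sh
# Added example; not FreeBSD's release tooling or bsdinstall code.
# Publishes a detached OpenSSL signature next to a MANIFEST and verifies
# it before trusting the checksums inside. Everything here is constructed:
# the release key pair, the base.txz stand-in, and the MANIFEST line, whose
# layout (name, sha256, file count, short name, description, default flag,
# tab separated) is assumed to match the real release MANIFEST files.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
TAB=$(printf '\t')

# Hex SHA-256 of a file; the hash is the last field of openssl's output
# in both the 1.x ("SHA256(f)= ...") and 3.x ("SHA2-256(f)= ...") formats.
sha256_of() {
    openssl dgst -sha256 "$1" | awk '{ print $NF }'
}

# Constructed stand-ins for one distribution set and the MANIFEST that lists it.
make_sample() {
    printf 'not a real base.txz\n' > "$WORK/base.txz"
    printf 'base.txz\t%s\t1\tbase\t"Base system (MANDATORY)"\ton\n' \
        "$(sha256_of "$WORK/base.txz")" > "$WORK/MANIFEST"
}

# Demo signing key. The real private key would never sit on the host that
# serves the files; only release.pub ships to clients.
gen_release_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/release.key" 2>/dev/null
    openssl pkey -in "$WORK/release.key" -pubout -out "$WORK/release.pub"
}

# MANIFEST.sig: the detached signature that would be published beside MANIFEST.
sign_manifest() {
    openssl dgst -sha256 -sign "$WORK/release.key" \
        -out "$WORK/MANIFEST.sig" "$WORK/MANIFEST"
}

# verify_manifest PUBKEY MANIFEST SIG: succeeds only if SIG is a valid
# signature over MANIFEST under PUBKEY.
verify_manifest() {
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# verify_sets MANIFEST DIR: every set named in MANIFEST must exist in DIR
# and hash to the recorded sha256; any mismatch fails the whole check.
verify_sets() {
    while IFS=$TAB read -r name sum rest; do
        [ -f "$2/$name" ] || return 1
        [ "$(sha256_of "$2/$name")" = "$sum" ] || return 1
    done < "$1"
}

make_sample
gen_release_key
sign_manifest

# A MANIFEST edited after it was signed: the appended line carries a
# correct checksum for the file it names, but the signature no longer matches.
cp "$WORK/MANIFEST" "$WORK/MANIFEST.tampered"
printf 'extra.txz\t%s\t1\textra\t"Injected set"\ton\n' \
    "$(sha256_of "$WORK/base.txz")" >> "$WORK/MANIFEST.tampered"

# Check the signature first, then the sets against the signed checksums.
if verify_manifest "$WORK/release.pub" "$WORK/MANIFEST" "$WORK/MANIFEST.sig" &&
   verify_sets "$WORK/MANIFEST" "$WORK"; then
    echo "MANIFEST signature and set checksums OK"
fi
if ! verify_manifest "$WORK/release.pub" "$WORK/MANIFEST.tampered" "$WORK/MANIFEST.sig"; then
    echo "tampered MANIFEST rejected before any checksum was trusted"
fi
```

The order of the two checks is the point. The sha256 lines in a MANIFEST prove only that the sets match the MANIFEST; whoever can replace a remotely fetched MANIFEST, which is what the jail subcommand does, can replace the checksums with it. The signature binds the MANIFEST to a key, so the only thing that must reach the client by a path independent of the download is the public key, which is the distribution question the thread is weighing.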
From owner-freebsd-security@freebsd.org Fri Feb 14 20:27:17 2020
From: Joey Kelly
To: freebsd-security@freebsd.org, freebsd-current@freebsd.org
Date: Fri, 14 Feb 2020 14:27:08 -0600
Subject: Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
Message-ID: <4627295.A1yGqSNMk2@deborah>

On Friday, February 14, 2020 01:18:44 PM Ed Maste wrote:
> Upstream OpenSSH-portable removed libwrap support in version 6.7,
> released in October 2014. We've maintained a patch in our tree to
> restore it, but it causes friction on each OpenSSH update and may
> introduce security vulnerabilities not present upstream. It's (past)
> time to remove it.

So color me ignorant, but how does this affect things like DenyHosts? Or
is there an in-application way to block dictionary attacks? I can't go
back to having my servers pounded on day and night (and yes, I listen on
an alternative port).
--
Joey Kelly
Minister of the Gospel and Linux Consultant
http://joeykelly.net
504-239-6550

From owner-freebsd-security@freebsd.org Fri Feb 14 20:34:21 2020
From: Mike Kelly
To: Joey Kelly
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org
Date: Fri, 14 Feb 2020 15:34:03 -0500
Subject: Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
In-Reply-To: <4627295.A1yGqSNMk2@deborah>

security/py-fail2ban in ports is a good alternative. Can be combined with
pf and the like to have a similar effect.

On Fri, Feb 14, 2020, 3:27 PM Joey Kelly wrote:
> On Friday, February 14, 2020 01:18:44 PM Ed Maste wrote:
> > Upstream OpenSSH-portable removed libwrap support in version 6.7,
> > released in October 2014. We've maintained a patch in our tree to
> > restore it, but it causes friction on each OpenSSH update and may
> > introduce security vulnerabilities not present upstream. It's (past)
> > time to remove it.
>
> So color me ignorant, but how does this affect things like DenyHosts? Or
> is there an in-application way to block dictionary attacks? I can't go
> back to having my servers pounded on day and night (and yes, I listen on
> an alternative port).
>
> --
> Joey Kelly
> Minister of the Gospel and Linux Consultant
> http://joeykelly.net
> 504-239-6550
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@freebsd.org Fri Feb 14 21:17:06 2020
From: Ed Maste
To: Joey Kelly
Cc: freebsd-security@freebsd.org, FreeBSD Current
Date: Fri, 14 Feb 2020 16:16:53 -0500
Subject: Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
In-Reply-To: <4627295.A1yGqSNMk2@deborah>

On Fri, 14 Feb 2020 at 15:27, Joey Kelly wrote:
>
> On Friday, February 14, 2020 01:18:44 PM Ed Maste wrote:
> > Upstream OpenSSH-portable removed libwrap support in version 6.7,
> > released in October 2014. We've maintained a patch in our tree to
> > restore it, but it causes friction on each OpenSSH update and may
> > introduce security vulnerabilities not present upstream. It's (past)
> > time to remove it.
>
> So color me ignorant, but how does this affect things like DenyHosts?

It's independent of denyhosts, fail2ban, blacklistd and similar. TCP
wrappers is configured using /etc/hosts.allow and /etc/hosts.deny.

From owner-freebsd-security@freebsd.org Fri Feb 14 23:20:02 2020
From: Joey Kelly
To: freebsd-security@freebsd.org
Date: Fri, 14 Feb 2020 17:19:58 -0600
Subject: Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
Message-ID: <1997012.9LfIMBbbVL@deborah>
On Friday, February 14, 2020 04:16:53 PM Ed Maste wrote:
> On Fri, 14 Feb 2020 at 15:27, Joey Kelly wrote:
> > On Friday, February 14, 2020 01:18:44 PM Ed Maste wrote:
> > > Upstream OpenSSH-portable removed libwrap support in version 6.7,
> > > released in October 2014. We've maintained a patch in our tree to
> > > restore it, but it causes friction on each OpenSSH update and may
> > > introduce security vulnerabilities not present upstream. It's (past)
> > > time to remove it.
> >
> > So color me ignorant, but how does this affect things like DenyHosts?
>
> It's independent of denyhosts, fail2ban, blacklistd and similar. TCP
> wrappers is configured using /etc/hosts.allow and /etc/hosts.deny.

root@marsh:~ # tail -3 /etc/hosts.allow
# for denyhosts
sshd : /etc/hosts.deniedssh : deny
sshd : ALL : allow

--
Joey Kelly
Minister of the Gospel and Linux Consultant
http://joeykelly.net
504-239-6550

From owner-freebsd-security@freebsd.org Fri Feb 14 23:37:32 2020
From: Ben Woods
To: Joey Kelly
Cc: freebsd-current@freebsd.org, freebsd-security@freebsd.org
Date: Sat, 15 Feb 2020 07:37:19 +0800
Subject: Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
In-Reply-To: <4627295.A1yGqSNMk2@deborah>

On Sat, 15 Feb 2020 at 4:27 am, Joey Kelly wrote:
> On Friday, February 14, 2020 01:18:44 PM Ed Maste wrote:
> > Upstream OpenSSH-portable removed libwrap support in version 6.7,
> > released in October 2014. We've maintained a patch in our tree to
> > restore it, but it causes friction on each OpenSSH update and may
> > introduce security vulnerabilities not present upstream. It's (past)
> > time to remove it.
>
> So color me ignorant, but how does this affect things like DenyHosts? Or
> is there an in-application way to block dictionary attacks? I can't go
> back to having my servers pounded on day and night (and yes, I listen on
> an alternative port).

DenyHosts can be configured to use PF firewall tables directly, rather
than using TCP wrappers:
https://github.com/denyhosts/denyhosts/blob/master/denyhosts.conf#L261

#######################################################################
#
# On FreeBSD/OpenBSD/TrueOS/PC-BSD/NetBSD/OS X we may want to block incoming
# traffic using the PF firewall instead of the hosts.deny file
# (aka tcp_wrapper).
# The admin can set up a PF table that is persistent
# and DenyHost can add new addresses to be blocked to that table.
# The TrueOS operating system enables this by default, blocking
# all addresses in the "blacklist" table.
#
# To have DenyHost update the blocking PF table in real time, uncomment
# these next two options. Make sure the table name specified
# is one created in the pf.conf file of your operating system.
# The PFCTL_PATH variable must point to the pfctl executable on your OS.
# PFCTL_PATH = /sbin/pfctl
# PF_TABLE = blacklist
# Note, a good rule to have in your pf.conf file to enable the
# blacklist table is:
#
# table <blacklist> persist file "/etc/blacklist"
# block in quick from <blacklist> to any
#
# Warning: If you are using PF, please make sure to disable the
# IPTABLES rule above as these two packet filters should not be
# run together on the same operating system.
# Note: Even if you decide to run DenyHost with PF filtering
# only and no hosts.deny support, please still create an empty
# file called /etc/hosts.deny for backward compatibility.
# Also, please make sure PF is enabled prior to launching
# DenyHosts. To do this run "pfctl -e".
#
# To write all blocked hosts to a PF table file enable this next option.
# This will make hosts added to the PF table persistent across reboots.
# PF_TABLE_FILE = /etc/blacklist # ####################################################################### Regards, Ben > -- -- From: Benjamin Woods woodsb02@gmail.com From owner-freebsd-security@freebsd.org Sat Feb 15 03:05:04 2020 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 4E48924C3C4; Sat, 15 Feb 2020 03:05:04 +0000 (UTC) (envelope-from marquis@roble.com) Received: from mx5.roble.com (mx5.roble.com [209.237.23.5]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (Client CN "mx5.roble.com", Issuer "mx5.roble.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 48KFV73cl6z4fHw; Sat, 15 Feb 2020 03:05:03 +0000 (UTC) (envelope-from marquis@roble.com) Received: from roble.com (roble.com [209.237.23.50]) by mx5.roble.com (Postfix) with ESMTP id 317857F6EB; Fri, 14 Feb 2020 19:04:56 -0800 (PST) Date: Fri, 14 Feb 2020 19:04:56 -0800 (PST) From: Roger Marquis To: freebsd-security@freebsd.org, freebsd-current@freebsd.org Subject: Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd In-Reply-To: Message-ID: References: <4627295.A1yGqSNMk2@deborah> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed X-Rspamd-Queue-Id: 48KFV73cl6z4fHw X-Spamd-Bar: / Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=none (mx1.freebsd.org: domain of marquis@roble.com has no SPF policy when checking 209.237.23.5) smtp.mailfrom=marquis@roble.com X-Spamd-Result: default: False [0.40 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-0.02)[-0.023,0]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; NEURAL_HAM_LONG(-0.47)[-0.466,0]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; DMARC_NA(0.00)[roble.com]; AUTH_NA(1.00)[]; RCVD_TLS_LAST(0.00)[]; RCPT_COUNT_TWO(0.00)[2]; R_SPF_NA(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; 
MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:17403, ipnet:209.237.0.0/18, country:US]; RCVD_COUNT_TWO(0.00)[2]; IP_SCORE(-0.01)[country: US(-0.05)] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 15 Feb 2020 03:05:04 -0000 In the interest of good logging it may be better to filter ssh attempts with libwrap than with packet filtering. The difference being that libwrap logging, particularly when used with fail2ban, tends to be more readable and parseable. Not having libwrap in sshd is most simply and easily worked around, IMO, by running it from inetd. While less experienced sysadmins may not be familiar with inetd, and some others believe it impacts session setup time, 99.99% of sshd implementations will not see any difference between sshd linked with libwrap vs unlinked and run under inetd. Performance might be an issue is when dozens or hundreds of sessions are received per minute but then those sites are likely to already have load balancing. FreeBSD's inetd also has more instance and rate-limiting options than libwrap or packet filtering. I wouldn't be surprised if this was part of the reason why it is no longer bundled. Roger Marquis > Upstream OpenSSH-portable removed libwrap support in version 6.7, > released in October 2014. We've maintained a patch in our tree to > restore it, but it causes friction on each OpenSSH update and may > introduce security vulnerabilities not present upstream. It's (past) > time to remove it. > >> So color me ignorant, but how does this affect things like DenyHosts? Or >> is there an in-application way to block dictionary attacks? I can't go back >> to having my servers pounded on day and night (and yes, I listed on an >> alternative port). 
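The two-line hosts.allow tail quoted earlier in the thread and Roger's point about filtering with libwrap both rest on how hosts_access(5) evaluates rules: hosts.allow is consulted first, the first matching rule wins, an explicit "allow" or "deny" option overrides the file it appears in, hosts.deny is consulted only when nothing in hosts.allow matched, and no match anywhere means access is granted. The script below is an added example, not code from this thread, from libwrap or from FreeBSD: it implements that subset of the grammar, including the "/path" client pattern that pulls addresses from a file (the /etc/hosts.deniedssh mechanism), and runs it over constructed rule files. All file contents, host names and addresses in it are made up for the example; EXCEPT lists, PARANOID, user@host patterns and shell-command options are deliberately not implemented. It also reproduces the ordering mistake a defender wants to catch: with the two lines swapped, "sshd : ALL : allow" matches first and the deny list is never consulted.

```python
"""Evaluate TCP Wrappers hosts.allow / hosts.deny decisions (added example).

Not libwrap's own code: a small evaluator for the subset of the
hosts_access(5) grammar needed to show how the quoted hosts.allow works.
Order of evaluation: hosts.allow first, first match wins, a trailing
"allow"/"deny" option overrides the file default, then hosts.deny, and
no match at all grants access.
Client patterns supported: ALL, exact host name or IPv4 address,
leading-dot domain suffix, trailing-dot address prefix, net/mask or
net/prefixlen, and "/path" (every pattern listed in that file).
EXCEPT, PARANOID, user@host and shell commands are not implemented.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Rule = Tuple[List[str], List[str], Optional[str]]  # (daemons, clients, option)


def parse_rules(text: str) -> List[Rule]:
    """Turn an access-control file body into (daemons, clients, option) rules."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2 or not fields[0] or not fields[1]:
            raise ValueError(f"malformed rule: {raw!r}")
        option = fields[2].lower() if len(fields) > 2 and fields[2] else None
        rules.append((fields[0].split(), fields[1].split(), option))
    return rules


def match_client(pattern: str, host: str, addr: str, files: Dict[str, str]) -> bool:
    """Return True if one client pattern matches the connecting host/address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("/"):                      # file of patterns, whitespace-separated
        tokens: List[str] = []
        for raw in files.get(pattern, "").splitlines():
            tokens.extend(raw.split("#", 1)[0].split())
        return any(match_client(t, host, addr, files) for t in tokens)
    if pattern.startswith("."):                      # domain suffix, e.g. ".example.net"
        return host.endswith(pattern)
    if pattern.endswith("."):                        # address prefix, e.g. "192.0.2."
        return addr.startswith(pattern)
    if "/" in pattern:                               # net/mask or net/prefixlen
        try:
            return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(pattern, strict=False)
        except ValueError:
            return False
    return pattern == host or pattern == addr        # exact host name or address


def hosts_access(daemon: str, host: str, addr: str, allow: str, deny: str,
                 files: Optional[Dict[str, str]] = None) -> Tuple[bool, str]:
    """Decide access for one connection; returns (granted, reason)."""
    files = files or {}
    for fname, text, default in (("hosts.allow", allow, True), ("hosts.deny", deny, False)):
        for daemons, clients, option in parse_rules(text):
            if not any(d in ("ALL", daemon) for d in daemons):
                continue
            if not any(match_client(p, host, addr, files) for p in clients):
                continue
            if option in ("allow", "deny"):          # explicit option beats the file default
                return option == "allow", f"{fname}: explicit {option}"
            return default, f"{fname}: matched"
    return True, "no rule matched: default allow"


# Constructed sample data (hypothetical hosts and addresses), mirroring the
# hosts.allow tail quoted in the thread.
HOSTS_ALLOW = """\
# for denyhosts
sshd : /etc/hosts.deniedssh : deny
sshd : ALL : allow
"""
HOSTS_ALLOW_MISORDERED = """\
sshd : ALL : allow
sshd : /etc/hosts.deniedssh : deny
"""
HOSTS_DENY = ""                                      # empty, as it usually is on FreeBSD
FILES = {"/etc/hosts.deniedssh": "192.0.2.7\n198.51.100.\n.bad.example\n"}


def demo() -> Dict[str, bool]:
    """Evaluate a few constructed clients against both rule orderings."""
    clients = [("scanner.bad.example", "192.0.2.7"),
               ("other.bad.example", "203.0.113.1"),
               ("box.good.example", "203.0.113.9")]
    results: Dict[str, bool] = {}
    for host, addr in clients:
        results[addr] = hosts_access("sshd", host, addr, HOSTS_ALLOW, HOSTS_DENY, FILES)[0]
        # With the lines swapped, "ALL : allow" matches first and the deny list is dead.
        results["swapped:" + addr] = hosts_access("sshd", host, addr,
                                                  HOSTS_ALLOW_MISORDERED, HOSTS_DENY, FILES)[0]
    return results


if __name__ == "__main__":
    for key, granted in demo().items():
        print(f"{key:25} {'allow' if granted else 'deny'}")
```

Running it prints deny for the two hosts that match the deny file and allow for the third, then allow for all three once the lines are swapped. The same evaluator makes Roger's inetd point concrete: whether libwrap is linked into sshd or applied by inetd, it is this file-driven decision (and its log line) that fires, which is why the rule order in hosts.allow deserves the same review as a firewall ruleset.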
From owner-freebsd-security@freebsd.org Fri Feb 14 23:59:09 2020
From: Michael Butler
Date: Fri, 14 Feb 2020 18:58:59 -0500
Subject: Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
To: Ben Woods
Cc: freebsd-current@freebsd.org, freebsd-security@freebsd.org
Message-ID: <618e2a2b-4d27-8860-7061-77bdf9e3967a@protected-networks.net>
References: <4627295.A1yGqSNMk2@deborah>

On 2/14/20 6:37 PM, Ben Woods wrote:
> On Sat, 15 Feb 2020 at 4:27 am, Joey Kelly wrote:
>
>> On Friday, February 14, 2020 01:18:44 PM Ed Maste wrote:
>>> Upstream OpenSSH-portable removed libwrap support in version 6.7,
>>> released in October 2014. We've maintained a patch in our tree to
>>> restore it, but it causes friction on each OpenSSH update and may
>>> introduce security vulnerabilities not present upstream. It's (past)
>>> time to remove it.
>>
>> So color me ignorant, but how does this affect things like DenyHosts? Or
>> is there an in-application way to block dictionary attacks? I can't go back
>> to having my servers pounded on day and night (and yes, I listed on an
>> alternative port).
>
> DenyHosts can be configured to use PF firewall tables directly, rather than
> using TCP wrappers:
> https://github.com/denyhosts/denyhosts/blob/master/denyhosts.conf#L261

Requiring the addition of a firewall where there was none before is a
significant and potentially error-prone change. I am not about to add
this degree of complexity to every machine which only has a single port
exposed via NAT.

To maintain equivalent functionality, the port version
(security/openssh-portable) has the requisite patch as an option or,
perhaps better, the base SSHD can be run from INETD and, consequently,
TCP-wrapped as it was before.

    imb

From owner-freebsd-security@freebsd.org Sat Feb 15 10:03:31 2020
From: "Bjoern A. Zeeb"
Date: Sat, 15 Feb 2020 10:03:21 +0000
To: "Ed Maste"
Cc: "FreeBSD Current", freebsd-security@freebsd.org
Subject: Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd

On 14 Feb 2020, at 18:18, Ed Maste wrote:

Hi Ed,

> Although the specific deprecation steps aren't yet fleshed out I'm
> sending this as an early notice that I plan to disable libwrap support
> from the base system sshd and that FreeBSD 13 will not support it.

I’ll be sad to run inetd again on systems so that I can run a wrapped
sshd. Like others I feel that adding firewalls to a machine simply to
filter sshd is not an option and whatever else openssh itself has offered
in the past never sufficed.

I am also worried that the change will make a lot of machines unprotected
upon updating to 13 if there is no big red warning flag before the
install.

I do understand the burden of maintaining a local patch (we lost the HA
patches from base this way already). Given the port already does maintain
the patch I am wondering what “security guarantees” we provide for the
port compared to the base system (ignoring possible security updates) or
why the patch cannot be included in base? Compared to the HA patch, this
one seems to be sillily small..

/bz

From owner-freebsd-security@freebsd.org Sat Feb 15 19:27:05 2020
From: Nathan Dorfman
Date: Sat, 15 Feb 2020 19:26:54 +0000
To: Glen Barber
Cc: freebsd-security@freebsd.org
Subject: Re: Cryptographic signatures of installer sets
Message-ID: <20200215192654.GA8@rtfm.net>
In-Reply-To: <20200212152221.GE9584@FreeBSD.org>
References: <20200125200007.GA11@rtfm.net> <20200127164201.GB9584@FreeBSD.org> <20200130005006.GA13@e398a4ce8009> <20200130132239.GG9584@FreeBSD.org> <20200201233420.GA18@rtfm.net> <20200203135710.GK9584@FreeBSD.org> <20200211233132.GA7@rtfm.net> <20200212152221.GE9584@FreeBSD.org>

On Wed, Feb 12, 2020 at 03:22:21PM +0000, Glen Barber wrote:
> > Have you considered the possibility of simply publishing a detached
> > signature with every MANIFEST, in a similar manner to what is done for
> > the installer images?
> >
>
> I have not, as a change to the misc/freebsd-release-manifests port will
> generate an email (or at minimum, a change in the repository), which
> would be a red flag for nefarious behavior.

Gotcha. So it sounds like your solution is the best path forward. Looking
forward to seeing your patch!

-nd.