Date:      Wed, 16 Aug 2000 19:13:34 -0500 (CDT)
From:      Mike Silbersack <silby@silby.com>
To:        Kris Kennaway <kris@FreeBSD.org>
Cc:        security@freebsd.org
Subject:   Re: Hilighting dangerous ports
Message-ID:  <Pine.BSF.4.21.0008161902300.14627-100000@achilles.silby.com>
In-Reply-To: <Pine.BSF.4.21.0008161628130.28154-100000@freefall.freebsd.org>


On Wed, 16 Aug 2000, Kris Kennaway wrote:

> On Wed, 16 Aug 2000, Mike Silbersack wrote:
> 
> > Any way this could be mailed to root as well, or incorporated into that
> > day's security log?  I find when I'm installing ports, I tend to zoom by
> > all the messages.  However, if the info was (in addition) mailed to me,
> > I'd be more likely to pay attention.
> 
> The setuid files will show up in the daily report.

True.  However, that doesn't mean an extra reminder would hurt.  I
personally don't think an extra e-mail every time I install a port with
setuid files would be too annoying.

> More useful than reporting startup scripts would probably be a list of
> current programs which are listening on sockets (from sockstat or
> whatever) - or do you think etc/rc.d changes are also worthwhile?

That sounds useful, but I'd be concerned about bind or other programs
which switch ports every once in a while causing false errors and falsely
alarming people.

And related to that, it seems feasible that once people got used to that,
I could rename my remote UDP shell to bind, and have it hide, pretending
to be one of those false alarms.

So, I'm not sure a simple diff would suffice.  You'd have to be a bit more
clever for bind.  FTP servers would probably kick off alarms as well, I
suppose.

(I'm not trying to be harsh on the idea, I'm just worried that a
false-prone report would be worse than no report at all.)


Mike "Silby" Silbersack
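
The listener-diff problem discussed in this message, as an added example that is not part of the original e-mail: it compares two `sockstat -l` snapshots and excuses a port change only when the same PID, under the expected user, still holds the daemon's well-known port, so a process that is merely named like the daemon is still reported. The sockstat lines are constructed samples; the `ANCHORS` policy and the function names are assumptions.

```python
# Constructed sample snapshots in `sockstat -l` column order:
# USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
BEFORE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       212   3  tcp4   *:22                  *:*
bind     named      301   20 udp4   *:53                  *:*
bind     named      301   21 udp4   *:1034                *:*
"""
AFTER = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       212   3  tcp4   *:22                  *:*
bind     named      301   20 udp4   *:53                  *:*
bind     named      301   21 udp4   *:1047                *:*
root     named      977   4  udp4   *:4000                *:*
"""

# Assumed policy: command -> (expected user, proto, well-known port).
ANCHORS = {"named": ("bind", "udp4", 53)}


def parse(snapshot):
    """Return a set of (user, command, pid, proto, port) tuples."""
    rows = set()
    for line in snapshot.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        user, cmd, pid, _fd, proto, local = fields[:6]
        port = local.rsplit(":", 1)[-1]
        if port.isdigit():                          # ignore wildcard ports
            rows.add((user, cmd, int(pid), proto, int(port)))
    return rows


def classify(before, after):
    """Label each listener absent from `before` as 'moved' or 'ALERT'."""
    new = parse(after)
    known = {(u, c, pr, po) for u, c, _pid, pr, po in parse(before)}
    report = []
    for u, c, pid, pr, po in sorted(new):
        if (u, c, pr, po) in known:
            continue                                # unchanged listener
        anchor = ANCHORS.get(c)
        # Trust a new port only if this same PID also owns the anchor port.
        trusted = (anchor is not None and u == anchor[0]
                   and (u, c, pid, anchor[1], anchor[2]) in new)
        report.append(("moved" if trusted else "ALERT", u, c, pid, pr, po))
    return report
```

The command name and user come straight from sockstat and are not verified here, so the anchor check reduces false alarms without making the name itself a trusted value.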


