From owner-freebsd-security Wed Aug 16 17:13:42 2000
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (cb34181-a.mdsn1.wi.home.com [24.14.173.39]) by hub.freebsd.org (Postfix) with ESMTP id D825637BBCD for ; Wed, 16 Aug 2000 17:13:37 -0700 (PDT) (envelope-from silby@silby.com)
Received: (qmail 14671 invoked by uid 1000); 17 Aug 2000 00:13:34 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 17 Aug 2000 00:13:34 -0000
Date: Wed, 16 Aug 2000 19:13:34 -0500 (CDT)
From: Mike Silbersack
To: Kris Kennaway
Cc: security@freebsd.org
Subject: Re: Hilighting dangerous ports
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 16 Aug 2000, Kris Kennaway wrote:

> On Wed, 16 Aug 2000, Mike Silbersack wrote:
>
> > Any way this could be mailed to root as well, or incorporated into that
> > day's security log? I find when I'm installing ports, I tend to zoom by
> > all the messages. However, if the info was (in addition) mailed to me,
> > I'd be more likely to pay attention.
>
> The setuid files will show up in the daily report.

True. However, that doesn't mean an extra reminder would hurt. I personally
don't think an extra e-mail every time I install a port with setuid files
would be too annoying.

> More useful than reporting startup scripts would probably be a list of
> current programs which are listening on sockets (from sockstat or
> whatever) - or do you think etc/rc.d changes are also worthwhile?

That sounds useful, but I'd be concerned about bind or other programs which
switch ports every once in a while causing false errors and falsely alarming
people. And related to that, it seems feasible that once people got used to
that, I could rename my remote UDP shell to bind, and have it hide,
pretending to be one of those false alarms. So, I'm not sure a simple diff
would suffice. You'd have to be a bit more clever for bind. Ftp servers
would probably kick off alarms as well, I suppose.

(I'm not trying to be harsh on the idea, I'm just worried that a false-prone
report would be worse than no report at all.)

Mike "Silby" Silbersack

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
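The message above argues that a plain diff of sockstat output would alarm every time named or an ftp server re-binds an unprivileged port. The following is an added example, not code from the thread or from FreeBSD's own periodic scripts, of how such a check can tolerate that: it normalizes sockstat-style lines to "user command proto port", collapses ports at or above 1024 to a single token for daemons named in a whitelist (EPHEMERAL_OK is an assumed, site-specific list), and reports only listeners that appeared or vanished relative to a saved baseline. The sockstat lines, PIDs, ports and the "mystery" listener are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): diff today's listening sockets against
# a saved baseline, ignoring unprivileged-port changes by daemons known to
# re-bind them, so a routine port change by named does not raise a false alarm.

# Daemons whose unprivileged local ports may legitimately change day to day.
# Assumption: site-specific; keep it short, since a command name alone is weak
# evidence of what a process really is.
EPHEMERAL_OK="named ftpd"

# normalize: sockstat-style lines on stdin -> sorted "user command proto port",
# with ports >= 1024 of whitelisted commands replaced by the token EPHEM.
normalize() {
    awk -v ok="$EPHEMERAL_OK" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allow[a[i]] = 1 }
        $1 == "USER" && $2 == "COMMAND" { next }   # skip the header line
        {
            port = $6; sub(/^.*:/, "", port)       # "*:1035" -> "1035"
            if (($2 in allow) && port + 0 >= 1024) port = "EPHEM"
            print $1, $2, $5, port
        }' | sort -u
}

# report_changes BASELINE CURRENT: print "+ ..." for listeners that appeared
# and "- ..." for listeners that vanished; prints nothing when nothing changed.
report_changes() {
    old=$(mktemp) || return 2
    new=$(mktemp) || { rm -f "$old"; return 2; }
    normalize < "$1" > "$old"
    normalize < "$2" > "$new"
    comm -13 "$old" "$new" | sed 's/^/+ /'   # only in current
    comm -23 "$old" "$new" | sed 's/^/- /'   # only in baseline
    rm -f "$old" "$new"
}

# Constructed sample data in the layout of `sockstat -4 -l`; PIDs, ports and
# the "mystery" listener are made up for the example.
BASELINE=$(mktemp); CURRENT=$(mktemp)
cat > "$BASELINE" <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       123   4  tcp4   *:22                  *:*
bind     named      200   5  udp4   *:53                  *:*
bind     named      200   6  udp4   *:1035                *:*
EOF
cat > "$CURRENT" <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       123   4  tcp4   *:22                  *:*
bind     named      200   5  udp4   *:53                  *:*
bind     named      200   7  udp4   *:2051                *:*
root     mystery    900   3  tcp4   *:2000                *:*
EOF

# Only the new tcp4 listener is reported; named moving from 1035 to 2051 is not.
report_changes "$BASELINE" "$CURRENT"
```

The comparison keys on user, command name and protocol rather than on the port alone, which is what removes the daily noise. As the message points out, the command name is chosen by whoever started the process, so a whitelist keyed on names is only a filter for routine changes, not proof of identity; a production check would want to pair it with something the process owner does not control, such as the path or checksum of the listening executable, which this example does not attempt.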