From owner-freebsd-security Tue Dec 10 19:04:41 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id TAA01908 for security-outgoing; Tue, 10 Dec 1996 19:04:41 -0800 (PST)
Received: from ican.net (ican.net [198.133.36.9]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id TAA01897 for ; Tue, 10 Dec 1996 19:04:38 -0800 (PST)
Received: from gate.ican.net(really [198.133.36.2]) by ican.net via sendmail with esmtp id for ; Tue, 10 Dec 1996 22:04:37 -0500 (EST) (Smail-3.2 1996-Jul-4 #1 built 1996-Jul-10)
Received: (from smap@localhost) by gate.ican.net (8.7.5/8.7.3) id WAA24696 for ; Tue, 10 Dec 1996 22:01:17 -0500 (EST)
Received: from nap.io.org(10.1.1.3) by gate.ican.net via smap (V1.3) id sma024694; Tue Dec 10 22:01:06 1996
Received: from localhost (taob@localhost) by nap.io.org (8.7.5/8.7.3) with SMTP id VAA10722 for ; Tue, 10 Dec 1996 21:58:09 -0500 (EST)
X-Authentication-Warning: nap.io.org: taob owned process doing -bs
Date: Tue, 10 Dec 1996 21:58:09 -0500 (EST)
From: Brian Tao
To: FREEBSD-SECURITY-L
Subject: Re: Risk of having bpf0? (was URGENT: Packet sniffer found on my system)
In-Reply-To: <9612101452.AA21942@halloran-eldar.lcs.mit.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

What are people's feelings on enabling devices like bpf or snp in the kernel on a public server? Obviously, had I not compiled bpf into the shell and Web server kernels, this particular incident would never have happened. However, I like to have access to tcpdump to check for things like ping floods, and trafshow to see where bytes are being sent. I know this depends entirely on your local setup, and every site has different policies, but I'd like to hear if anyone has strong feelings about "enabled" kernels or proposed solutions (i.e., an option to make bpf work only for processes run on the console).
--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Senior Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"
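An added example, not part of Brian Tao's message or the thread: if bpf stays compiled into a public server's kernel, the practical compensating control is to notice when something actually opens it, and a sniffer reading from bpf normally leaves the interface in promiscuous mode. The sh script below scans ifconfig-style output for the PROMISC flag so it can run from cron and flag the condition. The interface names, addresses and flag words in the sample are constructed for the example (the line layout follows ifconfig's usual "name: flags=...<...>" form, which is an assumption about the output on a given system), and the function names are the author's own.

```shell
#!/bin/sh
# Added example: report interfaces that ifconfig shows in promiscuous mode.
# A promiscuous interface on a host with bpf compiled in is the usual
# footprint of a running sniffer (tcpdump, trafshow, or something less welcome).

# Print the names of interfaces whose flags field contains PROMISC.
# Reads ifconfig-style text on stdin; one interface name per output line.
promisc_ifaces() {
    awk '/^[a-z0-9]+: *flags=/ && /<[^>]*PROMISC[^>]*>/ { sub(":", "", $1); print $1 }'
}

# Constructed sample ifconfig output (not captured from a real host).
SAMPLE='ed0: flags=8963<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
ed1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 198.51.100.5 netmask 0xffffff00 broadcast 198.51.100.255'

# check_promisc TEXT: print a one-line verdict and return 1 when any
# interface in TEXT is promiscuous, 0 otherwise. The non-zero exit status
# is what a cron wrapper would turn into mail to the admin.
check_promisc() {
    found=$(printf '%s\n' "$1" | promisc_ifaces | tr '\n' ' ')
    if [ -n "$found" ]; then
        echo "promiscuous interface(s): $found"
        return 1
    fi
    echo "no promiscuous interfaces"
    return 0
}

# Stand-alone run over the constructed sample. On a live host pass
# "$(ifconfig -a)" instead of "$SAMPLE". The non-zero return is the alert
# signal, so it is tolerated here rather than aborting the script.
check_promisc "$SAMPLE" || :
```

On the sample this prints "promiscuous interface(s): ed0 " and exits 1; with the ed0 line removed it prints "no promiscuous interfaces" and exits 0. The check only sees what the driver reports through ifconfig, so it is a cheap tripwire rather than proof of absence: a kernel without bpf at all is still the stronger answer to the question in the message.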