Date: Fri, 4 Sep 1998 11:13:13 -0500 (CDT)
From: Guy Helmer <ghelmer@scl.ameslab.gov>
To: Raymond Hunter <raymond@acc-uk.com>
Cc: "'Adam Maloney'" <adam@iexposure.com>, freebsd-questions@FreeBSD.ORG
Subject: RE: bpfilter
Message-ID: <Pine.SGI.3.96.980904110103.24575C-100000@demios.scl.ameslab.gov>
In-Reply-To: <000a01bdd819$a7aa9bc0$be85f0d4@vanilla.acc-uk.com>
On Fri, 4 Sep 1998, Raymond Hunter wrote:

> >Hello,
> >
> >I have a FreeBSD machine set up as a secondary DNS and sendmail fallback for
> >my network. I'd also like to use the machine as a network monitor. I
> >downloaded a package (trafshow-2.0) which requires the Berkeley packet filter
> >to be enabled.
> >
> >In the FreeBSD handbook, there's a paragraph that talks about the bpfilter
> >and how it can be a security risk to your network. What are the security
> >risks of running bpfilter, and how should I set it up?
>
> The security risks relate to people who have root access on your box. People
> with such access can use sniffer programs to listen for plain text passwords
> etc. POP3 would thus be affected. If you and other admins are the only
> people with root, there is no security risk.

Unfortunately, there may be ways for normal users to gain root privileges
via exploits against setuid programs or privileged daemons (although I
don't know of any exploits to which 3.0-current or 2.2-stable systems are
vulnerable). If you are concerned about this possibility, and if
untrustworthy users are allowed on a system that has the bpfilter in the
kernel, remove the setuid bits on any programs that aren't used and turn
off any unused daemons that aren't needed. Be sure any remaining daemons
in use don't have known security issues (such as an older version of
qpopper).

See Robert Watson's suidcontrol program
(http://www.watson.org/fbsd-hardening/suidcontrol.html) if you want help
with reviewing the setuid programs on your system.

Guy Helmer

Guy Helmer, Graduate Student, Iowa State University Dept. of Computer Science
Research Assistant, Ames Laboratory --- ghelmer@scl.ameslab.gov
Research Assistant, Dept. of Computer Science --- ghelmer@cs.iastate.edu
http://www.cs.iastate.edu/~ghelmer

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
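
The setuid review recommended in the reply above can be started with a short script. This is an added example, not part of the original message and not Robert Watson's suidcontrol; the function names, the allowlist file and the output format are assumptions of the example, and it goes slightly beyond the message by also listing bpf device nodes that non-root users can open.

```shell
#!/bin/sh
# Added example (not from the original message).
# Hypothetical helpers: audit_setid, open_bpf_nodes.

# audit_setid ROOT ALLOWLIST
# Lists setuid/setgid regular files under ROOT (same filesystem only).
# ALLOWLIST is a text file with one absolute path per line naming the
# set-id programs the site actually uses. Output per file:
#   KEEP   <mode> <path>   listed in ALLOWLIST
#   REVIEW <mode> <path>   not listed: candidate for "chmod ug-s"
audit_setid() {
    root=$1
    allow=$2
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    sort |
    while IFS= read -r f; do
        mode=$(ls -ld "$f" | awk '{print $1}')
        if grep -Fxq -- "$f" "$allow" 2>/dev/null; then
            echo "KEEP   $mode $f"
        else
            echo "REVIEW $mode $f"
        fi
    done
}

# open_bpf_nodes DEVDIR
# Prints bpf nodes in DEVDIR that "other" can read or write. If any are
# listed, sniffing no longer requires root on this machine.
open_bpf_nodes() {
    find "$1" -maxdepth 1 -name 'bpf*' \( -perm -004 -o -perm -002 \) -print 2>/dev/null |
    sort
}

# Run as: sh audit.sh / /root/setid.allow
if [ "$#" -ge 2 ]; then
    audit_setid "$1" "$2"
    open_bpf_nodes /dev
fi
```

The script only reports; every REVIEW line is a decision for the administrator, since stripping the bit from a program that is in use will break it.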