From owner-freebsd-security Tue Dec 10 22:56:17 1996
Date: Wed, 11 Dec 1996 00:51:45 -0600 (CST)
From: Brian Mitchell
To: Brian Tao
cc: FREEBSD-SECURITY-L
Subject: Re: Risk of having bpf0? (was URGENT: Packet sniffer found on my system)

On Tue, 10 Dec 1996, Brian Tao wrote:

> What are people's feelings on enabling devices like bpf or snp
> in the kernel on a public server? Obviously, had I not compiled bpf
> into the shell and Web server kernels, this particular incident would
> never have happened. However, I like to have access to tcpdump to
> check for things like ping floods, and trafshow to see where bytes are
> being sent. If you disable it, remember to take lkm out with it.
>
> I know this depends entirely on your local setup, and every site
> has different policies, but I'd like to hear if anyone has strong
> feelings about "enabled" kernels or proposed solutions (i.e., an
> option to make bpf work only for processes run on the console).

All machines clearly don't need bpf. Maybe a single machine (the admin machine) should have it enabled to monitor the network, but the public machines should probably have it disabled.

Brian Mitchell / brian@saturn.net
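The two kernel settings the thread tells you to remove from public servers (the bpf pseudo-device, and LKM support so a module cannot bring bpf back) can be audited mechanically. The script below is an added example, not code from either poster; it assumes the 2.x-era config syntax (`pseudo-device bpfilter N`, `options LKM`) and runs against two constructed sample configs.

```shell
#!/bin/sh
# Added example: audit FreeBSD 2.x-style kernel config files for the two
# settings discussed in the thread. Prints each finding on stderr and the
# number of findings on stdout (0 means the config follows the advice).

audit_kernel_config() {
    cfg="$1"
    findings=0
    # Drop comments first so a commented-out line is correctly treated as disabled.
    stripped=$(sed 's/#.*//' "$cfg")
    if printf '%s\n' "$stripped" | grep -Eq '^[[:space:]]*pseudo-device[[:space:]]+bpfilter([[:space:]]|$)'; then
        echo "FINDING: bpfilter pseudo-device compiled in: $cfg" >&2
        findings=$((findings + 1))
    fi
    if printf '%s\n' "$stripped" | grep -Eq '^[[:space:]]*options[[:space:]]+LKM([[:space:]]|$)'; then
        echo "FINDING: LKM (loadable kernel module) support enabled: $cfg" >&2
        findings=$((findings + 1))
    fi
    echo "$findings"
}

# Constructed sample config for a hardened public server: both settings
# present only as comments, which the audit must treat as disabled.
PUBLIC_CFG=$(mktemp)
cat > "$PUBLIC_CFG" <<'EOF'
machine         "i386"
cpu             "I586_CPU"
ident           PUBLIC
#pseudo-device  bpfilter 4      # removed: no sniffing on public hosts
#options        LKM             # removed along with bpf
pseudo-device   loop
EOF

# Constructed sample config for the single admin machine that keeps bpf
# (and LKM) so tcpdump/trafshow still work there.
ADMIN_CFG=$(mktemp)
cat > "$ADMIN_CFG" <<'EOF'
machine         "i386"
ident           ADMIN
pseudo-device   bpfilter 4
options         LKM
pseudo-device   loop
EOF

echo "public server findings: $(audit_kernel_config "$PUBLIC_CFG")"
echo "admin machine findings: $(audit_kernel_config "$ADMIN_CFG")"
```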