From owner-freebsd-security Tue Jul 24 17:33:29 2001
Delivered-To: freebsd-security@freebsd.org
Received: from chrome.jdl.com (chrome.jdl.com [209.39.144.2]) by hub.freebsd.org (Postfix) with ESMTP id 66E6637B401 for <security@freebsd.org>; Tue, 24 Jul 2001 17:33:23 -0700 (PDT) (envelope-from jdl@chrome.jdl.com)
Received: from chrome.jdl.com (localhost [127.0.0.1]) by chrome.jdl.com (8.9.1/8.9.1) with ESMTP id TAA07176; Tue, 24 Jul 2001 19:38:10 -0500 (CDT) (envelope-from jdl@chrome.jdl.com)
Message-Id: <200107250038.TAA07176@chrome.jdl.com>
To: Kris Kennaway
Cc: Peter Pentchev, security@freebsd.org
Subject: Re: Security Check Diffs Question
In-reply-to: Your message of "Tue, 24 Jul 2001 15:47:11 PDT." <20010724154711.B36368@xor.obsecurity.org>
Clarity-Index: null
Threat-Level: none
Software-Engineering-Dead-Seriousness: There's no excuse for unreadable code.
Net-thought: If you meet the Buddha on the net, put him in your Kill file.
Date: Tue, 24 Jul 2001 19:38:10 -0500
From: Jon Loeliger
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

So, like Kris Kennaway was saying to me just the other day:

> > ypchfn changed its inode number, and its link count. This means that
> > somebody performed an unlink() (delete) on ypchfn, and then created
> > a new ypchfn with the same size, timestamp, permissions and stuff,
> > but still a new file - and that's where the hardlink count + inum
> > tracking of /etc/security kicked in and alerted you.
>
> This is a signature I've seen before; chances are someone has gained
> root on your machine (probably through telnetd)

Excellent. So given the grim situation, this is what I want to hear.
The system was compromised. My suspicion is that telnetd was the
culprit, given it came on the heels of the telnet Security announcement.
No, I hadn't fixed it yet.

Man, there just isn't enough time in the day to do your real job _and_
plug the security holes! :-(

So the machine is currently off the air. I'll rebuild it. And would
that be 4.4 or 4.3? Rats.

I'm also going to set up a more serious DMZ firewall. Can I ask you
guys questions and hold my hand through setting it all up? I am not
familiar with IPFW, but I know what it does, how it works, networking
and IP details.

So here's what I think I want to set up now:

- External ISP ISDN wire comes out of the wall,
- Hits the Ascend Pipeline-50 and comes out ethernet,
- Goes into a DMZ box on one ether card,
- Same DMZ box has IPFW rules allowing traffic (or not) to be
  forwarded to the second ether card in that box,
- The second ether card plugs into the 24-port switch,
- Everything else on the "inside" plugs into that same switch.

For starters, do I have the basic scheme right?

( So I'm waiting on the high speed link to come up again, and
eventually the Pipe-50 gets replaced with a T-1 LMC card. (Does
FreeBSD have an LMC T-1 driver? Or will I have to use this old POS
Linux box for that?) )

You know, this is a pain! But I appreciate your suggestions! :-)

jdl
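The two-NIC filtering box described in the list above, as an added example that is not part of this message or of any reply in the thread: a minimal stateful ipfw(8) ruleset for a FreeBSD 4.x router with one interface toward the Pipeline-50 and one toward the switch. The interface names, the inside prefix, and the script's own function names are assumptions; the rule syntax (check-state, keep-state, setup, via) is the ipfw syntax of that era. The default is a dry run that only prints the rules; `apply` flushes the live ruleset and loads them.

```shell
#!/bin/sh
# Added example (not from the original post): two-interface IPFW ruleset
# for the topology in the message. Run with no argument to print the
# rules, or with "apply" to load them. Needs gateway_enable="YES" and
# firewall_enable="YES" in /etc/rc.conf for forwarding to happen at all.

OIF="${OIF:-ed0}"                 # assumption: NIC facing the Pipeline-50
IIF="${IIF:-ed1}"                 # assumption: NIC facing the 24-port switch
INET="${INET:-192.168.1.0/24}"    # assumption: the inside network

# gen_rules prints one ipfw rule per line; lines starting with '#' are
# comments for the reader and are stripped before loading.
gen_rules() {
    cat <<EOF
# loopback stays local; nothing claiming 127/8 may cross the wire
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 120 deny ip from 127.0.0.0/8 to any
# anti-spoof: inside addresses must never arrive on the outside NIC
add 200 deny log ip from $INET to any in via $OIF
# replies to sessions opened from inside match the dynamic rules here
add 300 check-state
# the inside network may hand packets to the router, and receive them back
add 310 allow ip from $INET to any in via $IIF
add 320 allow ip from any to $INET out via $IIF
# sessions started toward the outside create dynamic rules for their replies
add 330 allow tcp from any to any out via $OIF setup keep-state
add 340 allow udp from any to any out via $OIF keep-state
add 350 allow icmp from any to any out via $OIF keep-state
# anything else that shows up on the outside NIC (telnet included) is logged and dropped
add 900 deny log ip from any to any in via $OIF
add 65000 deny log ip from any to any
EOF
}

# apply_rules replaces the running ruleset with the generated one.
apply_rules() {
    ipfw -f flush
    gen_rules | grep -v '^#' | while read -r line; do
        # shellcheck disable=SC2086  (word splitting of $line is intended)
        ipfw $line
    done
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

Because rule 330 only matches in the outbound direction on the outside NIC, no inbound connection from the ISDN side ever gets a dynamic rule, so unsolicited telnet (or anything else) falls through to rule 900 and shows up in the log. The `deny log` rules are where the /etc/security daily report would have surfaced the probe that led to this thread.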