From owner-freebsd-security Tue Aug 25 13:02:51 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA24435 for freebsd-security-outgoing; Tue, 25 Aug 1998 13:02:51 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from RWSystems.net (Commie.RWSystems.net [204.251.23.221]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA24406 for ; Tue, 25 Aug 1998 13:02:41 -0700 (PDT) (envelope-from jwyatt@rwsystr.RWSystems.net)
Received: from rwsystr.RWSystems.net([204.251.23.1]) (2509 bytes) by RWSystems.net via sendmail with P:smtp/R:inet_hosts/T:smtp (sender: ) id for ; Tue, 25 Aug 1998 14:43:22 -0500 (CDT) (Smail-3.2.0.101 1997-Dec-17 #1 built 1998-Jul-31)
Date: Tue, 25 Aug 1998 14:45:26 -0500 (CDT)
From: James Wyatt
To: Paul Hart
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Scaring the bezeesus out of your system admin as a normal user:
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 24 Aug 1998, Paul Hart wrote:

> On Fri, 21 Aug 1998, Ben wrote:
> > -s Operate in secure mode. Do not listen for log message from remote
> > machines.
>
> This is kind of a related question, but in 2.2.7-RELEASE syslogd appears
> to have been modified to bind to its UDP port even if it is run with the
> -s flag. It does discard packets received on the port (but still logs a
> message about it!), but should it not even bind to the port when running
> in secure mode? It didn't bind to the port in previous versions, if
> memory serves.

I would like to know if my syslogd receives packets from misconfigs or miscreants, but was thinking about using ipfw logging for it. This (IMHO, hackish) modification seems like too much of a bending from 'average' syslogd behaviour.
Also: has anyone had a daemon that allowed authentication (from somewhere not normally 'trusted', via something like S/Key) and then altered ipfw's rules to trust that site/host for a while? Like the securecard stuff where you telnet to the router, respond to a challenge, and then it anoints you for a count (once!) or time for telnet or ftp connect and then doesn't trust that net/address again.

A daemon could bind to a given port, wait for a connect, perform authentication, query what level of access, enable host access, wait for a given period, and disable host access. The tricky part is limiting the number of connections: ipfw doesn't seem to know connection state. If I remove the routing rules the existing connections are dead. If I limit connects and allow other TCP packets through, I am exposed to session hijacking.

Oh well, I was just curious if anyone else had done it, enough jabbering... Thanks and I *really* appreciate the amount of work that's gone into ipfw. - James Wyatt (jwyatt@rwsystems.net)

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
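The authenticate-then-open-ipfw daemon sketched in the message above, as an added example; it is not part of the original thread and not FreeBSD or ipfw code. Assumptions made here: an HMAC challenge-response over a shared secret stands in for S/Key, the daemon listens on TCP port 2222, it opens telnet (port 23) for the authenticated peer's address through ipfw rule number 10000, and it deletes that rule again after 60 seconds. The ipfw invocations go through a run() hook so that demo() can record the commands instead of executing them; the real serve() loop has to run as root for ipfw to accept the changes. The host address and secret in the demo are constructed.

```python
import hashlib
import hmac
import os
import socket
import subprocess
import threading

# Every value below is an assumption for this example, not from the thread.
SHARED_SECRET = b"constructed-example-secret"  # stands in for an S/Key seed
LISTEN_PORT = 2222     # port the daemon itself accepts on
SERVICE_PORT = 23      # service opened for the authenticated host (telnet)
RULE_NUMBER = 10000    # unused ipfw rule slot owned by the daemon
OPEN_SECONDS = 60.0    # how long the host stays trusted


def make_challenge():
    """Fresh random nonce; a reply is good for this one challenge only."""
    return os.urandom(16).hex()


def response_for(challenge, secret=SHARED_SECRET):
    """Client side: HMAC of the nonce under the shared secret (S/Key stand-in)."""
    return hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()


def verify(challenge, reply, secret=SHARED_SECRET):
    # compare as bytes: constant time, and junk (non-ASCII) input cannot raise
    return hmac.compare_digest(response_for(challenge, secret).encode(),
                               reply.strip().encode())


def ipfw_open(host, service_port=SERVICE_PORT, rule=RULE_NUMBER):
    """'setup' matches only SYN packets, so just new connections from the host
    are admitted; their later packets need an 'established' rule."""
    return ["ipfw", "add", str(rule), "allow", "tcp", "from", host,
            "to", "me", str(service_port), "setup"]


def ipfw_close(rule=RULE_NUMBER):
    return ["ipfw", "delete", str(rule)]


def grant(host, seconds=OPEN_SECONDS, run=subprocess.run):
    """Add the allow rule now; return the armed timer that deletes it again."""
    run(ipfw_open(host), check=True)
    t = threading.Timer(seconds, lambda: run(ipfw_close(), check=True))
    t.daemon = True
    t.start()
    return t


def handle(conn, peer_ip, seconds=OPEN_SECONDS, run=subprocess.run):
    """One session: challenge, verify, open ipfw. Returns close timer or None."""
    challenge = make_challenge()
    conn.sendall((challenge + "\n").encode())
    conn.settimeout(10)
    try:
        reply = conn.recv(256).decode(errors="replace")
    except socket.timeout:
        reply = ""
    if not verify(challenge, reply):
        conn.sendall(b"denied\n")
        return None
    timer = grant(peer_ip, seconds, run)
    conn.sendall(b"granted\n")
    return timer


def serve(port=LISTEN_PORT):
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(("0.0.0.0", port))
        s.listen(5)
        while True:
            conn, (peer_ip, _) = s.accept()
            with conn:
                handle(conn, peer_ip)


def demo():
    """Offline walk-through over a socketpair, zero-second window, ipfw calls
    recorded. Returns (good_client_granted, bad_client_granted, commands)."""
    commands, outcomes = [], []

    def record(cmd, check=True):
        commands.append(" ".join(cmd))

    for reply_fn in (response_for, lambda challenge: "not-the-answer"):
        server, client = socket.socketpair()
        with server, client:
            th = threading.Thread(target=lambda: outcomes.append(
                handle(server, "192.0.2.10", seconds=0.0, run=record)))
            th.start()
            challenge = client.recv(256).decode().strip()
            client.sendall((reply_fn(challenge) + "\n").encode())
            client.recv(64)                     # "granted" or "denied"
            th.join()
        if outcomes[-1] is not None:
            outcomes[-1].join()                 # wait for the delete to fire
    return outcomes[0] is not None, outcomes[1] is not None, commands
```

demo() returns (True, False, ['ipfw add 10000 allow tcp from 192.0.2.10 to me 23 setup', 'ipfw delete 10000']). The 'setup' keyword is what limits the grant to new connections, but the packets of those connections still have to pass a rule such as 'allow tcp from any to any established', and that rule is precisely the exposure the message describes: ipfw of that era cannot tell an established packet belonging to the authorized session from one injected by a hijacker. Stateful matching (keep-state / check-state) arrived in later ipfw releases and closes that gap. Two practical details a deployed version needs: delete the rule unconditionally at startup so a crash cannot leave a host trusted, and allocate a distinct rule number per grant instead of sharing RULE_NUMBER, or a second client's timer will tear down the first client's access.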