From owner-freebsd-questions Tue Jan 2 22: 8:47 2001
Delivered-To: freebsd-questions@freebsd.org
Message-ID: <003b01c0754b$aa4d17f0$17622104@next>
From: "Jason Halbert"
To: "David Kelly"
References: <200101030333.f033Xup03770@grumpy.dyndns.org>
Subject: Re: Security Problem
Date: Wed, 3 Jan 2001 06:08:59 -0000

The evidence suggests "David Kelly" wrote:

> "Jason Halbert" writes:
> > Is there a way to block an entire host (e.g. *.gtei.net) or a block of
> > ip's (e.g. 4.33.*)? Or is there a way to say that only a certain
> > domain or block of ip's can access my system?
>
> See ipfw(8). And the examples in /etc/rc.firewall. You can block an
> address, or range of addresses. But you can't block by symbolic domain
> name.
>
> > Also, is there a way to block the use of "adduser" or "vipw" or even
> > looking at /etc/master.passwd without being the specific user "root".
> > Whereas you must be root and not "su" or any other user to see and/or
> > use those commands.
> >
> > I hope that makes sense.
>
> Sort of. Read the man page for su, specifically the difference between
> the -m and -l versions. FreeBSD defaults with a shell alias for su of
> "su -m". If a user is able to su to root, then that user is able to do
> a full login to root where both user-id and effective-user-id are root.
>
> If you are having problems as you seem to be suggesting, then it's likely
> you have been root-kit'ed and nothing on your machine can be trusted.
> Am saying it's not just the su utility which is a problem. It's time for
> a backup, wipe, and re-install from known clean media such as the WC
> distribution CDROM. Then audit everything which goes back on the system
> from the backup tape. Don't restore anything root would use, use only
> new clean copies.
>
> Later you can compare the old and new files to determine the extent of
> the problem.
>
> Tripwire (/usr/ports/security/tripwire*) and mtree (/usr/sbin/mtree) are
> helpful in such situations, but only if applied before the event, not
> after.

Is it possible to chmod certain directories such as /etc and /usr/sbin so
that no one but root may read, write and execute and not cause any
problems? If a person doesn't have permission to the dir then afaics they
shouldn't be able to mess with anything.

*slightly paranoid now*

I plan to re-install from ftp.

---
Jason
jason@jason-n3xt.org
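The mtree/Tripwire-style baseline that David Kelly recommends, as an added Python example that is not from this thread or from either tool: it records mode, owner, size and SHA-256 for every file under a directory, then reports what was added, removed or changed since the baseline. The file names and contents in `demo()` are constructed stand-ins for /etc, not real system files.

```python
"""Minimal mtree/Tripwire-style integrity check: record mode, owner, size and
SHA-256 per file, then diff a later snapshot. Only useful if taken beforehand."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

Entry = Tuple[int, int, int, str]  # (st_mode, st_uid, st_size, sha256)

def snapshot(root: str) -> Dict[str, Entry]:
    """Map each path under root (relative) to its metadata and content hash.
    Symlinks are not followed; their target string is hashed instead, so a
    binary replaced by a link shows up as a change rather than vanishing."""
    result: Dict[str, Entry] = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            full = Path(dirpath) / name
            st = full.lstat()
            data = os.readlink(full).encode() if full.is_symlink() else full.read_bytes()
            rel = str(full.relative_to(root))
            result[rel] = (st.st_mode, st.st_uid, st.st_size, hashlib.sha256(data).hexdigest())
    return result

def compare(baseline: Dict[str, Entry], current: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Report paths that were added, removed or changed since the baseline."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in both if baseline[p] != current[p]),
    }

def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a throwaway 'etc' tree, alter it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp) / "etc"
        etc.mkdir()
        (etc / "master.passwd").write_bytes(b"root:*:0:0::0:0:Charlie &:/root:/bin/csh\n")
        (etc / "rc.conf").write_bytes(b'firewall_enable="YES"\n')
        for name, mode in (("master.passwd", 0o600), ("rc.conf", 0o644)):
            os.chmod(etc / name, mode)  # pin modes so the later change is visible
        baseline = snapshot(tmp)
        # Changes made after the baseline: content edit, mode change, new file.
        (etc / "master.passwd").write_bytes(b"root:*:0:0::0:0:Charlie &:/root:/bin/sh\n")
        os.chmod(etc / "rc.conf", 0o666)
        (etc / "unexpected.conf").write_bytes(b"not in the baseline\n")
        return compare(baseline, snapshot(tmp))

if __name__ == "__main__":
    print(demo())
```

Run it as root over the real /etc and /usr/sbin and store the baseline off-box (CD or a read-only share), since a baseline kept on a compromised host can be rewritten along with everything else.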