Message-Id: <3.0.5.32.19980729004535.01453880@sentex.net>
Date: Wed, 29 Jul 1998 00:45:35 -0400
To: Wes Peters
From: Mike Tancsa
Subject: Re: QPopper exploit
Cc: freebsd-chat@FreeBSD.ORG
In-Reply-To: <35BEA2E3.9EFB8C9F@softweyr.com>
References: <35be78f0.278958611@mail.sentex.net>

At 10:19 PM 7/28/98 -0600, Wes Peters wrote:
>Mike Tancsa wrote:
>
>> I could only guess how often more 'popular' targets get attacked. We
>> are only a 6000 user ISP. Imagine how much AOL and Microsoft must
>> see.
>
>Not very much, inside the firewall.

I would imagine this is the case (i.e. not many successful attempts), but
I was lamenting the fact that there are so many constant attempts... On
our router we block all spoofing attempts, hence I have a daily log of
all this and other unwanted activity. Even such lamo things as people
trying to telnet in and login as root on our various boxes trying to
guess at the root password!!

A few postings ago on bugtraq I recall reading about some poor soul who
went away on vacation when the exploit started making its rounds. He
came back only to find his entire network compromised.
If the bug surfaced a week later, this would have happened to me :-( I
mean, within hours of the canned script being released through a few
channels, I was seeing evidence of attempted exploits in my popper logs
from all over the globe.

>
>One quick, fast, reliable way to protect yourself is to put your
>router/firewall to the outside world onto a switch port on a
>smart switch; the router/firewall won't see *most* of the internal,
>unicast traffic, and therefore cannot be used to snoop any of that.

Or, on the inexpensive, private physical ethernet segments behind
FreeBSD boxes will do the trick as well. Those smart switches are still
fairly pricy compared to surplus 486s, a few ne2000s running FreeBSD,
ipfw / natd. Our most critical stuff is 2 physical segments away from
our users, and 3 segments from the outside world.

	---Mike
------------------------------------------------------------------------
Mike Tancsa,                            tel 01.519.651.3400
Network Administrator,                  noc@sentex.net
Sentex Communications                   www.sentex.net
Cambridge, Ontario Canada