Re: Sharing internet connection, how?

2006-01-24 Thread Kilian Hagemann
On Tuesday 24 January 2006 18:19, cblasius pondered:
 Hello!

 I have two ethernet cards on my computer. The first is rl0 - with
 the address from my ISP xxx.xxx.xxx.xxx (DSL 1M), and the second is vr0
 - with the address 192.168.1.1.

 I want to use my computer as a gateway to the internet for the other
 computers in my home. How can I share the internet connection on my
 computer with the rest of the computers in my home? I have 2 computers (mine
 and my wife's (rl0 192.168.1.2)).

 Could someone help me, I'm a beginner?

 I have the following rc.conf file:

 defaultrouter=vvv.vvv.vvv.vvv
 gateway_enable=YES
 natd_enable=YES
 hostname=myhost
 ifconfig_rl0=inet xxx.xxx.xxx.xxx  netmask 255.255.255.0
 ifconfig_vr0=inet 192.168.1.1 netmask 255.255.255.0
 linux_enable=YES
 moused_enable=YES
 moused_flags=-3
 sshd_enable=YES
 usbd_enable=YES

 What else must I do, because my wife could not connect to the
 internet?
 FreeBSD 6.0-RELEASE

Until recently I managed a very similar setup. I think all you need is

natd_interface=rl0
natd_flags=-log_ipfw_denied -log_denied

The latter is just so that you can see spurious connection attempts 
in /var/log/security. Check man natd for more info.

Also, you'll have to either statically configure your wife's PC to use 
192.168.1.2 (or whatever), default gateway/route 192.168.1.1 and proper DNS. 
Alternatively install and configure dhcpd, or, which I like more for a simple 
application like that, dnsmasq. Google will tell you more :-)

-- 
Kilian Hagemann

Climate Systems Analysis Group
University of Cape Town
Republic of South Africa
Tel(w): ++27 21 650 2748
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Haven't been hacked, just prone to man-in-the-middle attacks (WAS: I have been hacked)

2006-01-19 Thread Kilian Hagemann
Hi guys,

Just to find closure on this thread, I'd like to admit that I jumped to 
conclusions too early and would like to share what had actually happened, 
after many hours wasted playing the detective :-(  (glad I didn't 
format/reinstall though)

When I used my FreeBSD gateway as an smtp server to convince myself I had 
been hacked, the smtp connection was somehow redirected to one of my 
institution's mail servers (or at least that's what gmail's mail headers are 
saying). Funny enough the same trick no longer works today, but then they're 
currently upgrading lots of stuff around here so that's a different story.

Then when I used ftp to connect to my gateway and it came up with frox 
transparent proxy, someone had actually intercepted my connection and 
forged/spoofed a reply. I know that because I went to the premises of my box, 
unplugged everything and tried that trick again, successfully, from a 
separate dial-up connection. Hey, nmap even told me my box had ports open 
even though it wasn't even up!

I've never seen anything like this before, but I've notified my ISP. Remains 
to be seen if they do anything about it...

Anyway, long story short I'm glad I'm still secure and thanks to everyone who 
helped me out and gave me advice.

-- 
Kilian Hagemann


Re: Have I been hacked or is nmap wrong?

2006-01-18 Thread Kilian Hagemann
On Tuesday 17 January 2006 19:27, Micheal Patterson pondered:
  The 1663 ports scanned but not shown below are in state: filtered)
  PORT STATE SERVICE
  80/tcp   open  http
  554/tcp  open  rtsp
  1755/tcp open  wms
  5190/tcp open  aol

 Kilian, what does a sockstat show you on those systems and are there any
 nats on either of these systems that would have a redirect_address to
 something behind them?

sockstat -4l only shows up the processes serving the LAN (dnsmasq, samba) as 
well as sshd:
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     smbd       484   18 tcp4   192.168.133.1:445     *:*
root     smbd       484   19 tcp4   192.168.133.1:139     *:*
root     nmbd       480   6  udp4   *:137                 *:*
root     nmbd       480   7  udp4   *:138                 *:*
root     nmbd       480   8  udp4   192.168.133.1:137     *:*
root     nmbd       480   9  udp4   192.168.133.1:138     *:*
nobody   dnsmasq    458   1  udp4   *:56212               *:*
nobody   dnsmasq    458   3  udp4   *:53                  *:*
nobody   dnsmasq    458   4  tcp4   *:53                  *:*
nobody   dnsmasq    458   5  udp4   *:67                  *:*
root     sshd       432   3  tcp4   *:22                  *:*
root     syslogd    311   4  udp4   *:514                 *:*

So nothing suspect at all here. Yes, the systems are natted (with the above 
system's LAN on 192.168.133.0/24), using ppp -nat. I have no specific redirects 
set up, and only an allow tcp/udp from LAN to WAN/any setup keep-state dynamic 
rule, but that should be unrelated.

If my server is not compromised, how the heck could an http/rtsp/wms/aol 
redirect sneak in there without me explicitly enabling it?

-- 
Kilian Hagemann

Climate Systems Analysis Group
University of Cape Town
Republic of South Africa
Tel(w): ++27 21 650 2748


I have been hacked (WAS: Have I been hacked or is nmap wrong?)

2006-01-18 Thread Kilian Hagemann
On Wednesday 18 January 2006 14:34, Ken Stevenson pondered:
 Is there any chance you have a router that's forwarding the ports
 in question to another computer?

Not that I know of. The setup is quite simple:

 wireless   ethernet(PPPoE)  ethernet
ISP---Modem--FreeBSD gateway---LAN

FreeBSD is my router with ppp -ddial -nat and a custom ipfw script that blocks 
all incoming connections while allowing legitimate traffic out (with 
keep-state rules).

Check this out: ftp my_server gives

220 Frox transparent ftp proxy. Login with [EMAIL PROTECTED]:port]]
Name (...)

I have never even heard of frox before, but after some googling it turns out 
that it's a GPL'ed transparent ftp proxy...

Also, I said smtp ports were open on the machines in question, I just verified 
that I can send emails via BOTH these systems even though no 
sendmail/exim/whatever was ever installed by me and sendmail_enable=None on 
both.

My servers have been compromised, fantastic. And that with an initial 
firewall'ed setup that left NO open ports (I verified that a while ago with 
nmap). So much for my impression that FreeBSD was secure.

How could this have happened? ipfw buffer overflow? Some other unknown 
vulnerability?

I really wanna find out how they got in (syslog offers no clues btw, I've been 
rootkitted after all :-( Any suggestions other than 
format/reinstall/tripwire?

-- 
Kilian Hagemann

Climate Systems Analysis Group
University of Cape Town
Republic of South Africa
Tel(w): ++27 21 650 2748


Re: I have been hacked (WAS: Have I been hacked or is nmap wrong?)

2006-01-18 Thread Kilian Hagemann
On Wednesday 18 January 2006 16:25, Will Maier pondered:
 On Wed, Jan 18, 2006 at 03:56:32PM +0200, Kilian Hagemann wrote:
  I have never even heard of frox before, but after some googling
  it turns out that it's a GPL'ed transparent ftp proxy...

 Where's it pointing?

No idea, I only went as far as trying to login anonymously using a console 
based ftp client. How could I find out?

  Also, I said smtp ports were open on the machines in question, I
  just verified that I can send emails via BOTH these systems even
  though no sendmail/exim/whatever was ever installed by me and
  sendmail_enable=None on both.

 What do you see when you connect to the SMTP ports? Are they really
 mail servers, or just rogue services running on 25?

They are really mail servers, at least smtp for outgoing mails (don't know 
about incoming though). I used kmail to configure them as standard outgoing 
smtp mail servers and successfully sent myself two emails, one via each 
server. Surely a default, out of the box, unconfigured and 
sendmail_enable=None sendmail process wouldn't allow for something like 
that, never mind the fact that the firewall is supposed to block ANY access 
from the outside (output of ipfw show is attached)

  My servers have been compromised, fantastic. And that with an
  initial firewall'ed setup that left NO open ports (I verified that
  a while ago with nmap). So much for my impression that FreeBSD was
  secure.

 My condolences; what you describe, though, doesn't really suggest
 that /FreeBSD/ is insecure. In the vast majority of these situations
 (and yes, I have found myself in your shoes before), the operator
 (you or I) is to blame.

Alright, I guess that's a fair assumption. But that's what this thread is 
about: What (if anything) did I do wrong?

  How could this have happened? ipfw buffer overflow? Some other
  unknown vulnerability?

 Ockham's razor: the simplest is also the most likely solution.
 You're running Samba; is there any chance that that service or your
 configuration of it could have opened a hole? How many people have
 user accounts on that box? Do you allow
 ChallengeResponseAuthentication on SSH? Key only?

Well, I didn't worry about samba because it's firewalled to the outside (unless 
some Windows virus on one of the LAN machines exploited a samba hole, is that 
likely?). There is only one single normal user account with an uncommon name 
and an impossible password (16 characters randomly generated from ASCII 
charset). ChallengeResponseAuthentication is commented out in sshd which I 
guess means it uses the standard PAM authentication. It also allows 
password/interactive authentication in addition to public key, I always use 
the former. I do admit that I have set PermitRootLogin yes but my root 
password is 9 characters with numbers and non-alphanumeric characters, so 
hard to brute-force.

In any case, it's important to note that the only access from the outside via 
ssh/rsync is firewalled in such a way that it only allows access from a 
single IP address which my institution assigns me statically via DHCP (see 
attachment). They would have had to a) find out what this one and only 
trusted IP address is b) spoof it successfully c) attack ssh brute force?

  I really wanna find out how they got in (syslog offers no clues
  btw, I've been rootkitted after all :-(

 You'll need to do a more sophisticated forensic analysis, then, to
 figure out what happened. Some basic questions: were you running a
 file integrity monitor? What did it say? Do you have logs that were
 remotely backed up (and, therefore, likely still accurate)? What do
 they say? Do you have any network monitoring that might have
 recorded an intrusion? What services /should/ be running on the box
 (I don't think this was ever actually listed -- it would be useful
 to know)? Do you have dumps of the traffic leaving or entering the
 box?

Well, I thought my setup was secure enough for a very basic 
router/gateway/firewall for a couple of Windows machines using a sucky 
internet connection which is not worth stealing. So I didn't go through the 
effort of using a file integrity monitor, remote logging, traffic dumps or 
network monitors (jeez, sysadmins' lives are really difficult these days :-( ) 
The services that should be running on the box are:

LAN only: samba, dnsmasq
LAN and WAN: ssh/rsync

I wanted to use rsync with ssh authentication/remote shell to sync my /etc 
and /usr/etc to my workstation and then comparing the update with a static 
copy to find out if anything had changed. But before I could do that, the one 
server mysteriously had its ssh/rsync disabled and I didn't take a healthy 
copy of /etc of the other one to begin with :-(

 Again, this is a tough and very unfortunate position to be in -- I
 sympathize. It may very well not be worth the time it takes to fully
 investigate the source of the compromise. Real forensic analysis is
 outside most of our job descriptions; I know that my

Re: I have been hacked (WAS: Have I been hacked or is nmap wrong?)

2006-01-18 Thread Kilian Hagemann
On Wednesday 18 January 2006 17:13, [EMAIL PROTECTED] pondered:
 sendmail_enable=NONE would do the same as all that other crap mentioned
 i find it a waste of time trying to figure out how a hacker got in just
 format the machine reinstall freebsd and secure the box up a bit and try
 updating it when vulnerabilities are out. And this shouldn't happen again

Yeah, I'll have to look into that NONE vs all NO individually because it gave 
me hassles from the beginning (STILL sendmail stuff in /var/log/messages 
after disabling with NONE), but the important thing here is outside sendmail 
access was firewalled (see my other post and its attachment for ipfw rules).

Anyway, I guess you're right, reinstalling and beefing up security will be 
easier. I just thought that if they didn't get in through brute-forcing my 
sshd (the only vulnerability I can think of so far), and the attack came from 
the internet (not some worm/virus on one of the Windows machines), it's some 
unpublished vulnerability in some part of FreeBSD that I'm sure others would 
like to know about. But hey, from what you guys are telling me that seems 
unlikely...

-- 
Kilian Hagemann


Re: Share desktop with XOrg

2006-01-18 Thread Kilian Hagemann
On Wednesday 18 January 2006 18:08, User Gandalf pondered:
 Is it possible to share a desktop under the XOrg server? Is there a port
 for this? I'm aware of the -display option of X based programs. What I
 need is not a remote desktop connection. I would like to share my
 desktop to another user so he can see what I see.

Yes, the stock Xorg server doesn't though. You could use VNC, but in my 
experience that just opens up another X display where you login separately 
using kdm/gdm/xdm or whatever.

I suggest you use KDE's desktop sharing (krfb, in the menu under System, 
part of the kdenetwork package, tested on 3.4.1). Does what you want.

-- 
Kilian Hagemann


Have I been hacked or is nmap wrong?

2006-01-17 Thread Kilian Hagemann
Hi there,

I'm managing two FreeBSD based gateways, one running 5.2.1-RELEASE and the 
other 5.3-STABLE, both not having been updated since I installed from ISO 
images. They both have custom ipfw firewalls that are dropping pretty much 
everything that's not supposed to come in.

All was fine and dandy until one day I noticed that when I nmap'ed them from 
the outside, the one shows

The 1663 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
80/tcp   open  http
554/tcp  open  rtsp
1755/tcp open  wms
5190/tcp open  aol

and the other the same without the http bit. When I nmap them from the only 
address that they allow ssh/rsync access from (my public IP at work), nmap 
says that ftp, smtp and irc (port 6668) are open.

Even though I have sendmail_enable=none in my rc.conf I still get some 
sendmail entries in my syslog so that might explain the open smtp port, but 
the others are DEFINITELY NOT supposed to be open.

I haven't noticed anything different on the servers themselves and neither can 
I detect these open ports on the machine itself (using lsof -i :1-65535 or 
netstat). I also haven't noticed any abnormal traffic volumes originating 
from them.

So, have I been hacked and rootkitted? Or is nmap simply lying to me?

I've been subscribed to freebsd-announce and thus seen all SA's to date, but 
none of them are relevant to any of my setups.

-- 
Kilian Hagemann

Climate Systems Analysis Group
University of Cape Town
Republic of South Africa
Tel(w): ++27 21 650 2748
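The thread turns on the gap between what nmap reports from outside and what sockstat shows on the box itself (the listing in "Re: Have I been hacked or is nmap wrong?" and the nmap summary in the original question). As an added example, not code from the thread or from FreeBSD, here is a small Python check that parses both listings and lists the externally open ports that no WAN-reachable local listener accounts for; each such port then needs one of the explanations the thread itself goes through. The sample listings are constructed from the output quoted in the thread, and the 192.168.133.1 address is treated as LAN-only.

```python
import re

# Constructed sample input: rows from the sockstat -4l listing quoted in the
# thread, re-typed with aligned columns (values as posted, fewer rows).
SOCKSTAT_OUTPUT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     smbd       484   18 tcp4   192.168.133.1:445     *:*
nobody   dnsmasq    458   4  tcp4   *:53                  *:*
root     sshd       432   3  tcp4   *:22                  *:*
root     syslogd    311   4  udp4   *:514                 *:*
"""
# Constructed: the four ports nmap showed from outside, plus 22/tcp as it
# would appear from the one trusted source address the firewall admits.
NMAP_OUTPUT = """\
PORT     STATE SERVICE
80/tcp   open  http
554/tcp  open  rtsp
1755/tcp open  wms
5190/tcp open  aol
22/tcp   open  ssh
"""

def parse_sockstat(text, wan_addrs=("*",)):
    """Map (proto, port) -> command for listeners a WAN peer could reach."""
    # Sockets bound only to the LAN address are ignored unless that
    # address is listed in wan_addrs.
    listeners = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 7:
            continue
        _user, command, _pid, _fd, proto, local = fields[:6]
        addr, _, port = local.rpartition(":")
        if addr in wan_addrs:
            listeners[(proto[:3], int(port))] = command
    return listeners

def parse_nmap(text):
    """Set of (proto, port) that nmap reported as open."""
    opened = set()
    for line in text.splitlines():
        m = re.match(r"(\d+)/(tcp|udp)\s+open\b", line)
        if m:
            opened.add((m.group(2), int(m.group(1))))
    return opened

def unexplained_open_ports(sockstat_text, nmap_text, wan_addrs=("*",)):
    """Ports open from outside with no local listener to account for them."""
    # Each result needs an explanation: a listener hidden from sockstat
    # (rootkit), a NAT/redirect rule, or interception upstream of the box.
    local = parse_sockstat(sockstat_text, wan_addrs)
    return sorted(p for p in parse_nmap(nmap_text) if p not in local)
```

Run from inside the LAN with a scan from a trusted address and from an untrusted one; ports that show as open only from untrusted addresses, as here, point away from the box itself.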