Re: OT: Security question (openssl vs openssh)
On Tue, May 03, 2011, Mark Moellering wrote:
> Everyone,
> I am looking into setting up a webserver to hold some very sensitive
> information. I am trying to figure out which is more secure, forcing
> any web connections to be done using an ssh tunnel or forcing ssl.
> I have not been able to figure out if one is definitively much more
> secure than another or if they are close to the same. I would have
> initially thought the ssh tunnel was more secure but knowing that ssl
> can use AES-256, I am now wondering if that isn't adding a complexity
> for little extra security.

Our solution for critical services like this is to run the service only on a private LAN segment which is available from the outside world only through an OpenVPN connection. The OpenVPN connection requires unique keys for each client which are easily revoked if a laptop is lost or stolen or on employee termination. It also isolates the web service from other external attacks via insecure PHP scripts and such.

Bill
--
INTERNET: b...@celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676  Mercer Island, WA 98040-0820
Fax: (206) 232-9186  Skype: jwccsllc (206) 855-5792

If the personal freedoms guaranteed by the Constitution inhibit the
government's ability to govern the people, we should look to limit those
guarantees.
-- President Bill Clinton, August 12, 1993
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: OT: Security question (openssl vs openssh)
On 5/3/11 10:22 AM, Mark Moellering wrote:
> Everyone,
> I am looking into setting up a webserver to hold some very sensitive
> information. I am trying to figure out which is more secure, forcing
> any web connections to be done using an ssh tunnel or forcing ssl.
> I have not been able to figure out if one is definitively much more
> secure than another or if they are close to the same. I would have
> initially thought the ssh tunnel was more secure but knowing that ssl
> can use AES-256, I am now wondering if that isn't adding a complexity
> for little extra security.
>
> Thanks in advance
>
> Mark Moellering

I'd say that that's a really hard problem to answer definitively, but my gut reaction is that the less complex solution is less likely to involve configuration screw-ups which compromise security. Particularly if other administrators are or will be involved, that which is too clever just begs for innocent, even if clueless, changes that compromise assumptions upon which the security depends.

In any case, I'd worry more about how I handle user authentication and authorization than squeezing the last little drop of warm fuzzies out of the encryption setup. To the extent that if you already have a fully trusted infrastructure in place for ssh keys, you might want to consider using ssh tunnels for that reason alone.

Or, to put it another way, if your security is going to fall, it's much more likely that it's going to involve a poor configuration choice, a user that screws up big time, or a "back door" to the data, than a successful "technical" attack against TLS or SSH.

--Jon Radel
j...@radel.com
Re: OT: Security question (openssl vs openssh)
On Tue, May 3, 2011 at 10:22 AM, Mark Moellering wrote:
> Everyone,
> I am looking into setting up a webserver to hold some very sensitive
> information. I am trying to figure out which is more secure, forcing any
> web connections to be done using an ssh tunnel or forcing ssl.
> I have not been able to figure out if one is definitively much more secure
> than another or if they are close to the same. I would have initially
> thought the ssh tunnel was more secure but knowing that ssl can use AES-256,
> I am now wondering if that isn't adding a complexity for little extra
> security.
>
> Thanks in advance
>
> Mark Moellering

I don't think there is any extra security in tunneling an HTTP connection over SSH. User authentication is a different matter, but the encryption algorithms are the same. Most web servers have an option of configuring what ciphers are allowed (same as OpenSSH, by the way), so you can easily restrict HTTPS connections to just AES-256 or any other cipher you prefer.

The bigger issue will be how to prevent MITM attacks. With SSH, you have to make sure that the clients have the correct public key ahead of time or provide a way to verify the key during the first connection. With HTTPS you can get a certificate from an existing CA, which allows clients to verify the server identity without any extra work on your part. As an alternative, you can create your own CA and distribute the public key to the clients, which is pretty similar to SSH, except that it's much easier to change the server certificate later on.

- Max
OT: Security question (openssl vs openssh)
Everyone,

I am looking into setting up a webserver to hold some very sensitive information. I am trying to figure out which is more secure, forcing any web connections to be done using an ssh tunnel or forcing ssl.

I have not been able to figure out if one is definitively much more secure than another or if they are close to the same. I would have initially thought the ssh tunnel was more secure but knowing that ssl can use AES-256, I am now wondering if that isn't adding a complexity for little extra security.

Thanks in advance

Mark Moellering
Re: Wine security question...
man jail

Thanks
Subhro

On Fri, Aug 29, 2008 at 8:16 AM, Christopher Joyner <[EMAIL PROTECTED]> wrote:
> Is it possible to use wine in a secure way? I had a warning about it after
> installing it from the ports. So I was wondering if it's possible to limit
> it to a certain area. Like a sandbox?
>
> In Love in Jesus Christ, Or Lord and Savior.
>
> For God so loved the world, that he gave his only *begotten Son, that
> whosoever believeth in him should not perish, but have everlasting life.
> --John 3:16
Wine security question...
Is it possible to use wine in a secure way? I had a warning about it after installing it from the ports. So I was wondering if it's possible to limit it to a certain area. Like a sandbox?

In Love in Jesus Christ, Or Lord and Savior.

For God so loved the world, that he gave his only *begotten Son, that whosoever believeth in him should not perish, but have everlasting life.
--John 3:16
Re: Ksh Shell script security question.
> I am puzzled how to secure this code when this shell script is being executed.
>
> ${ORACLE_HOME}/bin/sqlplus -s <

Hi Dak,

The reason you can see the code in ${RESTOREFILE} is because of the tee command. With `tee -a` you're actually asking to have the code installed in ${RESTOREFILE}.

Now, one way to secure this is to set a restrictive umask at the start of the script. For example, setting `umask 0077` will cause your script to generate files which will only be read/write for the user who runs the script. But the files will still have your username/passwd in them.

To remove the username/passwd from the files, may I suggest you change your code to include the username/passwd into the sqlplus command. Like this for example:

export ORACLE_SID="your_oracle_sid"
# Options such as -s go before the logon string.
sqlplus -s "${USERNAME}/${PASSWORD}" <<-EOF | tee -a "${RESTOREFILE}"
set heading off
set feedback off
set pagesize 500
select 'SCN_TO_USE | '||max(next_change#) from V\$LOG_HISTORY;
quit
EOF

This will still generate a file, but the username/password won't be there. Of course, that means you need to hide your credentials in an encrypted file elsewhere on your machine. You can then set up code that will check the md5 sum of the password file and use something like OpenSSL or GPG to encrypt/decrypt the file.

Have fun,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122
Re: Ksh Shell script security question.( SOLVED)
On 2/15/07, Dan Nelson <[EMAIL PROTECTED]> wrote:
> In the last episode (Feb 15), Thomas Dickey said:
> > On Wed, Feb 14, 2007 at 10:57:12PM -0600, Dan Nelson wrote:
> > > In the last episode (Feb 14), Dak Ghatikachalam said:
> > > > I am puzzled how to secure this code when this shell script is
> > > > being executed.
> > > >
> > > > ${ORACLE_HOME}/bin/sqlplus -s <
> > > > EOF
> > > >
> > > > When I run this code from shell script in /tmp directory it spews
> > > > file called /tmp/sh03400.000 in that I have this entire code
> > > > visible.
> > >
> > > I bet if you check the permissions you'll find the file has mode
> > > 0600, which means only the user running the script can read the
> > > file (at least that's what a test using the pdksh port does on my
> > > system). ksh93 does have a problem, though: it opens a file and
> > > immediately unlinks it, but the file is world-readable for a short
> > > time.
> >
> > Doesn't it (ksh93, etc) pay attention to umask?
> > If it does, the script should use that feature.
>
> It does honor umask, but I think temp files should be created mode
> 0600 in all cases. A person may have a umask of 022 to allow normal
> files to be read by group members but still not want them to see
> here-document contents. They may not even realize that their shell is
> using tempfiles. Some shells use pipes (bash and ash do; zsh uses an
> 0600 tempfile that it immediately unlinks; Solaris sh uses an 0600
> tempfile).
>
> > > Both ksh variants honor the TMPDIR variable, though, so if you create a
> > > ~/tmp directory, chmod it so only you can access it, then set
> > > TMPDIR=~/tmp , you will be secure even if you're using ksh93.
> >
> > relatively (it's not a given that people haven't opened up ~/tmp)
>
> I think if someone has gone to the trouble of creating a private ~/tmp
> directory, they probably know what they're doing and know the
> consequences of opening it up.

I appreciate all your response.
Thanks a lot for insight on unix fundamentals.

The issue I had is solved by doing umask 077 at the start of the script, so what it did was it created the temporary files with read+write for owner of the file, and in my process I also create directories while RMAN backup is being run, so that umask 077 for directory gave rwx for directories while creation.

This problem I had is solved now, it is secure.

Thanks
Dak

> --
> Dan Nelson
> [EMAIL PROTECTED]
Re: Ksh Shell script security question.
In the last episode (Feb 15), Thomas Dickey said:
> On Wed, Feb 14, 2007 at 10:57:12PM -0600, Dan Nelson wrote:
> > In the last episode (Feb 14), Dak Ghatikachalam said:
> > > I am puzzled how to secure this code when this shell script is
> > > being executed.
> > >
> > > ${ORACLE_HOME}/bin/sqlplus -s <
> > > EOF
> > >
> > > When I run this code from shell script in /tmp directory it spews
> > > file called /tmp/sh03400.000 in that I have this entire code
> > > visible.
> >
> > I bet if you check the permissions you'll find the file has mode
> > 0600, which means only the user running the script can read the
> > file (at least that's what a test using the pdksh port does on my
> > system). ksh93 does have a problem, though: it opens a file and
> > immediately unlinks it, but the file is world-readable for a short
> > time.
>
> Doesn't it (ksh93, etc) pay attention to umask?
> If it does, the script should use that feature.

It does honor umask, but I think temp files should be created mode 0600 in all cases. A person may have a umask of 022 to allow normal files to be read by group members but still not want them to see here-document contents. They may not even realize that their shell is using tempfiles. Some shells use pipes (bash and ash do; zsh uses an 0600 tempfile that it immediately unlinks; Solaris sh uses an 0600 tempfile).

> > Both ksh variants honor the TMPDIR variable, though, so if you create a
> > ~/tmp directory, chmod it so only you can access it, then set
> > TMPDIR=~/tmp , you will be secure even if you're using ksh93.
>
> relatively (it's not a given that people haven't opened up ~/tmp)

I think if someone has gone to the trouble of creating a private ~/tmp directory, they probably know what they're doing and know the consequences of opening it up.

--
Dan Nelson
[EMAIL PROTECTED]
Re: Ksh Shell script security question.
On Wed, Feb 14, 2007 at 10:57:12PM -0600, Dan Nelson wrote:
> In the last episode (Feb 14), Dak Ghatikachalam said:
> > I am puzzled how to secure this code when this shell script is
> > being executed.
> >
> > ${ORACLE_HOME}/bin/sqlplus -s <
> >    connect system/ugo8990d
> >    set heading off
> >    set feedback off
> >    set pagesize 500
> >    select 'SCN_TO_USE | '||max(next_change#) from V\$LOG_HISTORY;
> >    quit
> > EOF
> >
> > When I run this code from shell script in /tmp directory it spews
> > file called /tmp/sh03400.000 in that I have this entire code visible.
>
> I bet if you check the permissions you'll find the file has mode 0600,
> which means only the user running the script can read the file (at
> least that's what a test using the pdksh port does on my system).
> ksh93 does have a problem, though: it opens a file and immediately
> unlinks it, but the file is world-readable for a short time.

Doesn't it (ksh93, etc) pay attention to umask?
If it does, the script should use that feature.

> Both ksh variants honor the TMPDIR variable, though, so if you create a
> ~/tmp directory, chmod it so only you can access it, then set
> TMPDIR=~/tmp , you will be secure even if you're using ksh93.

relatively (it's not a given that people haven't opened up ~/tmp)

--
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net
Re: Ksh Shell script security question.
In the last episode (Feb 14), Dak Ghatikachalam said:
> I am puzzled how to secure this code when this shell script is
> being executed.
>
> ${ORACLE_HOME}/bin/sqlplus -s
>    set heading off
>    set feedback off
>    set pagesize 500
>    select 'SCN_TO_USE | '||max(next_change#) from V\$LOG_HISTORY;
>    quit
> EOF
>
> When I run this code from shell script in /tmp directory it spews
> file called /tmp/sh03400.000 in that I have this entire code visible.

I bet if you check the permissions you'll find the file has mode 0600, which means only the user running the script can read the file (at least that's what a test using the pdksh port does on my system). ksh93 does have a problem, though: it opens a file and immediately unlinks it, but the file is world-readable for a short time.

Both ksh variants honor the TMPDIR variable, though, so if you create a ~/tmp directory, chmod it so only you can access it, then set TMPDIR=~/tmp , you will be secure even if you're using ksh93.

--
Dan Nelson
[EMAIL PROTECTED]
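Added example, not part of any message in this thread: a POSIX sh version of the two measures discussed here, `umask 077` and a private `TMPDIR`, with a check that refuses a `~/tmp` that has been opened up. The function names `private_tmpdir`, `with_private_tmp` and `modes_under_umask` and the file names `restore.log` and `backupdir` are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): keep shell temp files private.

# Succeed only if $1 is a real directory (not a symlink) owned by the
# caller with mode 0700; create it with that mode if it does not exist.
private_tmpdir() {
    dir=$1
    if [ ! -e "$dir" ] && [ ! -L "$dir" ]; then
        mkdir -m 700 "$dir" || return 1
    fi
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        return 1
    fi
    # "ls -ldn" prints the mode string first and the numeric owner third.
    perms=$(ls -ldn "$dir" | cut -c1-10)
    owner=$(ls -ldn "$dir" | awk '{ print $3 }')
    [ "$owner" = "$(id -u)" ] || return 1
    [ "$perms" = "drwx------" ]
}

# Run a command with umask 077 and TMPDIR set to the private directory,
# in a subshell so the caller's own umask and TMPDIR are left untouched.
with_private_tmp() {
    dir=$1
    shift
    private_tmpdir "$dir" || { echo "refusing to use $dir" >&2; return 1; }
    ( umask 077; TMPDIR=$dir; export TMPDIR; "$@" )
}

# Create a file and a directory under the current umask and print their
# mode strings, to show what umask 077 gives each of them.
modes_under_umask() {
    base=$1
    : > "$base/restore.log"
    mkdir "$base/backupdir"
    f=$(ls -ld "$base/restore.log" | cut -c1-10)
    d=$(ls -ld "$base/backupdir" | cut -c1-10)
    echo "$f $d"
}

# Demonstration in a scratch area (constructed; nothing outside it is touched).
demo() {
    scratch=$(mktemp -d) || return 1
    with_private_tmp "$scratch/tmp" modes_under_umask "$scratch/tmp"
    chmod 755 "$scratch/tmp"    # simulate a ~/tmp that has been opened up
    with_private_tmp "$scratch/tmp" true || echo "opened-up directory rejected"
    rm -rf "$scratch"
}
demo
```

In a real script the same effect comes from calling `private_tmpdir "$HOME/tmp"`, then `umask 077` and `export TMPDIR="$HOME/tmp"`, before the first here-document.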
Ksh Shell script security question.
Hi Freebsd

I am puzzled how to secure this code when this shell script is being executed.

${ORACLE_HOME}/bin/sqlplus -s
Re: User Security Question?
On 1/9/07, VeeJay <[EMAIL PROTECTED]> wrote:
> Hello Friends
>
> Just had a debate with a colleague at office, but still lack knowledge on FreeBSD security :(
>
> I have few questions.
>
> 1. What privileges a "standard" user (NOT member of Wheel Group) has on a FreeBSD Box?
> 2. How can he/she damages the systems or make a breach?
> 3. If that particular user is willing to damage the FreeBSD box, so which "locations" OR "files" are more likely to be damaged or affected?
> 4. How dangerous a Standard User could be to a FreeBSD box?
> 5. What sort of possible methods he/she can apply to hack the system and create a breach into the system?
> 6. How can we check that if a system is affected by a Bad User?
>
> I would really appreciate your comments in this regard
>
> Cheers!!!
>
> --
> Thanks!
> BR / vj

--
Thanks!
BR / vj
Re: User Security Question?
VeeJay <[EMAIL PROTECTED]> wrote:
> Just had a debate with a colleague at office, but still lack knowledge on
> FreeBSD security :(

For a start, I recommend you read the security(7) manual page. It should give at least rough answer to most of your questions. Another good reading is chapter 14 of the FreeBSD Handbook, titled "Security".

Best regards
Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author and may not necessarily reflect the opinions of secnetix in any way.

> Can the denizens of this group enlighten me about what the
> advantages of Python are, versus Perl ?
"python" is more likely to pass unharmed through your spelling checker than "perl".
-- An unknown poster and Fredrik Lundh
User Security Question?
Hello Friends

Just had a debate with a colleague at office, but still lack knowledge on FreeBSD security :(

I have few questions.

1. What privileges a "standard" user (NOT member of Wheel Group) has on a FreeBSD Box?
2. How can he/she damages the systems or make a breach?
3. If that particular user is willing to damage the FreeBSD box, so which "locations" OR "files" are more likely to be damaged or affected?
4. How dangerous a Standard User could be to a FreeBSD box?
5. What sort of possible methods he/she can apply to hack the system and create a breach into the system?
6. How can we check that if a system is affected by a Bad User?

I would really appreciate your comments in this regard

Cheers!!!

--
Thanks!
BR / vj
Re: IMAP-UW Security question
Jose Borquez wrote:
> SECURITY REPORT:
> This port has installed the following binaries which execute with
> increased privileges.
> /usr/local/libexec/mlock
>
> What can I do to minimize this security risk? Do I create an mlock user?

In fact, every port that installs a suid-binary will show this warning. Creating a user won't help, mlock will run as root (that is what it's about). Just keep the port up-to-date and it's ok.

Frank
IMAP-UW Security question
Just recently installed IMAP-UW through ports and once the install finished I got the following security message:

SECURITY REPORT:
This port has installed the following binaries which execute with increased privileges.
/usr/local/libexec/mlock

What can I do to minimize this security risk? Do I create an mlock user?

Thanks in advance,
Jose
VLAN security question
I set up a FreeBSD box to be firewall/NAT/mailserver/etc. for a company, but that company subsequently went to a VoIP system, installed a Cisco switch, programmed the switch to route Internet traffic through the BSD box as before but also to route telephone traffic NOT through it, then set things up so that the workstations in the building are plugged into the phones (which have little hubs in them). Internet traffic is now on a VLAN, and telephone traffic is on a different VLAN.

Running tcpdump on a workstation indicates that VLAN traffic can be seen there (sensible because the phones contain hubs, not switches). Tcpdump also shows that people on the Internet can send packets onto the telephone VLAN (i.e., random packets from the world can reach the phones and the workstations on that VLAN). The packets I'm seeing with tcpdump are still encapsulated.

Question: Is this a security problem? For example, can a packet be crafted out there to show up non-encapsulated and on the workstation network, thus circumventing my FreeBSD firewall?

Up to now, I've been assuming that this network is as secure as the phones themselves, meaning that if someone can hack a telephone and make it do things on the network, we have a problem, but otherwise we don't. That prospect also bothers me but is probably outside the scope of my question. :-)

--
Doug Lee [EMAIL PROTECTED]
SSB + BART Group [EMAIL PROTECTED] http://www.bartsite.com
"Determine that the thing can and shall be done, and then...find the way." - Abraham Lincoln
Re: Security question - uids of 0
toor is a base system user. It is a default user. It is used for several reasons and is secure as long as no one can access your console directly.

On Monday 16 August 2004 09:57 am, James A. Coulter wrote:
> The following appeared in my latest daily security run output:
>
> Checking for uids of 0:
> root 0
> toor 0
>
> This is the first time I've seen this message.
>
> I checked /etc/passwd and found this:
>
> root:*:0:0:Charlie &:/root:/bin/csh
> toor:*:0:0:Bourne-again Superuser:/root:
>
> I am running FreeBSD 4.10 as a gateway/router/firewall with IPFW for a
> small home LAN.
>
> I ran ps -aux and looked for any processes owned by "toor" but didn't find
> any.
>
> Is this something to be concerned about?
>
> Sorry if this is an obvious question, but I am still very much a newbie
> and trying to learn what I can about security.
>
> Thanks for your patience,
>
> Jim
Re: Security question - uids of 0
On Mon, Aug 16, 2004 at 05:01:51PM +0200, Volker Kindermann wrote:
> Hi James,
>
> > The following appeared in my latest daily security run output:
> >
> > Checking for uids of 0:
> > root 0
> > toor 0
> >
> > This is the first time I've seen this message.
> >
> > I checked /etc/passwd and found this:
> >
> > root:*:0:0:Charlie &:/root:/bin/csh
> > toor:*:0:0:Bourne-again Superuser:/root:
> >
> > I am running FreeBSD 4.10 as a gateway/router/firewall with IPFW for a
> > small home LAN.
> >
> > I ran ps -aux and looked for any processes owned by "toor" but didn't
> > find any.
>
> did you install bash? Normally, the bash from ports or packages will
> install the "toor" account so you don't have to change root's shell.
>
> If you installed bash then there's nothing to worry about this entry.
> If you don't need it, just use vipw and delete it.
>
> -volker

Thank you Volker - I did install bash several weeks ago, so the sudden appearance of the message in my daily security run caught my attention.

Thanks to everyone who sent the http://www.freebsd.org/doc/faq/security.html#TOOR-ACCOUNT link.

Jim
Re: Security question - uids of 0
> The following appeared in my latest daily security run output:
>
> Checking for uids of 0:
> root 0
> toor 0
>
> This is the first time I've seen this message.
>
> I checked /etc/passwd and found this:
>
> root:*:0:0:Charlie &:/root:/bin/csh
> toor:*:0:0:Bourne-again Superuser:/root:
>
> I am running FreeBSD 4.10 as a gateway/router/firewall with IPFW for a small
> home LAN.
>
> I ran ps -aux and looked for any processes owned by "toor" but didn't find any.
>
> Is this something to be concerned about?

No. It is normal. It is one of the normal accounts put there in a standard install. It is essentially a root account by another name. Some things used to like to use it to own their installed stuff but avoid using root directly. I don't know if anything really does that any more. I sometimes use it as a model pw entry when in vipw for creating new accounts directly to help avoid missing a field.

> Sorry if this is an obvious question, but I am still very much a newbie
> and trying to learn what I can about security.

This has been brought up and answered numerous times in the past. You might try and search for information on toor account. You should be able to find something.

jerry

> Thanks for your patience,
>
> Jim
Re: Security question - uids of 0
On Mon, Aug 16, 2004 at 09:57:37AM -0500, James A. Coulter wrote:
> The following appeared in my latest daily security run output:
>
> Checking for uids of 0:
> root 0
> toor 0
>
> This is the first time I've seen this message.
>
> I checked /etc/passwd and found this:
>
> root:*:0:0:Charlie &:/root:/bin/csh
> toor:*:0:0:Bourne-again Superuser:/root:
>
> I am running FreeBSD 4.10 as a gateway/router/firewall with IPFW for a small
> home LAN.
>
> I ran ps -aux and looked for any processes owned by "toor" but didn't find any.
>
> Is this something to be concerned about?
>
> Sorry if this is an obvious question, but I am still very much a newbie
> and trying to learn what I can about security.
>
> Thanks for your patience,

http://www.freebsd.org/doc/faq/security.html#TOOR-ACCOUNT

-Radek
Re: Security question - uids of 0
James A. Coulter wrote:
| The following appeared in my latest daily security run output:
|
| Checking for uids of 0:
| root 0
| toor 0
|
| This is the first time I've seen this message.
|
| I checked /etc/passwd and found this:
|
| root:*:0:0:Charlie &:/root:/bin/csh
| toor:*:0:0:Bourne-again Superuser:/root:
|
| I am running FreeBSD 4.10 as a gateway/router/firewall with IPFW for a small
| home LAN.
|
| I ran ps -aux and looked for any processes owned by "toor" but didn't find any.
|
| Is this something to be concerned about?
|
| Sorry if this is an obvious question, but I am still very much a newbie
| and trying to learn what I can about security.

http://freebsd.active-venture.com/faq/security.html#TOOR-ACCOUNT

--
Siddhartha Jain (CISSP)
Consulting Engineer
Netmagic Solutions Pvt Ltd
Bombay - 400063
Phone: +91-22-26850001 Ext.128
Fax : +91-22-26850002
http://www.netmagicsolutions.com
Re: Security question - uids of 0
Hi James,

> The following appeared in my latest daily security run output:
>
> Checking for uids of 0:
> root 0
> toor 0
>
> This is the first time I've seen this message.
>
> I checked /etc/passwd and found this:
>
> root:*:0:0:Charlie &:/root:/bin/csh
> toor:*:0:0:Bourne-again Superuser:/root:
>
> I am running FreeBSD 4.10 as a gateway/router/firewall with IPFW for a
> small home LAN.
>
> I ran ps -aux and looked for any processes owned by "toor" but didn't
> find any.

did you install bash? Normally, the bash from ports or packages will install the "toor" account so you don't have to change root's shell.

If you installed bash then there's nothing to worry about this entry. If you don't need it, just use vipw and delete it.

-volker
Security question - uids of 0
The following appeared in my latest daily security run output:

Checking for uids of 0:
root 0
toor 0

This is the first time I've seen this message.

I checked /etc/passwd and found this:

root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:

I am running FreeBSD 4.10 as a gateway/router/firewall with IPFW for a small home LAN.

I ran ps -aux and looked for any processes owned by "toor" but didn't find any.

Is this something to be concerned about?

Sorry if this is an obvious question, but I am still very much a newbie and trying to learn what I can about security.

Thanks for your patience,

Jim
Security Question
For some reason this does not look right. I'm using spamassen and I keep seeing this on my console. Does anyone know if this is okay or is this a big hole in spamassen?

Aug 13 09:06:14 newman kernel: spamd[57121]: info: setuid to root succeeded
Aug 13 09:06:14 newman kernel:
Aug 13 09:06:14 newman kernel: spamd[57121]: Still running as root: user not specified with -u, not found, or set to root. Fall back to nobody.
Aug 13 09:06:14 newman kernel:
Aug 13 09:07:07 newman kernel: spamd[680]: connection from localhost [127.0.0.1] at port 49431
Re: Newbie Security Question
Hello James:

That's just letting you know that someone from that IP Address tried to access your system using the root account and the password they provided failed to authenticate. Could've been an ssh scanner or something of that nature. Most likely script kiddies.

Make sure you do not allow root to login via ssh by setting your sshd_config PermitRootLogin no. Use sudo or su - instead. Or you can always use key-based authentication.

Lester A. Mesa
aka: mazpe

On Fri, 2004-08-06 at 08:26, James A. Coulter wrote:
> I recently got my firewall up and configured (many thanks to JJB and everyone else
> for their help) and have been reading the daily security message from root with a
> great deal of interest.
>
> My question is, when I see entries like this:
>
> Aug 5 17:55:54 sara sshd[2099]: Failed password for root from 209.120.224.13
> +port 40515 ssh2
> Aug 5 17:55:55 sara sshd[2101]: Failed password for root from 209.120.224.13
> +port 60426 ssh2
> Aug 5 17:55:55 sara sshd[2103]: Failed password for root from 209.120.224.13
> +port 54447 ssh2
> Aug 5 17:55:59 sara sshd[2105]: Failed password for root from 209.120.224.13
> +port 44460 ssh2
>
> is it safe to assume someone has been trying to hack my system?
>
> I did a whois search on the IP and it went to a provider in Colorado.
>
> I'm asking because I'm curious - thanks again for everyone's help.
>
> Jim C.
Re: Newbie Security Question
On Fri, Aug 06, 2004 at 08:26:01AM -0500, James A. Coulter wrote:

> I recently got my firewall up and configured (many thanks to JJB and everyone else
> for their help) and have been reading the daily security message from root with a
> great deal of interest.
>
> My question is, when I see entries like this:
>
> Aug 5 17:55:54 sara sshd[2099]: Failed password for root from 209.120.224.13
> +port 40515 ssh2
> Aug 5 17:55:55 sara sshd[2101]: Failed password for root from 209.120.224.13
> +port 60426 ssh2
> Aug 5 17:55:55 sara sshd[2103]: Failed password for root from 209.120.224.13
> +port 54447 ssh2
> Aug 5 17:55:59 sara sshd[2105]: Failed password for root from 209.120.224.13
> +port 44460 ssh2
>
> is it safe to assume someone has been trying to hack my system?
>
> Jim C.

Hi Jim,

Yeah, I get these all the time. I've always chalked it up to random script kiddies. Sometimes I get people trying to log in as generic usernames like admin, guest, etc. Make sure that PermitRootLogin is either set to no or commented out in /etc/ssh/sshd_config, and of course make sure you are using a good root password.

Now, if you really want to work yourself up, start browsing your httpd-access logs :)

-dan
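The triage both replies describe can be scripted. The following is an added example, not code from any poster in this thread: it groups sshd "Failed password" lines by source address, flags bursts, and reads the global PermitRootLogin value from sshd_config text. The sample log is constructed (documentation addresses), and the function names, burst threshold and `default` argument are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format quoted in the thread (including the wrapped
# "+port" continuation). Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Aug  5 17:55:54 sara sshd[2099]: Failed password for root from 203.0.113.13
+port 40515 ssh2
Aug  5 17:55:55 sara sshd[2101]: Failed password for root from 203.0.113.13
+port 60426 ssh2
Aug  5 17:55:55 sara sshd[2103]: Failed password for root from 203.0.113.13
+port 54447 ssh2
Aug  5 17:55:59 sara sshd[2105]: Failed password for root from 203.0.113.13
+port 44460 ssh2
Aug  5 18:10:02 sara sshd[2140]: Failed password for illegal user guest from 198.51.100.7 port 51122 ssh2
Aug  5 18:12:40 sara sshd[2151]: Accepted publickey for jim from 192.0.2.20 port 50022 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"Failed password for (?:(?:invalid|illegal) user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def unwrap(text):
    """Rejoin lines that were wrapped with a leading '+' continuation."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("+") and lines:
            lines[-1] += " " + raw[1:]
        else:
            lines.append(raw)
    return lines


def failed_logins(text, year=2004):
    """Yield (timestamp, user, source_ip) for each failed password line."""
    for line in unwrap(text):
        m = FAILED.match(line)
        if m:
            # syslog timestamps carry no year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def summarize(text, window=timedelta(seconds=60), threshold=3):
    """Group failures by source; flag `threshold` failures inside `window`."""
    by_ip = defaultdict(list)
    for ts, user, ip in failed_logins(text):
        by_ip[ip].append((ts, user))
    report = {}
    for ip, events in by_ip.items():
        events.sort()
        times = [ts for ts, _ in events]
        burst = any(
            times[i + threshold - 1] - times[i] <= window
            for i in range(len(times) - threshold + 1)
        )
        report[ip] = {
            "failures": len(events),
            "users": sorted({u for _, u in events}),
            "burst": burst,
        }
    return report


def permit_root_login(config_text, default="prohibit-password"):
    """Return the global PermitRootLogin value from sshd_config text.

    sshd keeps the first value it reads for a keyword. A commented-out line
    leaves the compiled-in default, which differs between OpenSSH versions,
    so `default` is an assumption to set for the version in use.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ").split()
        key = parts[0].lower()
        if key == "match":  # conditional blocks follow; global section ends
            break
        if key == "permitrootlogin" and len(parts) > 1:
            return parts[1].lower()
    return default
```

A source that only ever tries root or generic names in a tight burst matches the automated scanning the replies describe; an explicit `PermitRootLogin no` line is easier to audit than relying on a commented-out default.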
Newbie Security Question
I recently got my firewall up and configured (many thanks to JJB and everyone else for their help) and have been reading the daily security message from root with a great deal of interest.

My question is, when I see entries like this:

    Aug 5 17:55:54 sara sshd[2099]: Failed password for root from 209.120.224.13
    +port 40515 ssh2
    Aug 5 17:55:55 sara sshd[2101]: Failed password for root from 209.120.224.13
    +port 60426 ssh2
    Aug 5 17:55:55 sara sshd[2103]: Failed password for root from 209.120.224.13
    +port 54447 ssh2
    Aug 5 17:55:59 sara sshd[2105]: Failed password for root from 209.120.224.13
    +port 44460 ssh2

is it safe to assume someone has been trying to hack my system?

I did a whois search on the IP and it went to a provider in Colorado.

I'm asking because I'm curious - thanks again for everyone's help.

Jim C.
Re: Updating w. sysinstall (was: Security question)
Hi Kevin!

On Wed, 19 Nov 2003, Kevin McKay wrote:

> So it will not just grab the latest patched binaries for 5.1?

Correct.

> Is it just for updating between releases and not
> for keeping the current release up to date?

...also correct, just updating between releases.

Greetings,
Mark
Re: Security question

> "Kevin McKay" <[EMAIL PROTECTED]> writes:
>
> You normally need to run the sysinstall from the version you're
> updating to. You could configure your system's sysinstall to load in
> the later version, and it should be compatible, but I don't know the
> syntax for that offhand...

For reference, you change the version in the options menu of sysinstall, then go to the configure menu and install packages/distributions as needed.

But I echo the comments about cvsup/portupgrade - definitely a better way to go.

PWR.
Re: Security question
I personally use the ports tree for installing software. To update the whole ports tree you could run

    cvsup -g -L 2 /usr/share/examples/cvsup/ports-supfile

to get the latest ports *with* the patches for that port. You can also use cvsup to update your source (/usr/src). I also use portupgrade to update the installed ports. I have never used pkg_* because I have always felt pretty comfortable with the ports and feel no need to switch. I'm sure if openssh has some patches/fixes or whatever done to the package it will be updated so you can use it.

Example: if you used the ports and gaim-8.0 came out but you only had 0.70 or whatever, then all you would need to do is update your ports (like I showed you above) and do a portupgrade gaim, and it would update it with the latest fixes/patches/version changes or whatever and resolve any depends you may need. Using the ports is just a personal preference. I do recommend it though. Please check out this for further reading on cvsup:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html

On Wed, 19 Nov 2003 23:08:06 -0800 "Kevin McKay" <[EMAIL PROTECTED]> wrote:

> Thanks Bryan,
>
> Two other questions, if I do a pkg_add -r openssh today and then the
> same command in 6 months will it always be the same precompiled binary
> sitting on the server? Or are they updated with patches from time to
> time? how does the openssh port binary differ from the openssh system
> binary? I have looked all through the handbook and faq's but could not
> find a definitive answer.
>
> Thanks
> Kevin McKay
>
> ----- Original Message -----
> From: "Bryan Cassidy" <[EMAIL PROTECTED]>
> To: "Kevin McKay" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Wednesday, November 19, 2003 11:18 PM
> Subject: Re: Security question
>
> > I don't know anything about using sysinstall for security
> > patches/upgrades etc. What you're looking for I think is cvsup. Please
> > read the handbook on Using CVSUP to get the latest source updates,
> > security patches for your release and even updating to a different
> > RELEASE or -CURRENT or -STABLE.
> >
> > On Wed, 19 Nov 2003 09:23:37 -0800
> > Kevin McKay <[EMAIL PROTECTED]> wrote:
> >
> > > So it will not just grab the latest patched binaries for 5.1? I am
> > > not sure I understand. Is it just for updating between releases and
> > > not for keeping the current release up to date?
> > >
> > > Kevin
> > >
> > > Lowell Gilbert wrote:
> > >
> > > >"Kevin McKay" <[EMAIL PROTECTED]> writes:
> > > >
> > > >>I have read through the documentation but have not been able to find
> > > >>a definite answer. I am running a pretty core install of 5.1 minimal
> > > >>+ bind9, postfix, apache, ssh, no ports collection. Here is my
> > > >>question. When I run the binary update from sysinstall will that
> > > >>take care of the earlier ssh vulnerability and update apache postfix
> > > >>and bind to the most current version?
> > > >
> > > >You normally need to run the sysinstall from the version you're
> > > >updating to. You could configure your system's sysinstall to
> > > >load in the later version, and it should be compatible, but I
> > > >don't know the syntax for that offhand...
Re: Security question
Thanks Bryan,

Two other questions, if I do a pkg_add -r openssh today and then the same command in 6 months will it always be the same precompiled binary sitting on the server? Or are they updated with patches from time to time? how does the openssh port binary differ from the openssh system binary? I have looked all through the handbook and faq's but could not find a definitive answer.

Thanks
Kevin McKay

----- Original Message -----
From: "Bryan Cassidy" <[EMAIL PROTECTED]>
To: "Kevin McKay" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, November 19, 2003 11:18 PM
Subject: Re: Security question

> I don't know anything about using sysinstall for security
> patches/upgrades etc. What you're looking for I think is cvsup. Please
> read the handbook on Using CVSUP to get the latest source updates,
> security patches for your release and even updating to a different
> RELEASE or -CURRENT or -STABLE.
>
> On Wed, 19 Nov 2003 09:23:37 -0800
> Kevin McKay <[EMAIL PROTECTED]> wrote:
>
> > So it will not just grab the latest patched binaries for 5.1? I am not
> > sure I understand. Is it just for updating between releases and not
> > for keeping the current release up to date?
> >
> > Kevin
> >
> > Lowell Gilbert wrote:
> >
> > >"Kevin McKay" <[EMAIL PROTECTED]> writes:
> > >
> > >>I have read through the documentation but have not been able to find
> > >>a definite answer. I am running a pretty core install of 5.1 minimal
> > >>+ bind9, postfix, apache, ssh, no ports collection. Here is my
> > >>question. When I run the binary update from sysinstall will that
> > >>take care of the earlier ssh vulnerability and update apache postfix
> > >>and bind to the most current version?
> > >
> > >You normally need to run the sysinstall from the version you're
> > >updating to. You could configure your system's sysinstall to load in
> > >the later version, and it should be compatible, but I don't know the
> > >syntax for that offhand...
Re: Security question
I don't know anything about using sysinstall for security patches/upgrades etc. What you're looking for I think is cvsup. Please read the handbook on Using CVSUP to get the latest source updates, security patches for your release and even updating to a different RELEASE or -CURRENT or -STABLE.

On Wed, 19 Nov 2003 09:23:37 -0800 Kevin McKay <[EMAIL PROTECTED]> wrote:

> So it will not just grab the latest patched binaries for 5.1? I am not
> sure I understand. Is it just for updating between releases and not
> for keeping the current release up to date?
>
> Kevin
>
> Lowell Gilbert wrote:
>
> >"Kevin McKay" <[EMAIL PROTECTED]> writes:
> >
> >>I have read through the documentation but have not been able to find
> >>a definite answer. I am running a pretty core install of 5.1 minimal
> >>+ bind9, postfix, apache, ssh, no ports collection. Here is my
> >>question. When I run the binary update from sysinstall will that
> >>take care of the earlier ssh vulnerability and update apache postfix
> >>and bind to the most current version?
> >
> >You normally need to run the sysinstall from the version you're
> >updating to. You could configure your system's sysinstall to load in
> >the later version, and it should be compatible, but I don't know the
> >syntax for that offhand...
Re: Security question
So it will not just grab the latest patched binaries for 5.1? I am not sure I understand. Is it just for updating between releases and not for keeping the current release up to date?

Kevin

Lowell Gilbert wrote:

> "Kevin McKay" <[EMAIL PROTECTED]> writes:
>
>> I have read through the documentation but have not been able to find
>> a definite answer. I am running a pretty core install of 5.1 minimal
>> + bind9, postfix, apache, ssh, no ports collection. Here is my
>> question. When I run the binary update from sysinstall will that
>> take care of the earlier ssh vulnerability and update apache postfix
>> and bind to the most current version?
>
> You normally need to run the sysinstall from the version you're
> updating to. You could configure your system's sysinstall to load in
> the later version, and it should be compatible, but I don't know the
> syntax for that offhand...
Re: Security question

"Kevin McKay" <[EMAIL PROTECTED]> writes:

> I have read through the documentation but have not been able to find
> a definite answer. I am running a pretty core install of 5.1 minimal
> + bind9, postfix, apache, ssh, no ports collection. Here is my
> question. When I run the binary update from sysinstall will that
> take care of the earlier ssh vulnerability and update apache postfix
> and bind to the most current version?

You normally need to run the sysinstall from the version you're updating to. You could configure your system's sysinstall to load in the later version, and it should be compatible, but I don't know the syntax for that offhand...
Re: Security question
I've never used sysinstall for anything but installing the operating system. I'm sure what you want is cvsup. Use the /usr/share/examples/cvsup/standard-supfile for updating source then follow instructions in handbook on make world to update the system.

On Tue, 18 Nov 2003 21:09:03 -0800 "Kevin McKay" <[EMAIL PROTECTED]> wrote:

> Hello,
>
> I have read through the documentation but have not been able to find a
> definite answer. I am running a pretty core install of 5.1 minimal +
> bind9, postfix, apache, ssh, no ports collection. Here is my question.
> When I run the binary update from sysinstall will that take care of
> the earlier ssh vulnerability and update apache postfix and bind to
> the most current version?
>
> Thanks
> Kevin McKay
Security question
Hello,

I have read through the documentation but have not been able to find a definite answer. I am running a pretty core install of 5.1 minimal + bind9, postfix, apache, ssh, no ports collection. Here is my question. When I run the binary update from sysinstall will that take care of the earlier ssh vulnerability and update apache postfix and bind to the most current version?

Thanks
Kevin McKay
Re: Beginner Security Question
On Mon, Nov 17, 2003 at 04:42:20PM -0800, Jon Cavalier wrote:

> so now my question is, since i haven't really crossed
> the next bridge which is to familiarize myself fully
> with the security aspects of freebsd..
>
> is this thing safe?

Yes. You have to do three things just like you have to do with windows.

1. Set up a firewall (FreeBSD has two options available in the system for this)
2. Update your system from time to time.
3. Don't have easy passwords.

> can i leave my machine online while i go to work, without someone
> easily popping in and planting a rootkit?

I do.

--
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/
RE: Beginner Security Question
Using Mouse copy/paste function.

FBSD has a built-in copy/paste function which is not enabled by default. You will find it very useful when editing a file or any time you want to copy & paste some message from your screen to a file. There is no 'cut' function as we know it from MS/windows.

Copy and paste functions in the virtual console assume that there are three buttons on the mouse. The logical button 1 (logical left) selects a region of text in the console and copies it to the paste buffer. The logical button 3 (logical right) extends the selected region. The logical button 2 (logical middle) pastes the selected text at the text cursor position. If your mouse has only two buttons, the middle, `paste' button is not available by default. To obtain the paste function for a 2 button mouse, use the moused_flags= option of rc.conf with the -m 2=3 value to assign the physical right button to the logical middle button.

If you man moused to read the manual documentation, you will see that they call it cut/paste. That is an error in the man info, just think of it as copy/paste.

    moused_enable="YES"
    moused_port="/dev/psm0"   # you may have different device here, that's ok
    moused_type="auto"
    moused_flags="-m 2=3"     # config for 2 button mouse

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jon Cavalier
Sent: Monday, November 17, 2003 7:42 PM
To: [EMAIL PROTECTED]
Subject: Beginner Security Question

hello,

after lots of research and configuration, i finally have a freebsd box with a comfortable custom interface, lots of multimedia bells and whistles, and shortcuts to all of my most-used applications. i'm still fumbling with text, in that i haven't found a way to cut and paste from one terminal window to another (i would welcome any suggestions as to how to implement this, if it's even possible). but for the most part i can do everything i could do with my win and mac machines before i started on this enlightening bsd journey, quite reliably.

so now my question is, since i haven't really crossed the next bridge which is to familiarize myself fully with the security aspects of freebsd..

is this thing safe?

what i mean is, how does the security of a stock freebsd 4.7 install and xfree86, using dhcp to access the internet compare with say a stock windows or mac computer? i'd like to start enjoying mozilla, irc, etc., but since i've used this machine for development only, i'm curious how it stands up. can i leave my machine online while i go to work, without someone easily popping in and planting a rootkit?

i'm already aware of programs like tripwire, nessus, and nmap, which came to me highly recommended, but i'm just not there yet with the configuration. i'm also behind a basic $40 router firewall so i'm guessing that i probably don't have much more to worry about than most average pc users do (probably a lot LESS given the incessant patching i've had to do with my xp box).

i'd be grateful for any information or experiences you can share.

thanks in advance,
j
Beginner Security Question
hello,

after lots of research and configuration, i finally have a freebsd box with a comfortable custom interface, lots of multimedia bells and whistles, and shortcuts to all of my most-used applications. i'm still fumbling with text, in that i haven't found a way to cut and paste from one terminal window to another (i would welcome any suggestions as to how to implement this, if it's even possible). but for the most part i can do everything i could do with my win and mac machines before i started on this enlightening bsd journey, quite reliably.

so now my question is, since i haven't really crossed the next bridge which is to familiarize myself fully with the security aspects of freebsd..

is this thing safe?

what i mean is, how does the security of a stock freebsd 4.7 install and xfree86, using dhcp to access the internet compare with say a stock windows or mac computer? i'd like to start enjoying mozilla, irc, etc., but since i've used this machine for development only, i'm curious how it stands up. can i leave my machine online while i go to work, without someone easily popping in and planting a rootkit?

i'm already aware of programs like tripwire, nessus, and nmap, which came to me highly recommended, but i'm just not there yet with the configuration. i'm also behind a basic $40 router firewall so i'm guessing that i probably don't have much more to worry about than most average pc users do (probably a lot LESS given the incessant patching i've had to do with my xp box).

i'd be grateful for any information or experiences you can share.

thanks in advance,
j
Re: Security question (simple).
I wonder if the better policy is to not run inherently insecure applications to begin with. In theory if no-one can get to that box or make use of that application from the internet then your only threats become internal ones.

Just for curiosity's sake what does nmap tell you about your box/interface from an outside perspective? Another great check is sockstat -4 which will list the services running and the IP/port number they're running on.

HTH

LukeK

----- Original Message -----
From: "Lewis Thompson" <[EMAIL PROTECTED]>
To: "FreeBSD-questions" <[EMAIL PROTECTED]>
Sent: August 23, 2003 9:08
Subject: Security question (simple).
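The sockstat -4 check suggested above can be turned into a repeatable audit. This is an added example, not code from the thread: it parses sockstat output, classifies each listening socket by the address it is bound to, and reports listeners reachable through the external address that are not on an expected list. The sample output, the addresses (10.0.0.2 standing in for a jail, 192.0.2.44 for the dial-up interface) and all function names are constructed assumptions.

```python
import ipaddress

# Constructed `sockstat -4` output (not taken from the thread).
SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       612   3  tcp4   *:22                  *:*
www      httpd      701   16 tcp4   10.0.0.2:80           *:*
root     sendmail   530   4  tcp4   127.0.0.1:25          *:*
root     syslogd    420   6  udp4   *:514                 *:*
mysql    mysqld     655   10 tcp4   192.0.2.44:3306       *:*
lewiz    ssh        900   3  tcp4   192.0.2.44:51234      198.51.100.9:22
"""


def listeners(sockstat_text):
    """Parse sockstat output; keep sockets with no peer (foreign '*:*')."""
    found = []
    for line in sockstat_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) != 7 or fields[6] != "*:*":
            continue  # connected socket, or a line this parser does not know
        user, command, pid, _fd, proto, local, _foreign = fields
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue  # unbound socket, shown as '*:*' in the local column
        found.append({"user": user, "command": command, "pid": int(pid),
                      "proto": proto, "addr": addr, "port": int(port)})
    return found


def scope(addr, external_ip):
    """Classify where a bound address can be reached from."""
    if addr == "*":
        return "all-interfaces"
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback-only"
    return "external" if ip == ipaddress.ip_address(external_ip) else "internal"


def unexpected_exposure(sockstat_text, external_ip, allowed):
    """Listeners reachable via the external address and not in `allowed`.

    `allowed` is a set of (proto, port) pairs that are meant to be public.
    """
    hits = []
    for s in listeners(sockstat_text):
        where = scope(s["addr"], external_ip)
        reachable = where in ("all-interfaces", "external")
        if reachable and (s["proto"], s["port"]) not in allowed:
            hits.append((s["command"], s["proto"], s["port"], where))
    return sorted(hits)


if __name__ == "__main__":
    for hit in unexpected_exposure(SAMPLE, "192.0.2.44", {("tcp4", 22)}):
        print("review:", hit)
```

sockstat reports binding only: a service bound to a jail address can still be reached from outside when natd redirects a port to it, so the firewall and natd rules need the same review.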
Security question (simple).
Hi,

I'm fairly new to network/machine security (but I know enough to write some firewall rules, just the basics. I guess I'm getting on for novice, or something ;)

I'm running two jails on my box, which has a dialup connection to the 'net. It's all firewalled off and only certain things are available from outside. For incoming WWW I have some port-forwarding going on (natd), which bounces it to the httpd running in the jail.

Am I right in thinking if I am running some inherently insecure application there is ABSOLUTELY NO WAY anybody can exploit it if it's not listening on the dial-up interface? I mean, without rooting the host system first. Or, if it's not, it's still pretty hard, right?

-lewiz.

--
I was so much older then, I'm younger than that now. --Bob Dylan, 1964.
-| msn:[EMAIL PROTECTED] | jab:[EMAIL PROTECTED] | url:http://lewiz.net |-
Re: procmail security question
Today Dick Hoogendijk wrote:

> Maybe a silly question but still, security has to be as high as
> possible, so, here it is:
>
> I installed procmail and got the fbsd warning about the program running
> with set user and group ID (root/mail) known as a security risk.
> What about this message? Procmail has permission 6755. Is it necessary
> for the prog to be world readable/executable? do I need to set things
> different or do I see ghosts? :-))

How do you use procmail? Do you use it with sendmail? Is procmail the local delivery agent or invoked from the user ~/.forward* file? Is sendmail setuid root or running as root (confRUN_AS_USER/RunAsUser)?

So there are many open questions. Drop the setuid/setgid bits, and see what happens.

-andrew
procmail security question
Maybe a silly question but still, security has to be as high as possible, so, here it is:

I installed procmail and got the fbsd warning about the program running with set user and group ID (root/mail) known as a security risk. What about this message? Procmail has permission 6755. Is it necessary for the prog to be world readable/executable? do I need to set things different or do I see ghosts? :-))

--
dick -- http://www.nagual.st/ -- PGP/GnuPG key: F86289CE
++ Running FreeBSD 4.7 ++ Debian GNU/Linux (Woody)
Re: security question - tcpdump
On Tue, Jul 16, 2002 at 02:37:15AM -0400, David Banning wrote:

> I am trying to determine how people would read my port info and
> pickup passwords and such. From everything I have read so far
> about tcpdump and similar programs, doesn't the program have to be
> run as root from -within- your system?

On FreeBSD systems it just has to be run as a user with read access to /dev/bpf?. By default, that is root only.

Yes, running tcpdump on the target system is probably most effective, as you'll capture the most traffic. Running it on the systems you're connecting to or on routers between those end points is almost as good. If you, or any of the networks your packets traverse, are using a hub rather than a switch, then another machine on one of those networks would work very well. Even if you're on a switched network, you can play tricks with arp to fool the switch into sending you a copy of the traffic for another host. In short, if you don't have complete control over the whole network path, and generally even if you do, use cryptography to protect your sensitive data.

As for working out what ports are open or closed on your machine, check out the security/nmap port. If there is any sort of network access to your systems, it's extremely difficult to prevent someone scanning you and mapping out what IP numbers are in use and what open ports there are. It's considerably easier to make it impossible for anyone to do that without leaving obvious traces in log files. The best strategy is to scan your own machines yourself and make sure that you only leave open the ports belonging to the servers you actually need, and that those servers are adequately secured.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks
Savill Way
Marlow
Bucks., SL7 1TH UK
Tel: +44 1628 476614
Fax: +44 0870 0522645
security question - tcpdump
I am trying to determine how people would read my port info and pickup passwords and such. From everything I have read so far about tcpdump and similar programs, doesn't the program have to be run as root from -within- your system?