OT: Security question (openssl vs openssh)

2011-05-03 Thread Mark Moellering

Everyone,
I am looking into setting up a webserver to hold some very sensitive 
information.  I am trying to figure out which is more secure, forcing 
any web connections to be done using an ssh tunnel or forcing ssl.
I have not been able to figure out if one is definitively much more 
secure than another or if they are close to the same.  I would have 
initially thought the ssh tunnel was more secure but knowing that ssl 
can use AES-256, I am now wondering if that isn't adding a complexity 
for little extra security.


Thanks in advance

Mark Moellering
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: OT: Security question (openssl vs openssh)

2011-05-03 Thread Maxim Khitrov
On Tue, May 3, 2011 at 10:22 AM, Mark Moellering m...@msen.com wrote:
 Everyone,
 I am looking into setting up a webserver to hold some very sensitive
 information.  I am trying to figure out which is more secure, forcing any
 web connections to be done using an ssh tunnel or forcing ssl.
 I have not been able to figure out if one is definitively much more secure
 than another or if they are close to the same.  I would have initially
 thought the ssh tunnel was more secure but knowing that ssl can use AES-256,
 I am now wondering if that isn't adding a complexity for little extra
 security.

 Thanks in advance

 Mark Moellering

I don't think there is any extra security in tunneling an HTTP
connection over SSH. User authentication is a different matter, but the
encryption algorithms are the same. Most web servers have an option of
configuring what ciphers are allowed (same as OpenSSH, by the way), so
you can easily restrict HTTPS connections to just AES-256 or any other
cipher you prefer.

The bigger issue will be how to prevent MITM attacks. With SSH, you
have to make sure that the clients have the correct public key ahead
of time or provide a way to verify the key during the first
connection.

With HTTPS you can get a certificate from an existing CA, which allows
clients to verify the server identity without any extra work on your
part. As an alternative, you can create your own CA and distribute the
public key to the clients, which is pretty similar to SSH, except that
it's much easier to change the server certificate later on.

- Max


Re: OT: Security question (openssl vs openssh)

2011-05-03 Thread Jon Radel


On 5/3/11 10:22 AM, Mark Moellering wrote:


Everyone,
I am looking into setting up a webserver to hold some very sensitive
information. I am trying to figure out which is more secure, forcing any
web connections to be done using an ssh tunnel or forcing ssl.
I have not been able to figure out if one is definitively much more
secure than another or if they are close to the same. I would have
initially thought the ssh tunnel was more secure but knowing that ssl
can use AES-256, I am now wondering if that isn't adding a complexity
for little extra security.

Thanks in advance

Mark Moellering


I'd say that that's a really hard problem to answer definitively, but my 
gut reaction is that the less complex solution is less likely to involve 
configuration screw-ups which compromise security.  Particularly if 
other administrators are or will be involved, that which is too clever 
just begs for innocent, even if clueless, changes that compromise 
assumptions upon which the security depends.


In any case, I'd worry more about how I handle user authentication and 
authorization than squeezing the last little drop of warm fuzzies out of 
the encryption setup.  To the extent that if you already have a fully 
trusted infrastructure in place for ssh keys, you might want to consider 
using ssh tunnels for that reason alone.


Or, to put it another way, if your security is going to fall, it's much 
more likely that it's going to involve a poor configuration choice, a 
user that screws up big time, or a back door to the data, than a 
successful technical attack against TLS or SSH.


--Jon Radel
j...@radel.com


Re: OT: Security question (openssl vs openssh)

2011-05-03 Thread Bill Campbell
On Tue, May 03, 2011, Mark Moellering wrote:
 Everyone,
 I am looking into setting up a webserver to hold some very sensitive  
 information.  I am trying to figure out which is more secure, forcing  
 any web connections to be done using an ssh tunnel or forcing ssl.
 I have not been able to figure out if one is definitively much more  
 secure than another or if they are close to the same.  I would have  
 initially thought the ssh tunnel was more secure but knowing that ssl  
 can use AES-256, I am now wondering if that isn't adding a complexity  
 for little extra security.

Our solution for critical services like this is to run the
service only on a private LAN segment which is available from the
outside world only through an OpenVPN connection.  The OpenVPN
connection requires unique keys for each client which are easily
revoked if a laptop is lost or stolen or on employee termination.

It also isolates the web service from other external attacks via
insecure PHP scripts and such.

Bill
-- 
INTERNET:   b...@celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:  (206) 236-1676  Mercer Island, WA 98040-0820
Fax:(206) 232-9186  Skype: jwccsllc (206) 855-5792

If the personal freedoms guaranteed by the Constitution inhibit the
government's ability to govern the people, we should look to limit those
guarantees.  -- President Bill Clinton, August 12, 1993


Wine security question...

2008-08-28 Thread Christopher Joyner
Is it possible to use wine in a secure way?  I had a warning about it after 
installing it from the ports.  So I was wondering if it's possible to limit it 
to a certain area.  Like a sandbox?



 In Love in Jesus Christ, Our Lord and Savior.


For God so loved the world, that he gave his only *begotten Son, that whosoever 
believeth in him should not perish, but have everlasting life.
--John 3:16



  


Re: Wine security question...

2008-08-28 Thread Subhro
man jail

Thanks
Subhro

On Fri, Aug 29, 2008 at 8:16 AM, Christopher Joyner
[EMAIL PROTECTED] wrote:
 Is it possible to use wine in a secure way?  I had a warning about it after 
 installing it from the ports.  So I was wondering if it's possible to limit 
 it to a certain area.  Like a sandbox?



  In Love in Jesus Christ, Our Lord and Savior.


 For God so loved the world, that he gave his only *begotten Son, that 
 whosoever believeth in him should not perish, but have everlasting life.
 --John 3:16






Re: Ksh Shell script security question.

2007-02-15 Thread Thomas Dickey
On Wed, Feb 14, 2007 at 10:57:12PM -0600, Dan Nelson wrote:
 In the last episode (Feb 14), Dak Ghatikachalam said:
  I am puzzled how to secure this code when this shell script is
  being executed.
  
  ${ORACLE_HOME}/bin/sqlplus -s << EOF | tee -a ${RESTOREFILE}
 connect system/ugo8990d
 set heading off
 set feedback off
 set pagesize 500
 select 'SCN_TO_USE | '||max(next_change#)   from V\$LOG_HISTORY;
 quit
  EOF
  
  When I run this code from shell script in /tmp directory it spews
  file called /tmp/sh03400.000 in that I have this entire code visible.
 
 I bet if you check the permissions you'll find the file has mode 0600,
 which means only the user running the script can read the file (at
 least that's what a test using the pdksh port does on my system). 
 ksh93 does have a problem, though: it opens a file and immediately
 unlinks it, but the file is world-readable for a short time.

Doesn't it (ksh93, etc) pay attention to umask?
If it does, the script should use that feature.

 
 Both ksh variants honor the TMPDIR variable, though, so if you create a
 ~/tmp directory, chmod it so only you can access it, then set
 TMPDIR=~/tmp , you will be secure even if you're using ksh93.

relatively (it's not a given that people haven't opened up ~/tmp)

-- 
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net




Re: Ksh Shell script security question.

2007-02-15 Thread Dan Nelson
In the last episode (Feb 15), Thomas Dickey said:
 On Wed, Feb 14, 2007 at 10:57:12PM -0600, Dan Nelson wrote:
  In the last episode (Feb 14), Dak Ghatikachalam said:
   I am puzzled how to secure this code when this shell script is
   being executed.
   
   ${ORACLE_HOME}/bin/sqlplus -s << EOF | tee -a ${RESTOREFILE}
[...]
   EOF
   
   When I run this code from shell script in /tmp directory it spews
   file called /tmp/sh03400.000 in that I have this entire code
   visible.
  
  I bet if you check the permissions you'll find the file has mode
  0600, which means only the user running the script can read the
  file (at least that's what a test using the pdksh port does on my
  system).  ksh93 does have a problem, though: it opens a file and
  immediately unlinks it, but the file is world-readable for a short
  time.
 
 Doesn't it (ksh93, etc) pay attention to umask?
 If it does, the script should use that feature.

It does honor umask, but I think temp files should be created mode 0600
in all cases.  A person may have a umask of 022 to allow normal files
to be read by group members but still not want them to see
here-document contents.  They may not even realize that their shell is
using tempfiles.  Some shells use pipes (bash and ash do; zsh uses an
0600 tempfile that it immediately unlinks; Solaris sh uses an 0600
tempfile).
 
  Both ksh variants honor the TMPDIR variable, though, so if you create a
  ~/tmp directory, chmod it so only you can access it, then set
  TMPDIR=~/tmp , you will be secure even if you're using ksh93.
 
 relatively (it's not a given that people haven't opened up ~/tmp)

I think if someone has gone to the trouble of creating a private ~/tmp
directory, they probably know what they're doing and know the
consequences of opening it up.

-- 
Dan Nelson
[EMAIL PROTECTED]
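
Added example (not part of the original messages): a sh script showing the two mitigations discussed in this thread, a restrictive umask and a private TMPDIR, together with a check that the directory has not been opened up. The function names and the scratch paths are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration, not code from the thread. All paths are scratch
# paths created with mktemp; "private_tmp" is a hypothetical name.

# Print the 10-character type/permission string of a path, e.g. drwx------
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Create a file while the given umask is in effect and print its mode.
# This stands in for a shell that creates its here-document temp file
# without forcing mode 0600: the umask alone decides who can read it.
mode_under_umask() {
    ( umask "$1" && : > "$2" ) || return 1
    perm_string "$2"
}

# Succeed only if the path is a real directory (not a symlink), is owned
# by the current user, and grants nothing to group or other. This covers
# the "relatively" caveat: a ~/tmp that was opened up later protects nothing.
is_private_dir() {
    [ -d "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    [ "$(perm_string "$1" | cut -c5-10)" = "------" ]
}

# Create the directory if it is missing, then refuse to continue unless it
# really is private. An existing, opened-up directory is rejected rather
# than silently reused. Prints the directory name on success.
private_tmpdir() {
    ( umask 077 && mkdir -p "$1" ) || return 1
    is_private_dir "$1" || return 1
    printf '%s\n' "$1"
}

# Demonstration in a scratch area. The body runs in a subshell so the
# TMPDIR change does not leak into the caller.
demo() (
    scratch=$(mktemp -d) || exit 1
    echo "umask 022 -> $(mode_under_umask 022 "$scratch/a")"
    echo "umask 077 -> $(mode_under_umask 077 "$scratch/b")"
    if TMPDIR=$(private_tmpdir "$scratch/private_tmp"); then
        export TMPDIR
        echo "TMPDIR=$TMPDIR ($(perm_string "$TMPDIR"))"
    fi
    mkdir "$scratch/opened" && chmod 755 "$scratch/opened"
    is_private_dir "$scratch/opened" || echo "opened-up directory rejected"
    rm -rf "$scratch"
)
demo
```

In a real script the umask 077 line and the private_tmpdir call would come first, before any here-document is used.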


Re: Ksh Shell script security question.( SOLVED)

2007-02-15 Thread Dak Ghatikachalam

On 2/15/07, Dan Nelson [EMAIL PROTECTED] wrote:


In the last episode (Feb 15), Thomas Dickey said:
 On Wed, Feb 14, 2007 at 10:57:12PM -0600, Dan Nelson wrote:
  In the last episode (Feb 14), Dak Ghatikachalam said:
   I am puzzled how to secure this code when this shell script is
   being executed.
  
   ${ORACLE_HOME}/bin/sqlplus -s << EOF | tee -a ${RESTOREFILE}
[...]
   EOF
  
   When I run this code from shell script in /tmp directory it spews
   file called /tmp/sh03400.000 in that I have this entire code
   visible.
 
  I bet if you check the permissions you'll find the file has mode
  0600, which means only the user running the script can read the
  file (at least that's what a test using the pdksh port does on my
  system).  ksh93 does have a problem, though: it opens a file and
  immediately unlinks it, but the file is world-readable for a short
  time.

 Doesn't it (ksh93, etc) pay attention to umask?
 If it does, the script should use that feature.

It does honor umask, but I think temp files should be created mode 0600
in all cases.  A person may have a umask of 022 to allow normal files
to be read by group members but still not want them to see
here-document contents.  They may not even realize that their shell is
using tempfiles.  Some shells use pipes (bash and ash do; zsh uses an
0600 tempfile that it immediately unlinks; Solaris sh uses an 0600
tempfile).

  Both ksh variants honor the TMPDIR variable, though, so if you create a
  ~/tmp directory, chmod it so only you can access it, then set
  TMPDIR=~/tmp , you will be secure even if you're using ksh93.

 relatively (it's not a given that people haven't opened up ~/tmp)

I think if someone has gone to the trouble of creating a private ~/tmp
directory, they probably know what they're doing and know the
consequences of opening it up.




I appreciate all your responses.

Thanks a lot for the insight on Unix fundamentals.

The issue I had is solved by doing umask 077 at the start of the script.
What it did was create the temporary files with read+write for the
owner of the file. In my process I also create directories while the RMAN
backup is being run, and umask 077 gave rwx for the
directories on creation.

This problem I had is solved now; it is secure.

Thanks
Dak


--
Dan Nelson
[EMAIL PROTECTED]


Re: Ksh Shell script security question.

2007-02-15 Thread David Robillard

I am puzzled how to secure this code when this shell script is
being executed.

${ORACLE_HOME}/bin/sqlplus -s << EOF | tee -a ${RESTOREFILE}
   connect system/ugo8990d
   set heading off
   set feedback off
   set pagesize 500
   select 'SCN_TO_USE | '||max(next_change#)   from V\$LOG_HISTORY;
   quit
EOF

When I run this code from shell script in /tmp directory it spews
file called /tmp/sh03400.000 in that I have this entire code visible.


Hi Dak,

The reason you can see the code in ${RESTOREFILE} is because of the
tee command. With `tee -a` you're actually asking to have the code
installed in ${RESTOREFILE}.

Now, one way to secure this is to set a restrictive umask at the start
of the script. For example, setting `umask 0077` will cause your
script to generate files which will only be read/write for the user
who runs the script. But the files will still have your username/passwd
in them.

To remove the username/passwd from the files, may I suggest you change
your code to include the username/passwd into the sqlplus command.
Like this for example:

export ORACLE_SID=your_oracle_sid

sqlplus ${USERNAME}/${PASSWORD} -s <<-EOF | tee -a ${RESTOREFILE}
   set heading off
   set feedback off
   set pagesize 500
   select 'SCN_TO_USE | '||max(next_change#)   from V\$LOG_HISTORY;
   quit
EOF

This will still generate a file, but the username/password won't be
there. Of course, that means you need to hide your credentials in an
encrypted file elsewhere on your machine.
You can then setup code that will check the md5 sum of the password
file and use something like OpenSSL or GPG to encrypt/decrypt the
file.

Have fun,

David
--
David Robillard
UNIX systems administrator  Oracle DBA
CISSP, RHCE  Sun Certified Security Administrator
Montreal: +1 514 966 0122


Ksh Shell script security question.

2007-02-14 Thread Dak Ghatikachalam

Hi Freebsd

I am puzzled how to secure this code when this shell script is being
executed.

${ORACLE_HOME}/bin/sqlplus -s << EOF | tee -a ${RESTOREFILE}
   connect system/ugo8990d
   set heading off
   set feedback off
   set pagesize 500
   select 'SCN_TO_USE | '||max(next_change#)   from V\$LOG_HISTORY;
   quit
EOF


When I run this code from shell script in /tmp directory it spews file
called /tmp/sh03400.000
in that  I have this entire code visible.

connect system/ugo8990d
set heading off
   set feedback off
   set pagesize 500
   select 'SCN_TO_USE | '||max(next_change#)   from V\$LOG_HISTORY;
   quit

How do I secure that part of code, between
those EOF start and end.

It is just terrible to see the password all shown by the temporary file the
shell creates. Just for security reasons, I don't want any other users in
the system to view my code which contains the password.

If I have long running sql or large program anything I put in between EOF is
shown by these /tmp/sh*  files

Any idea how to secure this

Thanks
Dak


Re: Ksh Shell script security question.

2007-02-14 Thread Dan Nelson
In the last episode (Feb 14), Dak Ghatikachalam said:
 I am puzzled how to secure this code when this shell script is
 being executed.
 
 ${ORACLE_HOME}/bin/sqlplus -s << EOF | tee -a ${RESTOREFILE}
connect system/ugo8990d
set heading off
set feedback off
set pagesize 500
select 'SCN_TO_USE | '||max(next_change#)   from V\$LOG_HISTORY;
quit
 EOF
 
 When I run this code from shell script in /tmp directory it spews
 file called /tmp/sh03400.000 in that I have this entire code visible.

I bet if you check the permissions you'll find the file has mode 0600,
which means only the user running the script can read the file (at
least that's what a test using the pdksh port does on my system). 
ksh93 does have a problem, though: it opens a file and immediately
unlinks it, but the file is world-readable for a short time.

Both ksh variants honor the TMPDIR variable, though, so if you create a
~/tmp directory, chmod it so only you can access it, then set
TMPDIR=~/tmp , you will be secure even if you're using ksh93.

-- 
Dan Nelson
[EMAIL PROTECTED]


User Security Question?

2007-01-09 Thread VeeJay

Hello Friends

Just had a debate with a colleague at the office, but I still lack knowledge of
FreeBSD security :(


I have a few questions.

1. What privileges does a standard user (NOT a member of the wheel group) have on a
FreeBSD box?

2. How can he/she damage the system or make a breach?

3. If that particular user is willing to damage the FreeBSD box,
which locations or files are more likely to be damaged or affected?

4. How dangerous could a standard user be to a FreeBSD box?

5. What sort of methods can he/she apply to hack the system and
create a breach into the system?

6. How can we check whether a system is affected by a bad user?

I would really appreciate your comments in this regard

Cheers!!!
--
Thanks!

BR / vj


Re: User Security Question?

2007-01-09 Thread Oliver Fromme
VeeJay [EMAIL PROTECTED] wrote:
  Just had a debate with a colleague at office, but still lack knowledge on
  FreeBSD security :(

For a start, I recommend you read the security(7) manual
page.  It should give at least a rough answer to most of
your questions.  Another good reading is chapter 14 of
the FreeBSD Handbook, titled Security.

Best regards
   Oliver

-- 
Oliver Fromme,  secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

  Can the denizens of this group enlighten me about what the
  advantages of Python are, versus Perl ?
python is more likely to pass unharmed through your spelling
checker than perl.
-- An unknown poster and Fredrik Lundh


Re: User Security Question?

2007-01-09 Thread VeeJay

On 1/9/07, VeeJay [EMAIL PROTECTED] wrote:



Hello Friends

Just had a debate with a colleague at the office, but I still lack knowledge of
FreeBSD security :(


I have a few questions.

1. What privileges does a standard user (NOT a member of the wheel group) have on a
FreeBSD box?

2. How can he/she damage the system or make a breach?

3. If that particular user is willing to damage the FreeBSD box,
which locations or files are more likely to be damaged or affected?

4. How dangerous could a standard user be to a FreeBSD box?

5. What sort of methods can he/she apply to hack the system and
create a breach into the system?

6. How can we check whether a system is affected by a bad user?

I would really appreciate your comments in this regard

Cheers!!!
--
Thanks!

BR / vj





--
Thanks!

BR / vj


IMAP-UW Security question

2005-12-13 Thread Jose Borquez
Just recently installed IMAP-UW through ports and once the install 
finished I got the following security message:


SECURITY REPORT:
 This port has installed the following binaries which execute with
 increased privileges.
/usr/local/libexec/mlock

What can I do to minimize this security risk?  Do I create an mlock user?

Thanks in advance,
Jose



Re: IMAP-UW Security question

2005-12-13 Thread Frank Steinborn
Jose Borquez wrote:
 SECURITY REPORT:
  This port has installed the following binaries which execute with
  increased privileges.
 /usr/local/libexec/mlock
 
 What can I do to minimize this security risk?  Do I create an mlock user?

In fact, every port that installs a suid-binary will show this warning.
Creating a user won't help, mlock will run as root (that is what it's
about). Just keep the port up-to-date and it's ok.

Frank


VLAN security question

2005-11-20 Thread Doug Lee
I set up a FreeBSD box to be firewall/NAT/mailserver/etc. for a
company, but that company subsequently went to a VoIP system,
installed a Cisco switch, programmed the switch to route Internet
traffic through the BSD box as before but also to route telephone
traffic NOT through it, then set things up so that the workstations in
the building are plugged into the phones (which have little hubs in
them).  Internet traffic is now on a VLAN, and telephone traffic is on
a different VLAN.  Running tcpdump on a workstation indicates that
VLAN traffic can be seen there (sensible because the phones contain
hubs, not switches).  Tcpdump also shows that people on the Internet
can send packets onto the telephone VLAN (i.e., random packets from
the world can reach the phones and the workstations on that VLAN).
The packets I'm seeing with tcpdump are still encapsulated.

Question:  Is this a security problem?  For example, can a packet be
crafted out there to show up non-encapsulated and on the workstation
network, thus circumventing my FreeBSD firewall?

Up to now, I've been assuming that this network is as secure as the
phones themselves, meaning that if someone can hack a telephone and
make it do things on the network, we have a problem, but otherwise we
don't.  That prospect also bothers me but is probably outside the
scope of my question. :-)


-- 
Doug Lee [EMAIL PROTECTED]
SSB + BART Group [EMAIL PROTECTED]   http://www.bartsite.com
Determine that the thing can and shall be done, and then...find
the way. - Abraham Lincoln


Re: Security question - uids of 0

2004-08-17 Thread Justin L. Boss
toor is a base system user. It is a default user. It is used for several 
reasons and is secure as long as no one can access your console directly.

On Monday 16 August 2004 09:57 am, James A. Coulter wrote:
 The following appeared in my latest daily security run output:

  Checking for uids of 0:
  root 0
  toor 0

 This is the first time I've seen this message.

 I checked /etc/passwd and found this:

  root:*:0:0:Charlie :/root:/bin/csh
  toor:*:0:0:Bourne-again Superuser:/root:

 I am running FreeBSD 4.10 as a gateway/router/firewall with IPFW for a
 small home LAN.

 I ran ps -aux and looked for any processes owned by toor but didn't find
 any.

 Is this something to be concerned about?

 Sorry if this is an obvious question, but I am still very much a newbie
 and trying to learn what I can about security.

 Thanks for your patience,

 Jim


Security question - uids of 0

2004-08-16 Thread James A. Coulter
The following appeared in my latest daily security run output:

Checking for uids of 0:
root 0
toor 0

This is the first time I've seen this message.

I checked /etc/passwd and found this:

root:*:0:0:Charlie :/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:

I am running FreeBSD 4.10 as a gateway/router/firewall with IPFW for a small
home LAN.  

I ran ps -aux and looked for any processes owned by toor but didn't find any.

Is this something to be concerned about?  

Sorry if this is an obvious question, but I am still very much a newbie
and trying to learn what I can about security.

Thanks for your patience,

Jim


Re: Security question - uids of 0

2004-08-16 Thread Volker Kindermann
Hi James,


 The following appeared in my latest daily security run output:
 
   Checking for uids of 0:
   root 0
   toor 0
 
 This is the first time I've seen this message.
 
 I checked /etc/passwd and found this:
 
   root:*:0:0:Charlie :/root:/bin/csh
   toor:*:0:0:Bourne-again Superuser:/root:
 
 I am running FreeBSD 4.10 as a gateway/router/firewall with IPFW for a
 small home LAN.  
 
 I ran ps -aux and looked for any processes owned by toor but didn't
 find any.

did you install bash? Normally, the bash from ports or packages will
install the toor account so you don't have to change root's shell.

If you installed bash then there's nothing to worry about this entry.
If you don't need it, just use vipw and delete it.

 -volker


Re: Security question - uids of 0

2004-08-16 Thread Siddhartha Jain
James A. Coulter wrote:
| The following appeared in my latest daily security run output:
|
|   Checking for uids of 0:
|   root 0
|   toor 0
|
| This is the first time I've seen this message.
|
| I checked /etc/passwd and found this:
|
|   root:*:0:0:Charlie :/root:/bin/csh
|   toor:*:0:0:Bourne-again Superuser:/root:
|
| I am running FreeBSD 4.10 as a gateway/router/firewall with IPFW for a small
| home LAN.
|
| I ran ps -aux and looked for any processes owned by toor but didn't find any.
|
| Is this something to be concerned about?
|
| Sorry if this is an obvious question, but I am still very much a newbie
| and trying to learn what I can about security.
http://freebsd.active-venture.com/faq/security.html#TOOR-ACCOUNT
--
Siddhartha Jain (CISSP)
Consulting Engineer
Netmagic Solutions Pvt Ltd
Bombay - 400063
Phone: +91-22-26850001 Ext.128
Fax  : +91-22-26850002
http://www.netmagicsolutions.com


Re: Security question - uids of 0

2004-08-16 Thread Radek Kozlowski
On Mon, Aug 16, 2004 at 09:57:37AM -0500, James A. Coulter wrote:
 The following appeared in my latest daily security run output:
 
   Checking for uids of 0:
   root 0
   toor 0
 
 This is the first time I've seen this message.
 
 I checked /etc/passwd and found this:
 
   root:*:0:0:Charlie :/root:/bin/csh
   toor:*:0:0:Bourne-again Superuser:/root:
 
 I am running FreeBSD 4.10 as a gateway/router/firewall with IPFW for a small
 home LAN.  
 
 I ran ps -aux and looked for any processes owned by toor but didn't find any.
 
 Is this something to be concerned about?  
 
 Sorry if this is an obvious question, but I am still very much a newbie
 and trying to learn what I can about security.
 
 Thanks for your patience,

http://www.freebsd.org/doc/faq/security.html#TOOR-ACCOUNT

-Radek


Re: Security question - uids of 0

2004-08-16 Thread Jerry McAllister
 
 The following appeared in my latest daily security run output:
 
   Checking for uids of 0:
   root 0
   toor 0
 
 This is the first time I've seen this message.
 
 I checked /etc/passwd and found this:
 
   root:*:0:0:Charlie :/root:/bin/csh
   toor:*:0:0:Bourne-again Superuser:/root:
 
 I am running FreeBSD 4.10 as a gateway/router/firewall with IPFW for a small
 home LAN.  
 
 I ran ps -aux and looked for any processes owned by toor but didn't find any.
 
 Is this something to be concerned about?  

No.  It is normal.
It is one of the normal accounts put there in a standard install.
It is essentially a root account by another name.
Some things used to like to use it to own their installed stuff but
avoid using root directly.
I don't know if anything really does that any more.
I sometimes use it as a model pw entry when in vipw for
creating new accounts directly to help avoid missing a field.

 
 Sorry if this is an obvious question, but I am still very much a newbie
 and trying to learn what I can about security.

This has been brought up and answered numerous times in the past.
You might try and search for information on toor account.  You 
should be able to find something.

jerry

 
 Thanks for your patience,
 
 Jim


Re: Security question - uids of 0

2004-08-16 Thread James A. Coulter
On Mon, Aug 16, 2004 at 05:01:51PM +0200, Volker Kindermann wrote:
 Hi James,
 
 
  The following appeared in my latest daily security run output:
  
  Checking for uids of 0:
  root 0
  toor 0
  
  This is the first time I've seen this message.
  
  I checked /etc/passwd and found this:
  
  root:*:0:0:Charlie :/root:/bin/csh
  toor:*:0:0:Bourne-again Superuser:/root:
  
  I am running FreeBSD 4.10 as a gateway/router/firewall with IPFW for a
  small home LAN.  
  
  I ran ps -aux and looked for any processes owned by toor but didn't
  find any.
 
 did you install bash? Normally, the bash from ports or packages will
 install the toor account so you don't have to change root's shell.
 
 If you installed bash then there's nothing to worry about this entry.
 If you don't need it, just use vipw and delete it.
 
  -volker

Thank you Volker - I did install bash several weeks ago, so the sudden
appearance of the message in my daily security run caught my attention.

Thanks to everyone who sent the 
http://www.freebsd.org/doc/faq/security.html#TOOR-ACCOUNT
link. 

Jim 
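
Added example (not part of any post in this thread): the "Checking for uids of 0" report discussed above can be reproduced by parsing passwd(5)-format lines and marking UID 0 names beyond the ones the administrator expects. The sample data is constructed; the `daemon` and `backup` entries and the `EXPECTED_UID0` set are assumptions for illustration.

```python
"""List accounts that share UID 0 in passwd(5)-format data."""

# Constructed sample: the root and toor entries follow the thread; "daemon"
# and "backup" are hypothetical accounts added to show both outcomes.
SAMPLE_PASSWD = """\
# comment and blank lines are skipped

root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
backup:*:0:0:Hypothetical extra account:/home/backup:/bin/sh
"""

# Assumption: the UID 0 names the administrator expects on this host.
EXPECTED_UID0 = frozenset({"root", "toor"})

FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text):
    """Parse 7-field passwd(5) lines into dicts; raise on malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(parts)}")
        entry = dict(zip(FIELDS, parts))
        entry["uid"] = int(entry["uid"])
        entry["gid"] = int(entry["gid"])
        entries.append(entry)
    return entries


def audit_uid0(text, expected=EXPECTED_UID0):
    """Return one finding per UID 0 account, marking names not in `expected`."""
    findings = []
    for entry in parse_passwd(text):
        if entry["uid"] != 0:
            continue
        findings.append({
            "name": entry["name"],
            "expected": entry["name"] in expected,
            # An empty shell field means the default shell, /bin/sh.
            "shell": entry["shell"] or "/bin/sh",
            "home": entry["home"],
        })
    return findings


def unexpected_uid0(text, expected=EXPECTED_UID0):
    """Names of UID 0 accounts that are not on the expected list."""
    return [f["name"] for f in audit_uid0(text, expected) if not f["expected"]]


if __name__ == "__main__":
    for f in audit_uid0(SAMPLE_PASSWD):
        status = "expected" if f["expected"] else "UNEXPECTED"
        print(f'{f["name"]:8} uid=0 shell={f["shell"]:10} {status}')
```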


Security Question

2004-08-15 Thread Justin
For some reason this does not look right. I'm using SpamAssassin and I keep 
seeing this on my console. Does anyone know if this is okay or is this a big 
hole in SpamAssassin?

Aug 13 09:06:14 newman kernel: mail.infospamd[57121]: info: setuid to root 
succeeded
Aug 13 09:06:14 newman kernel: 
Aug 13 09:06:14 newman kernel: mail.infospamd[57121]: Still running as root: 
user not specified with -u, not found, or set to root.  Fall back to nobody.
Aug 13 09:06:14 newman kernel: 
Aug 13 09:07:07 newman kernel: mail.infospamd[680]: connection from 
localhost [127.0.0.1] at port 49431



Newbie Security Question

2004-08-06 Thread James A. Coulter
I recently got my firewall up and configured (many thanks to JJB and everyone else for 
their help) and have been reading the daily security message from root with a great 
deal of interest.

My question is, when I see entries like this:

Aug  5 17:55:54 sara sshd[2099]: Failed password for root from 209.120.224.13
+port 40515 ssh2
Aug  5 17:55:55 sara sshd[2101]: Failed password for root from 209.120.224.13
+port 60426 ssh2
Aug  5 17:55:55 sara sshd[2103]: Failed password for root from 209.120.224.13
+port 54447 ssh2
Aug  5 17:55:59 sara sshd[2105]: Failed password for root from 209.120.224.13
+port 44460 ssh2

is it safe to assume someone has been trying to hack my system?

I did a whois search on the IP and it went to a provider in Colorado.

I'm asking because I'm curious - thanks again for everyone's help.

Jim C.


Re: Newbie Security Question

2004-08-06 Thread Dan Rue
On Fri, Aug 06, 2004 at 08:26:01AM -0500, James A. Coulter wrote:
 I recently got my firewall up and configured (many thanks to JJB and everyone else 
 for their help) and have been reading the daily security message from root with a 
 great deal of interest.
 
 My question is, when I see entries like this:
 
 Aug  5 17:55:54 sara sshd[2099]: Failed password for root from 209.120.224.13
 +port 40515 ssh2
 Aug  5 17:55:55 sara sshd[2101]: Failed password for root from 209.120.224.13
 +port 60426 ssh2
 Aug  5 17:55:55 sara sshd[2103]: Failed password for root from 209.120.224.13
 +port 54447 ssh2
 Aug  5 17:55:59 sara sshd[2105]: Failed password for root from 209.120.224.13
 +port 44460 ssh2
 
 is it safe to assume someone has been trying to hack my system?
 
 Jim C.

Hi Jim, 

Yeah, I get these all the time.  I've always chalked it up to random
script kiddies.  Sometimes I get people trying to log in as generic
usernames like admin, guest, etc.  Make sure that PermitRootLogin is
either set to no or commented out in /etc/ssh/sshd_config, and of course
make sure you are using a good root password.

Now, if you really want to work yourself up, start browsing your
httpd-access logs :)

-dan


Re: Newbie Security Question

2004-08-06 Thread mazpe
Hello James:

That's just letting you know that someone from that IP address tried to
access your system using the root account and the password they provided
failed to authenticate.

Could've been an ssh scanner or something of that nature.

Most likely script kiddies.  

Make sure you do not allow root to login via ssh by setting your
sshd_config PermitRootLogin no.

Use sudo or su - instead.

or you can always use key-based authentication.


Lester A. Mesa
aka: mazpe
-

On Fri, 2004-08-06 at 08:26, James A. Coulter wrote:
 I recently got my firewall up and configured (many thanks to JJB and everyone else 
 for their help) and have been reading the daily security message from root with a 
 great deal of interest.
 
 My question is, when I see entries like this:
 
 Aug  5 17:55:54 sara sshd[2099]: Failed password for root from 209.120.224.13
 +port 40515 ssh2
 Aug  5 17:55:55 sara sshd[2101]: Failed password for root from 209.120.224.13
 +port 60426 ssh2
 Aug  5 17:55:55 sara sshd[2103]: Failed password for root from 209.120.224.13
 +port 54447 ssh2
 Aug  5 17:55:59 sara sshd[2105]: Failed password for root from 209.120.224.13
 +port 44460 ssh2
 
 is it safe to assume someone has been trying to hack my system?
 
 I did a whois search on the IP and it went to a provider in Colorado.
 
 I'm asking because I'm curious - thanks again for everyone's help.
 
 Jim C.
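
Added example (not part of any post in this thread): the replies from Dan Rue and mazpe read these entries as automated password guessing, and the code below groups failed sshd password attempts by source address so that reading can be checked against a log. The sample log is constructed, uses documentation addresses, and treats a leading "+" as a wrapped continuation line, as in the excerpt quoted in the thread.

```python
"""Summarise failed sshd password attempts per source address."""
import re
from collections import OrderedDict

# Constructed sample in the style of the excerpt in the thread. Lines that
# start with "+" continue the previous line (mail-client wrapping).
SAMPLE_LOG = """\
Aug  5 17:55:54 sara sshd[2099]: Failed password for root from 192.0.2.13
+port 40515 ssh2
Aug  5 17:55:55 sara sshd[2101]: Failed password for root from 192.0.2.13
+port 60426 ssh2
Aug  5 17:55:59 sara sshd[2105]: Failed password for illegal user admin from 192.0.2.13 port 44460 ssh2
Aug  5 18:02:10 sara sshd[2140]: Failed password for invalid user guest from 198.51.100.7 port 51022 ssh2
Aug  5 18:03:00 sara sshd[2150]: Accepted publickey for jim from 203.0.113.5 port 40000 ssh2
"""

# Matches both existing accounts and the "invalid user"/"illegal user" forms
# that sshd logs when the requested account does not exist.
FAILED = re.compile(
    r"^(?P<when>\w{3}\s+\d+\s\d\d:\d\d:\d\d)\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"Failed password for (?:(?:invalid|illegal) user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)


def unwrap(text):
    """Rejoin wrapped lines marked with a leading '+'; drop blank lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("+") and lines:
            lines[-1] += " " + raw[1:].strip()
        elif raw.strip():
            lines.append(raw.rstrip())
    return lines


def summarize_failures(text):
    """Map source address -> attempts, targeted users, first and last time."""
    summary = OrderedDict()
    for line in unwrap(text):
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        rec = summary.setdefault(m.group("src"), {
            "attempts": 0,
            "users": set(),
            "first": m.group("when"),
            "last": m.group("when"),
        })
        rec["attempts"] += 1
        rec["users"].add(m.group("user"))
        rec["last"] = m.group("when")
    return summary


def noisy_sources(summary, threshold=3):
    """Sources with at least `threshold` failed attempts."""
    return [src for src, rec in summary.items() if rec["attempts"] >= threshold]


def root_targeted(summary):
    """Sources that tried the root account at least once."""
    return [src for src, rec in summary.items() if "root" in rec["users"]]


if __name__ == "__main__":
    for src, rec in summarize_failures(SAMPLE_LOG).items():
        users = ",".join(sorted(rec["users"]))
        print(f'{src:15} {rec["attempts"]:3} attempts  users={users}  '
              f'{rec["first"]} .. {rec["last"]}')
```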


Re: Updating w. sysinstall (was: Security question)

2003-11-21 Thread Mark Weinem
Hi Kevin!

On Wed, 19 Nov 2003, Kevin McKay wrote:

 So it will not just grab the latest patched binaries for 5.1? 

Correct.


 Is it just for updating between releases and not
 for keeping the current release up to date?

...also correct, just updating between releases.


Greetings, Mark


Re: Security question

2003-11-20 Thread Kevin McKay
Thanks Bryan,

Two other questions, if I do a pkg_add -r openssh today and then the same
command in 6 months will it always be the same precompiled binary sitting on
the server? Or are they updated with patches from time to time?  How does
the openssh port binary differ from the openssh system binary? I have looked
all through the handbook and FAQs but could not find a definitive answer.

Thanks
Kevin McKay

- Original Message - 
From: Bryan Cassidy [EMAIL PROTECTED]
To: Kevin McKay [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, November 19, 2003 11:18 PM
Subject: Re: Security question


 I don't know anything about using sysinstall for security
 patches/upgrades etc. What you're looking for I think is cvsup. Please
 read the handbook on Using CVSUP to get the latest source updates,
 security patches for your release and even updating to a different
 RELEASE or -CURRENT or -STABLE.

 On Wed, 19 Nov 2003 09:23:37 -0800
 Kevin McKay [EMAIL PROTECTED] wrote:

  So it will not just grab the latest patched binaries for 5.1? I am not
 
  sure I understand. Is it just for updating between releases and not
  for keeping the current release up to date?
 
  Kevin
 
  Lowell Gilbert wrote:
 
  Kevin McKay [EMAIL PROTECTED] writes:
  
  
  
  I have read through the documentation but have not been able to find
  a definite answer. I am running a pretty core install of 5.1 minimal
  + bind9, postfix, apache, ssh, no ports collection. Here is my
  question. When I run the binary update from sysinstall will that
  take care of the earlier ssh vulnerability and update apache postfix
  and bind to the most current version?
  
  
  
  You normally need to run the sysinstall from the version you're
  updating to.  You could configure your system's sysinstall to load in
  the later version, and it should be compatible, but I don't know the
  syntax for that offhand...
  
  
 


Re: Security question

2003-11-20 Thread Bryan Cassidy
I personally use the ports tree for installing software. To update the
whole ports tree you could run

cvsup -g -L 2 /usr/share/examples/cvsup/ports-supfile

to get the latest ports *with* the patches for that port.

You can also use cvsup to update your source (/usr/src)

I also use portupgrade to update the installed ports. I have never used
pkg_* because I have always felt pretty comfortable with the ports and
feel no need to switch. I'm sure if openssh has some patches/fixes or
whatever done to the package it will be updated so you can use it.
Example: if you used the ports and gaim-8.0 came out but you only had
0.70 or whatever then all you would need to do is update your ports
(like I showed you above) and do a portupgrade gaim and it would update it
with the latest fixes/patches/version changes or whatever and resolve
any depends you may need. Using the ports is just a personal preference.
I do recommend it though. Please check out this for further reading on
cvsup

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html

On Wed, 19 Nov 2003 23:08:06 -0800
Kevin McKay [EMAIL PROTECTED] wrote:

 Thanks Bryan,
 
 Two other questions, if I do a pkg_add -r openssh today and then the
 same command in 6 months will it always be the same precompiled binary
 sitting on the server? Or are they updated with patches from time to
 time?  How does the openssh port binary differ from the openssh system
 binary? I have looked all through the handbook and FAQs but could not
 find a definitive answer.
 
 Thanks
 Kevin McKay
 
 - Original Message - 
 From: Bryan Cassidy [EMAIL PROTECTED]
 To: Kevin McKay [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Sent: Wednesday, November 19, 2003 11:18 PM
 Subject: Re: Security question
 
 
  I don't know anything about using sysinstall for security
  patches/upgrades etc. What you're looking for I think is cvsup. Please
  read the handbook on Using CVSUP to get the latest source updates,
  security patches for your release and even updating to a different
  RELEASE or -CURRENT or -STABLE.
 
  On Wed, 19 Nov 2003 09:23:37 -0800
  Kevin McKay [EMAIL PROTECTED] wrote:
 
   So it will not just grab the latest patched binaries for 5.1? I am
   not
  
   sure I understand. Is it just for updating between releases and
   not for keeping the current release up to date?
  
   Kevin
  
   Lowell Gilbert wrote:
  
   Kevin McKay [EMAIL PROTECTED] writes:
   
   
   
   I have read through the documentation but have not been able to
   find a definite answer. I am running a pretty core install of 5.1
   minimal + bind9, postfix, apache, ssh, no ports collection. Here
   is my question. When I run the binary update from sysinstall will
   that take care of the earlier ssh vulnerability and update apache
   postfix and bind to the most current version?
   
   
   
   You normally need to run the sysinstall from the version you're
   updating to.  You could configure your system's sysinstall to
   load in the later version, and it should be compatible, but I
   don't know the syntax for that offhand...
   
   
  


Re: Security question

2003-11-20 Thread Peter Risdon
Kevin McKay [EMAIL PROTECTED] writes:

You normally need to run the sysinstall from the version you're

updating to.  You could configure your system's sysinstall to
load in the later version, and it should be compatible, but I
don't know the syntax for that offhand...
 

For reference, you change the version in the options menu of sysinstall, 
then go to the configure menu and install packages/distributions as needed.

But I echo the comments about cvsup/portupgrade - definitely a better 
way to go.

PWR.



Re: Security question

2003-11-19 Thread Bryan Cassidy
I've never used sysinstall for anything but installing the operating
system. I'm sure what you want is cvsup. Use the
/usr/share/examples/cvsup/standard-supfile for updating source then
follow instructions in handbook on make world to update the system.

On Tue, 18 Nov 2003 21:09:03 -0800
Kevin McKay [EMAIL PROTECTED] wrote:

 Hello,
 
 I have read through the documentation but have not been able to find a
 definite answer. I am running a pretty core install of 5.1 minimal +
 bind9, postfix, apache, ssh, no ports collection. Here is my question.
 When I run the binary update from sysinstall will that take care of
 the earlier ssh vulnerability and update apache postfix and bind to
 the most current version? 
 
 Thanks
 Kevin McKay


Re: Security question

2003-11-19 Thread Lowell Gilbert
Kevin McKay [EMAIL PROTECTED] writes:

 I have read through the documentation but have not been able to find
 a definite answer. I am running a pretty core install of 5.1 minimal
 + bind9, postfix, apache, ssh, no ports collection. Here is my
 question. When I run the binary update from sysinstall will that
 take care of the earlier ssh vulnerability and update apache postfix
 and bind to the most current version?

You normally need to run the sysinstall from the version you're
updating to.  You could configure your system's sysinstall to load in
the later version, and it should be compatible, but I don't know the
syntax for that offhand...


Re: Security question

2003-11-19 Thread Kevin McKay
So it will not just grab the latest patched binaries for 5.1? I am not 
sure I understand. Is it just for updating between releases and not for 
keeping the current release up to date?

Kevin

Lowell Gilbert wrote:

Kevin McKay [EMAIL PROTECTED] writes:

 

I have read through the documentation but have not been able to find
a definite answer. I am running a pretty core install of 5.1 minimal
+ bind9, postfix, apache, ssh, no ports collection. Here is my
question. When I run the binary update from sysinstall will that
take care of the earlier ssh vulnerability and update apache postfix
and bind to the most current version?
   

You normally need to run the sysinstall from the version you're
updating to.  You could configure your system's sysinstall to load in
the later version, and it should be compatible, but I don't know the
syntax for that offhand...
 



Re: Security question

2003-11-19 Thread Bryan Cassidy
I don't know anything about using sysinstall for security
patches/upgrades etc. What you're looking for I think is cvsup. Please
read the handbook on Using CVSUP to get the latest source updates,
security patches for your release and even updating to a different
RELEASE or -CURRENT or -STABLE.

On Wed, 19 Nov 2003 09:23:37 -0800
Kevin McKay [EMAIL PROTECTED] wrote:

 So it will not just grab the latest patched binaries for 5.1? I am not
 
 sure I understand. Is it just for updating between releases and not
 for keeping the current release up to date?
 
 Kevin
 
 Lowell Gilbert wrote:
 
 Kevin McKay [EMAIL PROTECTED] writes:
 
   
 
 I have read through the documentation but have not been able to find
 a definite answer. I am running a pretty core install of 5.1 minimal
 + bind9, postfix, apache, ssh, no ports collection. Here is my
 question. When I run the binary update from sysinstall will that
 take care of the earlier ssh vulnerability and update apache postfix
 and bind to the most current version?
 
 
 
 You normally need to run the sysinstall from the version you're
 updating to.  You could configure your system's sysinstall to load in
 the later version, and it should be compatible, but I don't know the
 syntax for that offhand...
   
 
 


Security question

2003-11-18 Thread Kevin McKay
Hello,

I have read through the documentation but have not been able to find a definite 
answer. I am running a pretty core install of 5.1 minimal + bind9, postfix, apache, 
ssh, no ports collection. Here is my question. When I run the binary update from 
sysinstall will that take care of the earlier ssh vulnerability and update apache 
postfix and bind to the most current version? 

Thanks
Kevin McKay


Beginner Security Question

2003-11-17 Thread Jon Cavalier


hello,

after lots of research and configuration, i finally
have a freebsd box with a comfortable custom
interface, lots of multimedia bells and whistles, and
shortcuts to all of my most-used applications.

i'm still fumbling with text, in that i haven't found
a way to cut and paste from one terminal window to
another (i would welcome any suggestions as to how to
implement this, if it's even possible).  but for the
most part i can do everything i could do with my win
and mac machines before i started on this enlightening
bsd journey, quite reliably.

so now my question is, since i haven't really crossed
the next bridge which is to familiarize myself fully
with the security aspects of freebsd..

is this thing safe?

what i mean is, how does the security of a stock
freebsd 4.7 install and xfree86, using dhcp to access
the internet compare with say a stock windows or mac
computer?  i'd like to start enjoying mozilla, irc,
etc., but since i've used this machine for development
only, i'm curious how it stands up.  can i leave my
machine online while i go to work, without someone
easily popping in and planting a rootkit?  i'm already
aware of programs like tripwire, nessus, and nmap,
which came to me highly recommended, but i'm just not
there yet with the configuration.  i'm also behind a
basic $40 router firewall so i'm guessing that i
probably don't have much more to worry about than most
average pc users do (probably a lot LESS given the
incessant patching i've had to do with my xp box).

i'd be grateful for any information or experiences you
can share.


thanks in advance,

j






RE: Beginner Security Question

2003-11-17 Thread fbsd_user
Using Mouse copy/paste function.
FBSD has a built-in copy/paste function which is not enabled by
default. You will find it very useful when editing a file or any
time you want to copy & paste some message from your screen to a
file. There is no 'cut' function as we know it from MS/Windows.
Copy and paste functions in the virtual console assume that there
are three buttons on the mouse. The logical button 1 (logical left)
selects a region of text in the console and copies it to the paste
buffer. The logical button 3 (logical right) extends the selected
region. The logical button 2 (logical middle) pastes the selected
text at the text cursor position. If your mouse has only two
buttons, the middle, `paste' button is not available by default. To
obtain the paste function for a 2 button mouse, use the
moused_flags= option of rc.conf with the -m 2=3 value to assign the
physical right button to the logical middle button. If you man
moused to read the manual documentation, you will see that they call
it cut/paste. That is an error in the man info, just think of it as
copy/paste.

moused_enable="YES"
moused_port="/dev/psm0"   # you may have a different device here, that's ok
moused_type="auto"
moused_flags="-m 2=3"     # config for 2 button mouse


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Jon
Cavalier
Sent: Monday, November 17, 2003 7:42 PM
To: [EMAIL PROTECTED]
Subject: Beginner Security Question


hello,

after lots of research and configuration, i finally
have a freebsd box with a comfortable custom
interface, lots of multimedia bells and whistles, and
shortcuts to all of my most-used applications.

i'm still fumbling with text, in that i haven't found
a way to cut and paste from one terminal window to
another (i would welcome any suggestions as to how to
implement this, if it's even possible).  but for the
most part i can do everything i could do with my win
and mac machines before i started on this enlightening
bsd journey, quite reliably.

so now my question is, since i haven't really crossed
the next bridge which is to familiarize myself fully
with the security aspects of freebsd..

is this thing safe?

what i mean is, how does the security of a stock
freebsd 4.7 install and xfree86, using dhcp to access
the internet compare with say a stock windows or mac
computer?  i'd like to start enjoying mozilla, irc,
etc., but since i've used this machine for development
only, i'm curious how it stands up.  can i leave my
machine online while i go to work, without someone
easily popping in and planting a rootkit?  i'm already
aware of programs like tripwire, nessus, and nmap,
which came to me highly recommended, but i'm just not
there yet with the configuration.  i'm also behind a
basic $40 router firewall so i'm guessing that i
probably don't have much more to worry about than most
average pc users do (probably a lot LESS given the
incessant patching i've had to do with my xp box).

i'd be grateful for any information or experiences you
can share.


thanks in advance,

j






Re: Beginner Security Question

2003-11-17 Thread Alex de Kruijff
On Mon, Nov 17, 2003 at 04:42:20PM -0800, Jon Cavalier wrote:
 so now my question is, since i haven't really crossed
 the next bridge which is to familiarize myself fully
 with the security aspects of freebsd..
 
 is this thing safe?

Yes. You have to do three things just like you have to do with windows.
1. Setup a firewall (FreeBSD has two options available in the system for
this)
2. Update your system from time to time.
3. Don't have easy passwords.

 can i leave my machine online while i go to work, without someone
 easily popping in and planting a rootkit? 

I do.

-- 
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/


Security question (simple).

2003-08-22 Thread Lewis Thompson
Hi,

  I'm fairly new to network/machine security (but I know enough to write
some firewall rules, just the basics.  I guess I'm getting on for
novice, or something ;)

  I'm running two jails on my box, which has a dialup connection to the
'net.  It's all firewalled off and only certain things are available
from outside.  For incoming WWW I have some port-forwarding going on
(natd), which bounces it to the httpd running in the jail.  Am I right
in thinking if I am running some inherently insecure application there
is ABSOLUTELY NO WAY anybody can exploit it if it's not listening on the
dial-up interface?  I mean, without rooting the host system first.  Or,
if it's not, it's still pretty hard, right?

-lewiz.

-- 
I was so much older then, I'm younger than that now.  --Bob Dylan, 1964.

-| msn:[EMAIL PROTECTED] | jab:[EMAIL PROTECTED] | url:http://lewiz.net |-




Re: Security question (simple).

2003-08-22 Thread lukek
I wonder if the better policy is to not run inherently insecure applications
to begin with. In theory if no-one can get to that box or make use of that
application from the internet then your only threats become internal ones.

Just for curiosity's sake what does nmap tell you about your box/interface
from an outside perspective? Another great check is sockstat -4 which will
list the services running and the IP/port number they're running on.

HTH

LukeK

- Original Message -
From: "Lewis Thompson" [EMAIL PROTECTED]
To: "FreeBSD-questions" [EMAIL PROTECTED]
Sent: 2003年8月23日 9:08
Subject: Security question (simple).
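
Added example (not part of any post in this thread): one way to act on the sockstat -4 suggestion is to classify each listening socket by how it can be reached, including a service that is bound only to a jail address but is the target of a natd port forward, which is the setup described in the question. The sockstat listing is constructed; the addresses, the `FORWARDED` set and the function names are assumptions for illustration.

```python
"""Classify listening sockets from `sockstat -4` output by reachability."""

# Constructed sample in sockstat's column layout. Assumptions: 203.0.113.40 is
# the dial-up interface address and 192.168.10.2 is the jail's address.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       412   3  tcp4   *:22                  *:*
www      httpd      733   16 tcp4   192.168.10.2:80       *:*
bind     named      301   20 udp4   127.0.0.1:53          *:*
lewis    ircd       900   5  tcp4   203.0.113.40:6667     *:*
lewis    ssh        955   3  tcp4   203.0.113.40:49152    198.51.100.9:22
"""

EXTERNAL_ADDR = "203.0.113.40"
# Assumption: natd forwards external TCP port 80 to the httpd in the jail.
FORWARDED = frozenset({("tcp", "192.168.10.2", 80)})


def parse_listeners(text):
    """Return listening sockets (foreign address '*:*') as dicts."""
    rows = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 7:
            continue  # header line or anything that is not a socket row
        _user, command, _pid, _fd, proto, local, foreign = cols
        if foreign != "*:*":
            continue  # established connection, not a listener
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue  # unbound socket shown as '*:*'
        rows.append({
            "command": command,
            "proto": proto.rstrip("46"),  # tcp4 -> tcp, udp4 -> udp
            "addr": addr,
            "port": int(port),
            "local": local,
        })
    return rows


def reachable_from_outside(text, external_addr, forwarded=frozenset()):
    """List (command, local address, reason) for externally reachable sockets.

    'wildcard' and 'external' sockets accept traffic arriving on the outside
    interface unless a firewall rule blocks it; 'forwarded' sockets are not
    bound to that interface but still receive outside traffic through the
    port forward.
    """
    hits = []
    for s in parse_listeners(text):
        if s["addr"] == "*":
            reason = "wildcard"
        elif s["addr"] == external_addr:
            reason = "external"
        elif (s["proto"], s["addr"], s["port"]) in forwarded:
            reason = "forwarded"
        else:
            continue  # bound to loopback or an internal-only address
        hits.append((s["command"], s["local"], reason))
    return hits


if __name__ == "__main__":
    for command, local, reason in reachable_from_outside(
            SAMPLE_SOCKSTAT, EXTERNAL_ADDR, FORWARDED):
        print(f"{command:8} {local:22} {reason}")
```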

procmail security question

2002-12-30 Thread Dick Hoogendijk
Maybe a silly question but still, security has to be as high as
possible, so, here it is:

I installed procmail and got the fbsd warning about the program running
with set user and group ID (root/mail) known as a security risk.
What about this message? Procmail has permission 6755. Is it necessary
for the prog to be world readable/executable? Do I need to set things
different or do I see ghosts? :-))

-- 
dick -- http://www.nagual.st/ -- PGP/GnuPG key: F86289CE
++ Running FreeBSD 4.7 ++ Debian GNU/Linux (Woody)

To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message



Re: procmail security question

2002-12-30 Thread Andrew Prewett
Today Dick Hoogendijk wrote:

 Maybe a silly question but still, security has to be as high as
 possible, so, here it is:

 I installed procmail and got the fbsd warning about the program running
 with set user and group ID (root/mail) known as a security risk.
 What about this message? Procmail has permission 6755. Is it necessary
 for the prog to be world readable/executable? Do I need to set things
 different or do I see ghosts? :-))

 How do you use procmail? Do you use it with sendmail? Is procmail the local
delivery agent or invoked from the user ~/.forward* file? Is sendmail
setuid root or running as root (confRUN_AS_USER/RunAsUser)?

 So there are many open questions. Drop the setuid/setgid bits, and see
what happens.

-andrew


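
Added example (not part of any post in this thread): the mode 6755 quoted in the question combines the set-user-ID and set-group-ID bits with 755, and the code below decodes such a mode, shows the mode that remains once those two bits are dropped, and lists the files under a directory that carry either bit. The function names are chosen for this example.

```python
"""Decode special permission bits such as 6755 and find files that carry them."""
import os
import stat

SPECIAL = stat.S_ISUID | stat.S_ISGID


def describe_mode(mode):
    """Explain the setuid/setgid and world bits of a numeric file mode."""
    return {
        "setuid": bool(mode & stat.S_ISUID),
        "setgid": bool(mode & stat.S_ISGID),
        "world_readable": bool(mode & stat.S_IROTH),
        "world_writable": bool(mode & stat.S_IWOTH),
        "world_executable": bool(mode & stat.S_IXOTH),
        # Same notation as `ls -l` prints for a regular file.
        "symbolic": stat.filemode(stat.S_IFREG | mode),
    }


def without_special_bits(mode):
    """Mode left after clearing set-user-ID and set-group-ID."""
    return mode & ~SPECIAL & 0o7777


def find_privileged_files(root):
    """Return (path, octal mode, uid, gid) for setuid/setgid regular files."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if stat.S_ISREG(st.st_mode) and st.st_mode & SPECIAL:
                found.append(
                    (path, oct(stat.S_IMODE(st.st_mode)), st.st_uid, st.st_gid))
    return sorted(found)


if __name__ == "__main__":
    info = describe_mode(0o6755)
    print("6755 ->", info["symbolic"], info)
    print("after dropping the bits:", oct(without_special_bits(0o6755)))
    for path, mode, uid, gid in find_privileged_files("/usr/local/bin"):
        print(mode, uid, gid, path)
```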