Re: FreeBSD 2.2.5 Security problem

[doogie () ANET-STL COM (Jason Young)]

This is a feature. The information isn't lost unless the system dies
very badly between the incident and the time syslog decides to commit it
to disk. A quick glance at the source seems to indicate that it will
flush these results to the file at 30, 120, and then 600 second
intervals as long as those messages are repeating with nothing else
inbetween.

One reason for this is to avoid things like an attacker deliberately
causing useless information to be logged repetetively until the logging
partition is full, and then to be able to do whatever he or she wishes
without being observed.

I find it to be a good, useful feature. You may not. If it truly bothers
you, recompile a copy for yourself without this feature.

Jason Young
ANET Chief Network Engineer

> -----Original Message-----
> From: Missouri FreeNet Administration [mailto:measl () MFN ORG]
> Sent: Saturday, January 02, 1999 4:14 PM
> To: BUGTRAQ () netspace org
> Subject: FreeBSD 2.2.5 Security problem
>
>
> Greetings, how is everyone after the 30 day pig-out? ;-0
>
> We originally posted this problem to the FreeBSD GNATS system on
> December 20th, and still haven't heard so much as an acknowledgement
> of the report (GNATS#: i386/9141).  I figured with the holidays, they
> were all busy, and would [eventually] get to it, but today I checked
> and saw that several GNATS reports on either side of this one (some
> as recent as today) have been looked at, processed, and even closed!
> So...
>
> FreeBSD 2.2.5-R (other rev's not tested) fail to log
> penetration attempts
> on quiescent systems properly when using syslog (to any
> target).  Failed
> login attempts (*any* number of them) will not be reported
> until a user name
> which is *different* from the failed name is entered.  For
> example, I can
> attempt to penetrate the root password *all day long* without
> getting a
> syslog report, provided a name other than root is not
> entered.  The reson
> for this is that there is an attempt to de-verbosify syslog
> reporting in
> FBSD which accumulates a counter for events, and then reports
> a cumulative
> total.  In this attempt to save verbiage, they are tallying
> all the failed
> attempts, *rather* than *reporting* them!
>
> This is (obviously) not going to be an issue on a busy system, as
> *someone* other than the target account is likely to log in
> and flush the
> counter report, but on a selected system, such as a name server, this
> could be a devastating flaw...
>
>
> Yours,
> J.A. Terranson
> sysadmin () mfn org
>
> --
> If Governments really want us to behave like civilized human
> beings, they
> should give serious consideration towards setting a better example:
> Ruling by force, rather than consensus; the unrestrained
> application of
> unjust laws (which the victim-populations were never allowed
> input on in
> the first place); the State policy of justice only for the rich and
> elected; the intentional abuse and occassionally destruction of entire
> populations merely to distract an already apathetic and numb
> electorate...
> This type of demogoguery must surely wipe out the fascist
> United States
> as surely as it wiped out the fascist Union of Soviet
> Socialist Republics.
>
> The views expressed here are mine, and NOT those of my employers,
> associates, or others.  Besides, if it *were* the opinion of all of
> those people, I doubt there would be a problem to bitch about in the
> first place...
> --------------------------------------------------------------------