Bugtraq mailing list archives
Re: FreeBSD 2.2.5 Security problem
From: doogie () ANET-STL COM (Jason Young)
Date: Sun, 3 Jan 1999 16:07:21 -0600
This is a feature. The information isn't lost unless the system dies very badly between the incident and the time syslog decides to commit it to disk. A quick glance at the source seems to indicate that it will flush these results to the file at 30, 120, and then 600 second intervals as long as those messages are repeating with nothing else inbetween. One reason for this is to avoid things like an attacker deliberately causing useless information to be logged repetetively until the logging partition is full, and then to be able to do whatever he or she wishes without being observed. I find it to be a good, useful feature. You may not. If it truly bothers you, recompile a copy for yourself without this feature. Jason Young ANET Chief Network Engineer
-----Original Message----- From: Missouri FreeNet Administration [mailto:measl () MFN ORG] Sent: Saturday, January 02, 1999 4:14 PM To: BUGTRAQ () netspace org Subject: FreeBSD 2.2.5 Security problem Greetings, how is everyone after the 30 day pig-out? ;-0 We originally posted this problem to the FreeBSD GNATS system on December 20th, and still haven't heard so much as an acknowledgement of the report (GNATS#: i386/9141). I figured with the holidays, they were all busy, and would [eventually] get to it, but today I checked and saw that several GNATS reports on either side of this one (some as recent as today) have been looked at, processed, and even closed! So... FreeBSD 2.2.5-R (other rev's not tested) fail to log penetration attempts on quiescent systems properly when using syslog (to any target). Failed login attempts (*any* number of them) will not be reported until a user name which is *different* from the failed name is entered. For example, I can attempt to penetrate the root password *all day long* without getting a syslog report, provided a name other than root is not entered. The reson for this is that there is an attempt to de-verbosify syslog reporting in FBSD which accumulates a counter for events, and then reports a cumulative total. In this attempt to save verbiage, they are tallying all the failed attempts, *rather* than *reporting* them! This is (obviously) not going to be an issue on a busy system, as *someone* other than the target account is likely to log in and flush the counter report, but on a selected system, such as a name server, this could be a devastating flaw... Yours, J.A. Terranson sysadmin () mfn org -- If Governments really want us to behave like civilized human beings, they should give serious consideration towards setting a better example: Ruling by force, rather than consensus; the unrestrained application of unjust laws (which the victim-populations were never allowed input on in the first place); the State policy of justice only for the rich and elected; the intentional abuse and occassionally destruction of entire populations merely to distract an already apathetic and numb electorate... This type of demogoguery must surely wipe out the fascist United States as surely as it wiped out the fascist Union of Soviet Socialist Republics. The views expressed here are mine, and NOT those of my employers, associates, or others. Besides, if it *were* the opinion of all of those people, I doubt there would be a problem to bitch about in the first place... --------------------------------------------------------------------
Current thread:
- Re: FreeBSD 2.2.5 Security problem Jason Young (Jan 03)