Re: Is it time to block all Microsoft protocols in the core?

2003-01-28 Thread Joe Abley


On Monday, Jan 27, 2003, at 14:04 Asia/Katmandu, Sean Donelan wrote:


It's not just a Microsoft thing.  SYSLOG opened the network port by
default, and the user has to remember to disable it for only local
logging.


You're using mixed tense in these sentences, so I can't tell whether 
you think that syslog's network port is open by default on operating 
systems today.

On FreeBSD, NetBSD, OpenBSD and Darwin/Mac OS X (the only xterms I 
happen to have open right now) this is not the case, and has not been 
for some time. I presume, perhaps naïvely, that other operating systems 
have done something similar.

[...]

DESCRIPTION
     syslogd reads and logs messages to the system console, log files, other
     machines and/or users as specified by its configuration file.

 The options are as follows:

[...]

     -u      Select the historical ``insecure'' mode, in which syslogd will
             accept input from the UDP port.  Some software wants this, but
             you can be subjected to a variety of attacks over the network,
             including attackers remotely filling logs.

[...]


Joe




Re: Is it time to block all Microsoft protocols in the core?

2003-01-28 Thread David Charlap

Joe Abley wrote:


You're using mixed tense in these sentences, so I can't tell whether you 
think that syslog's network port is open by default on operating systems 
today.

On FreeBSD, NetBSD, OpenBSD and Darwin/Mac OS X (the only xterms I 
happen to have open right now) this is not the case, and has not been 
for some time. I presume, perhaps naïvely, that other operating systems 
have done something similar.

Current versions of Linux appear to be safe.  This is from the syslog 
package that ships with RedHat version 8 (sysklogd package version 
1.4.1-10).

	NAME
	sysklogd - Linux system logging utilities.

	...

	OPTIONS
	...
	-r        This option will enable the facility to receive
	          message from the network using an internet domain
	          socket with the syslog service (see services(5)).
	          The default is to not receive any messages from
	          the network.

	  This option is introduced in version 1.3 of the
	  sysklogd package.   Please note that the default
	  behavior is the opposite of how older versions
	  behave, so you might have to turn this on.

The default RedHat installation does not turn on this option.

Looking through RedHat's FTP server, their 4.2 distribution (the oldest 
on their server) is at version 1.3-15, and therefore incorporates 
this feature.  This release has a README dated 1997, and the sysklogd 
package on their server is dated December 1996.

I would assume that other Linux distributions from the same era (1997 
through the present) would also have sysklogd version 1.3 or later, and 
therefore have this feature.

-- David



Re: Is it time to block all Microsoft protocols in the core?

2003-01-28 Thread Joe Abley


On Wednesday, Jan 29, 2003, at 01:25 Asia/Katmandu, Joe Abley wrote:


On FreeBSD, NetBSD, OpenBSD and Darwin/Mac OS X (the only xterms I 
happen to have open right now) this is not the case, and has not been 
for some time. I presume, perhaps naïvely, that other operating 
systems have done something similar.

This is not right. Guess I was typing man in the wrong xterms.

FreeBSD (4.x, 5.x) listens to the network by default (and can be 
persuaded not to with a -s flag). NetBSD (1.6) does the same.

Darwin/Mac OS X and OpenBSD do not listen by default (and can be 
persuaded to listen with a -u flag). (Looks like Darwin ships with 
OpenBSD's syslogd).

Various people mailed me and told me that Linux does not listen by 
default, presumably for commonly-packaged values of Linux.


Joe



Re: Is it time to block all Microsoft protocols in the core?

2003-01-28 Thread Steven M. Bellovin

In message [EMAIL PROTECTED], Barney Wolff writes:

On Wed, Jan 29, 2003 at 03:50:34AM +0545, Joe Abley wrote:
 
 On Wednesday, Jan 29, 2003, at 01:25 Asia/Katmandu, Joe Abley wrote:
 
 On FreeBSD, NetBSD, OpenBSD and Darwin/Mac OS X (the only xterms I 
 happen to have open right now) this is not the case, and has not been 
 for some time. I presume, perhaps naïvely, that other operating 
 systems have done something similar.
 
 This is not right. Guess I was typing man in the wrong xterms.
 
 FreeBSD (4.x, 5.x) listens to the network by default (and can be 
 persuaded not to with a -s flag). NetBSD (1.6) does the same.

You were right the first time, at least for FreeBSD.  The -s flag
is applied by default - see /etc/defaults/rc.conf .  Not quite as
idiot-proof as a compiled-in default, but way better than defaulting
to listening.

The same is true of NetBSD 1.6; look in the same place.


--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com (2nd edition of Firewalls book)
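The point Steve makes above is that the "secure" behaviour on FreeBSD and NetBSD comes from syslogd_flags in /etc/defaults/rc.conf rather than from a compiled-in default, so a local /etc/rc.conf can silently undo it. The script below is an added example, not something posted in the thread: it resolves the effective syslogd_flags the way rc(8) does (the defaults file first, then /etc/rc.conf overriding it), classifies the result as secure or listening, and separately looks for UDP/514 bound on a non-loopback address in a sockstat -l style listing. The rc.conf excerpts and the socket listing it reads are constructed samples, and the column layout assumed for the listing is the FreeBSD sockstat one (USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS).

```shell
#!/bin/sh
# Added example, not from the thread: decide whether a BSD-style syslogd is
# set up to accept UDP input, using two independent signals:
#   1. the effective syslogd_flags, resolved like rc(8): /etc/defaults/rc.conf
#      supplies the default and /etc/rc.conf overrides it;
#   2. a listing of listening sockets (sockstat -l style, assumed layout).
# Every file and listing below is a constructed sample.

# Print the value of the last syslogd_flags assignment in a file (quotes and
# trailing comment stripped); prints an empty line when the value is "".
flags_in_file() {
    [ -r "$1" ] || return 0
    awk -v q="'" '
        /^[ \t]*syslogd_flags=/ {
            v = substr($0, index($0, "=") + 1)
            sub(/[ \t]*#.*$/, "", v)                      # drop comment
            gsub("^[ \t\"" q "]+|[ \t\"" q "]+$", "", v)  # drop quotes
            last = v
        }
        END { print last }' "$1"
}

# Resolve syslogd_flags across the defaults file ($1) and the override ($2):
# a later file that assigns the variable wins, even if it assigns "".
effective_syslogd_flags() {
    flags=""
    for f in "$1" "$2"; do
        [ -r "$f" ] || continue
        if grep -q '^[[:space:]]*syslogd_flags=' "$f"; then
            flags=$(flags_in_file "$f")
        fi
    done
    printf '%s\n' "$flags"
}

# "secure" when some option word carries the s letter (-s, -ss, -sv ...),
# i.e. FreeBSD/NetBSD syslogd will not accept input on the UDP port;
# "listening" otherwise. Option arguments (e.g. "-l /var/run/log") are
# separate words and do not match.
syslogd_mode() {
    for tok in $1; do
        case "$tok" in
            -*s*) echo secure; return 0 ;;
        esac
    done
    echo listening
}

# Read a sockstat -l style listing on stdin; print the command names bound
# to UDP port 514 on anything other than a loopback address.
udp514_listeners() {
    awk 'NR > 1 && $5 ~ /^udp/ && $6 ~ /:514$/ &&
         $6 !~ /^127\./ && $6 !~ /^::1:/ { print $2 }'
}

# Constructed samples: a defaults file that is secure, and a local rc.conf
# that re-enables network input by assigning an empty flag string.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
DEFAULTS="$TMPD/defaults-rc.conf"
OVERRIDE="$TMPD/rc.conf"
cat > "$DEFAULTS" <<'EOF'
# constructed excerpt in the style of /etc/defaults/rc.conf
syslogd_enable="YES"
syslogd_flags="-s"          # Flags used to start syslogd.
EOF
cat > "$OVERRIDE" <<'EOF'
# constructed /etc/rc.conf that undoes the default
syslogd_flags=""
EOF
SAMPLE_SOCKETS='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     syslogd    312   4  udp4   *:514                 *:*
root     syslogd    312   5  udp4   127.0.0.1:514         *:*
root     sshd       401   3  tcp4   *:22                  *:*'

# Report on one defaults/override pair plus a socket listing.
report() {
    flags=$(effective_syslogd_flags "$1" "$2")
    printf 'effective syslogd_flags: "%s" -> %s\n' "$flags" "$(syslogd_mode "$flags")"
    printf '%s\n' "$3" | udp514_listeners | while read -r cmd; do
        printf 'UDP/514 bound on a non-loopback address by: %s\n' "$cmd"
    done
}

report "$DEFAULTS" /nonexistent-rc.conf "$SAMPLE_SOCKETS"   # defaults only
report "$DEFAULTS" "$OVERRIDE" "$SAMPLE_SOCKETS"            # with override
```

The second report is the case worth noticing: the defaults file says -s, the local rc.conf assigns an empty string, and the effective flag set is empty, so syslogd listens even though nothing in /etc/rc.conf mentions the network. The socket listing check is the independent confirmation, since it reports what the running daemon actually bound rather than what the configuration implies.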





Re: Is it time to block all Microsoft protocols in the core?

2003-01-28 Thread Joe Abley


On Wednesday, Jan 29, 2003, at 04:56 Asia/Katmandu, Steven M. Bellovin 
wrote:

In message [EMAIL PROTECTED], Barney Wolff 
writes:

On Wed, Jan 29, 2003 at 03:50:34AM +0545, Joe Abley wrote:


On Wednesday, Jan 29, 2003, at 01:25 Asia/Katmandu, Joe Abley wrote:


On FreeBSD, NetBSD, OpenBSD and Darwin/Mac OS X (the only xterms I
happen to have open right now) this is not the case, and has not been
for some time. I presume, perhaps naïvely, that other operating
systems have done something similar.

This is not right. Guess I was typing man in the wrong xterms.

FreeBSD (4.x, 5.x) listens to the network by default (and can be
persuaded not to with a -s flag). NetBSD (1.6) does the same.


You were right the first time, at least for FreeBSD.  The -s flag
is applied by default - see /etc/defaults/rc.conf .  Not quite as
idiot-proof as a compiled-in default, but way better than defaulting
to listening.


The same is true of NetBSD 1.6; look in the same place.


Serves me right for contradicting myself.