Posts

Showing posts with the label freebsd

Trying PC-BSD 8.2-BETA1

After reading PC-BSD 8.2-BETA1 Available for Testing last week I decided to give the latest version of PC-BSD a try on my ESXi server. I failed earlier to get the installation to succeed using PC-BSD 8.1, but I had no real issues with the new BETA1 based on FreeBSD 8.2-PRERELEASE. (PC-BSD will publish their final 8.2 version when the main FreeBSD project publishes 8.2-RELEASE.) For this test I downloaded the 64-bit network installation .iso and installed the OS within ESXi. I decided to try a few new features offered by the PC-BSD installer, namely ZFS and disk encryption for user data as shown in the top screenshot. When I booted the VM I was prompted to enter the passphrase I used when installing the OS:

  da0 at mpt0 bus 0 scbus0 target 0 lun 0
  da0: Fixed Direct Access SCSI-2 device
  da0: 320.000MB/s transfers (160.000MHz, offset 127, 16bit)
  da0: Command Queueing enabled
  da0: 16384MB (33554432 512 byte sectors: 255H 63S/T 2088C)
  Enter passphrase for da0p4:
  GEOM_ELI: Device da0p4....

Trying VirtualBSD 8.1

Reece Tarbert sent an email announcing the availability of VirtualBSD 8.1, a version of FreeBSD 8.1 aimed at demonstrating FreeBSD on the desktop. It's a 1.3 GB zipped VMware image that expands to 4.1 GB. I downloaded the image via BitTorrent, expanded the image, and then used VMware Converter to transfer the VM from my laptop to my ESXi server. I accepted all the defaults and successfully converted the VM. However, after booting the VM I noticed the kernel did not recognize the network card. I shut down the VM, removed the NIC, and added a new e1000 NIC. After booting that version the VM recognized the NIC and got an IP address via DHCP from my Cisco 3750 switch. One of my definitions of "desktop ready" is whether I can see YouTube videos out-of-the-box. As the screen capture shows, VirtualBSD worked without incident. If you're wondering about PC-BSD, I plan to give version 8.2 a try soon. As I tweeted last month, I had trouble with the installer and cou...

Splunk 4.x on FreeBSD 8.x using compat6x Libraries

Two years ago I posted Splunk on FreeBSD 7.0 showing how to use the FreeBSD compat6x libraries to run the 3.4 version of Splunk compiled for FreeBSD 6.x. I decided to try this again, except using the newest Splunk on an amd64 FreeBSD system. As you can see below, it took me only a few minutes to get the system running thanks to the precompiled compat6x-amd64 package. If I needed to install on i386, I could have used the ports tree.

  r200a# uname -a
  FreeBSD r200a.taosecurity.com 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:36:49 UTC 2010     root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
  r200a# pkg_add -r ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-stable/misc/compat6x-amd64-6.4.604000.200810_3.tbz
  Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-stable/misc/compat6x-amd64-6.4.604000.200810_3.tbz... Done.
  *******************************************************************************
  * ...

The Problem Is with Gmail

In my last post I lamented a problem with Sendmail on FreeBSD. I was trying to troubleshoot a problem sending email from FreeBSD's periodic scripts to Gmail. I've determined that, as crazy as this sounds, Gmail is broken. (Some of you are probably not surprised. If you want to skip the drama and see the bottom line, scroll to the bottom of the post.) Let me start my case by showing network transcripts of one successful "periodic" email and one unsuccessful "periodic" email. I'm not going to change any email addresses in this post. The following email is delivered successfully. Computer vm.taosecurity.com sits behind NAT so the public IP is 73.128.35.11. The entries prior to the SMTP transactions (e.g. 074.125.091.027.00025-073.128.035.011.57184: and similar) were added by Tcpflow, which I used to render the transcript manually.

  074.125.091.027.00025-073.128.035.011.57184: 220 mx.google.com ESMTP my6si2476635qcb.101
  073.128.035.011.57184-074.125.0...
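When you are comparing a working and a failing transcript like the ones above, the useful question is which client command drew the first 4xx/5xx reply. The script below is an added example, not code from the original post: it reads a tcpflow -c style transcript (the zero-padded "src.port-dst.port: " prefix identifies direction, since the server side is port 25), pairs each client command with the server's final reply line, skips "250-" continuation lines, and reports whether the message body was accepted. The only transcript line taken from the post is the 220 greeting; the rest of the sample session, the recipient address and the 550 rejection are constructed.

```python
"""Added example (not from the original post): classify a tcpflow -c style
SMTP transcript by pairing each client command with the server's reply."""
import re
from dataclasses import dataclass

# tcpflow -c prefixes each chunk with "sss.sss.sss.sss.ppppp-ddd.ddd.ddd.ddd.ppppp: "
FLOW_RE = re.compile(
    r"^(?P<src>\d{3}(?:\.\d{3}){3})\.(?P<sport>\d{5})-"
    r"(?P<dst>\d{3}(?:\.\d{3}){3})\.(?P<dport>\d{5}):\s?(?P<data>.*)$"
)
REPLY_RE = re.compile(r"^(\d{3})([ -])")   # "250 " final line, "250-" continuation


def unpad(ip):
    """tcpflow zero-pads octets: '074.125.091.027' -> '74.125.91.27'."""
    return ".".join(str(int(octet)) for octet in ip.split("."))


@dataclass
class Step:
    command: str   # client line that drew the reply; '<greeting>' for the banner
    code: int      # SMTP reply code
    reply: str     # final line of the (possibly multi-line) reply


def parse_transcript(text, smtp_port=25):
    """Walk the transcript and return one Step per server reply."""
    steps, pending, in_data = [], "<greeting>", False
    for raw in text.splitlines():
        m = FLOW_RE.match(raw)
        if not m:
            continue
        data = m.group("data").rstrip("\r")
        if int(m.group("sport")) == smtp_port:          # server -> client
            r = REPLY_RE.match(data)
            if not r or r.group(2) == "-":              # skip continuation lines
                continue
            code = int(r.group(1))
            steps.append(Step(pending, code, data))
            if pending == "DATA" and code == 354:       # body follows until a lone '.'
                in_data = True
        else:                                           # client -> server
            if in_data:
                if data == ".":
                    in_data, pending = False, "."
                continue
            pending = data
    return steps


def verdict(steps):
    """'delivered' if the body got a 250, else the first 4xx/5xx reply seen."""
    for s in steps:
        if s.code >= 400:
            return f"failed at {s.command!r}: {s.reply}"
    if any(s.command == "." and s.code == 250 for s in steps):
        return "delivered"
    return "incomplete"


# Constructed sample session; only the 220 greeting line comes from the post.
SERVER = "074.125.091.027.00025-073.128.035.011.57184: "
CLIENT = "073.128.035.011.57184-074.125.091.027.00025: "
GOOD = "\n".join([
    SERVER + "220 mx.google.com ESMTP my6si2476635qcb.101",
    CLIENT + "EHLO vm.taosecurity.com",
    SERVER + "250-mx.google.com at your service, [73.128.35.11]",
    SERVER + "250 ENHANCEDSTATUSCODES",
    CLIENT + "MAIL From:<root@vm.taosecurity.com> SIZE=1234",
    SERVER + "250 2.1.0 OK",
    CLIENT + "RCPT To:<someone@gmail.com>",
    SERVER + "250 2.1.5 OK",
    CLIENT + "DATA",
    SERVER + "354 Go ahead",
    CLIENT + "Subject: vm.taosecurity.com daily run output",
    CLIENT + "",
    CLIENT + "periodic output goes here",
    CLIENT + ".",
    SERVER + "250 2.0.0 OK",
    CLIENT + "QUIT",
    SERVER + "221 2.0.0 closing connection",
])
# Same session, but the server rejects the message after the terminating '.'
BAD = GOOD.replace(SERVER + "250 2.0.0 OK",
                   SERVER + "550 5.7.1 message rejected (constructed)")

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad", BAD)):
        print(label, unpad(SERVER[:15]), verdict(parse_transcript(sample)))
```

Feed it the real transcripts by pasting them into GOOD and BAD (or reading them from the tcpflow output files); the interesting output is the command named in the "failed at" line, which is where the successful and unsuccessful sessions diverge.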

FreeBSD Sendmail Problem

Thanks for the help with my script issue recently. I was wondering if anyone has seen this problem with Sendmail? I aliased root to "taosecurity at gmail dot com" as shown below. (I used the real email address on the computer.) This is a fresh install of FreeBSD 8.1.

  $ uname -a
  FreeBSD vm.taosecurity.com 8.1-RELEASE FreeBSD 8.1-RELEASE #0: \
  Mon Jul 19 02:55:53 UTC 2010 \
  root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386

vm# diff -u /etc/aliases /etc/aliases.orig --- /etc/aliases 2010-11-18 10:30:37.000000000 -0500 +++ /etc/aliases.orig 2010-11-18 10:30:26.000000000 -0500 @@ -18,7 +18,6 @@ # root's email from here. # root: me@my.domain -root: taosecurity at gmail dot com # Basic system aliases -- these MUST be present MAILER-DAEMON: postmaster

  vm# newaliases
  /etc/mail/aliases: 28 aliases, longest 21 bytes, 300 bytes total

My /etc/mail and /var/spool directories are "pristine from the factory":

  vm# ls -al /etc/mail
  total 300
  drwxr-xr-x  2 ro...
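Review bot: the hunk's direction is reversed, because `diff -u /etc/aliases /etc/aliases.orig` passes the edited file as the "old" side and the pristine copy as the "new" side, so the alias that was added appears as `-root: taosecurity at gmail dot com` under `@@ -18,7 +18,6 @@`, and a reader skimming it would conclude root's alias had been removed. Swapping the arguments (`diff -u /etc/aliases.orig /etc/aliases`) gives the conventional `+root: ...` line with `@@ -18,6 +18,7 @@`. The hunk does confirm that the `# root: me@my.domain` template line stays commented out, so the new alias is the only entry for root.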

Calling FreeBSD Startup Script Experts

Has anyone encountered this situation? I've found several startup scripts on FreeBSD that result in duplicate arguments passed during startup. For example:

  vm# uname -a
  FreeBSD vm.taosecurity.com 7.3-RELEASE FreeBSD 7.3-RELEASE #0: Sun Mar 21 06:15:01 UTC 2010     root@walker.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
  vm# pkg_info
  sancp-1.6.1_3       A network connection profiler
  vm# cat /etc/rc.conf
  # -- sysinstall generated deltas -- # Fri Nov 12 16:36:42 2010
  # Created: Fri Nov 12 16:36:42 2010
  # Enable network daemons for user convenience.
  # Please make all changes to this file, not to /etc/defaults/rc.conf.
  # This file now contains just the overrides from /etc/defaults/rc.conf.
  defaultrouter="10.10.1.1"
  hostname="vm.taosecurity.com"
  ifconfig_em0="inet 10.10.1.13 netmask 255.255.255.0"
  sshd_enable="YES"
  sancp_enable="YES"
  sancp_interface="em0"
  vm# cat /usr/local/etc/rc.d/sancp
  #!/bin/sh
  #
  # PROVIDE: sancp
  # ...

NYCBSDCon 2010 Registration Open

Registration for NYCBSDCon 2010 is now open. As usual George and friends have assembled a great schedule! If you're in the New York City area or within travel distance, check it out.

Keeping FreeBSD Applications Up-to-Date in BSD Magazine

The March 2010 BSD Magazine includes an article I wrote titled Keeping FreeBSD Applications Up-to-Date. It's a sequel to my article in the January 2010 BSD Magazine titled Keeping FreeBSD Up-to-Date: OS Essentials. These two articles replace the versions I wrote in 2005. I wrote them to demonstrate the variety of ways a system administrator can keep the FreeBSD operating system and applications up-to-date, with examples showing commands and effects.

Keeping FreeBSD Up-to-Date in BSD Magazine

Keep your eyes open for the latest printed BSD Magazine, with my article Keeping FreeBSD Up-To-Date: OS Essentials. This article is something like 18 pages long, because at the last minute the publishers had several authors withdraw articles. The publishers decided to print the extended version of my article, so it's far longer than I expected! We're currently editing the companion piece on keeping FreeBSD applications up-to-date. I expect to also submit an article on running Sguil on FreeBSD 8.0 when I get a chance to test the latest version in my lab.

Troubleshooting FreeBSD Wireless Problem

My main personal workstation is a Thinkpad x60s. As I wrote in Triple-Boot Thinkpad x60s, I have Windows XP, Ubuntu Linux, and FreeBSD installed. However, I rarely use the FreeBSD side. I haven't run FreeBSD on the desktop for several years, but I like to keep FreeBSD on the laptop in case I encounter a situation on the road where I know how to solve a problem with FreeBSD but not Windows or Linux. (Yes I know about [insert favorite VM product here]. I use them. Sometimes there is no substitute for a bare-metal OS.) When I first installed FreeBSD on the x60s (named "neely" here), the wireless NIC, an Intel(R) PRO/Wireless 3945ABG, was not supported on FreeBSD 6.2. So, I used a wireless bridge. That's how the situation stayed until I recently read M.C. Widerkrantz's FreeBSD 7.2 on the Lenovo Thinkpad X60s. It looked easy enough to get the wireless NIC running now that it was supported by the wpi driver. I had used freebsd-update to upgrade the 6.2 to ...

Celebrate FreeBSD 8.0 Release with Donation

With the announcement of FreeBSD 8.0, it seems like a good time to donate to the FreeBSD Foundation, a US 501(c)(3) charity. The Foundation funds and manages projects, sponsors FreeBSD events and Developer Summits, and provides travel grants to FreeBSD developers. It also provides and helps maintain computers and equipment that support FreeBSD development and improvements. I just donated $100. Will anyone match me? Thank you!

6th Issue of BSD Magazine

The 6th issue of BSD Magazine is available now. This edition has several great articles. I liked Jan Stedehouder's article on Triple booting Windows 7, Ubuntu 9.04 and PC-BSD 7.1, Christian Brueffer's article on FreeBSD Security Event Auditing, and the Question and Answer Session of the BSD Certification Group Community with Dru Lavigne and Mikel King. I've been working with the editor at BSD Magazine to publish my articles on keeping FreeBSD up-to-date, so I expect to see them in print within the next few months.

Open Source Vulnerability Disclosure with FreeBSD

The purpose of this post is not to bash Microsoft, but I am going to point out why I prefer relying on open source platforms, especially for sensitive systems. One of the advantages of the open source model is that anyone can identify and evaluate changes. This is especially true of open source projects like FreeBSD. Let's look at a recent security advisory in ntpd to demonstrate what I mean.

  -----BEGIN PGP SIGNED MESSAGE-----
  Hash: SHA1

  =============================================================================
  FreeBSD-SA-09:11.ntpd                                       Security Advisory
                                                            The FreeBSD Project

  Topic:          ntpd stack-based buffer-overflow vulnerability

  Category:       contrib
  Module:         ntpd
  Announced:      2009-06-10
  Credits:        Chris Ries
  Affects:        All supported versions of FreeBSD.
  Corrected:      2009-06-10 10:31:11 UTC (RELENG_7, 7.2-STABLE)
                  2009-06-10 10:31:11 UT...
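Part of "evaluating changes" yourself is reading the advisory header mechanically rather than by eye: the Corrected: block names each branch and the patch level or timestamp at which the fix landed, which is what you compare against uname -r on your hosts. The script below is an added example, not code from the post or the FreeBSD project. It parses the header fields visible above (blank lines and the "=====" rule end a field; indented lines continue the previous one), extracts the corrected branches, and decides whether a given release string already carries the fix. The header text embedded in it is the portion shown in the post plus one constructed continuation line (RELENG_7_2 / 7.2-RELEASE-p1), included only to exercise the continuation logic, not taken from the real advisory.

```python
"""Added example (not from the original post or the FreeBSD project): parse a
FreeBSD security advisory header and check a release string against the
Corrected: branches."""
import re

# Header as shown in the post; the RELENG_7_2 line is constructed for the example.
ADVISORY = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-09:11.ntpd                                       Security Advisory
                                                          The FreeBSD Project

Topic:          ntpd stack-based buffer-overflow vulnerability

Category:       contrib
Module:         ntpd
Announced:      2009-06-10
Credits:        Chris Ries
Affects:        All supported versions of FreeBSD.
Corrected:      2009-06-10 10:31:11 UTC (RELENG_7, 7.2-STABLE)
                2009-06-10 10:31:11 UTC (RELENG_7_2, 7.2-RELEASE-p1)
"""

ID_RE = re.compile(r"FreeBSD-SA-\d\d:\d\d\.[\w.]+")
FIELD_RE = re.compile(r"^(?P<name>[A-Z][A-Za-z ]*):\s+(?P<value>\S.*)$")
CORRECTED_RE = re.compile(
    r"^(?P<when>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC \((?P<branches>[^)]*)\)$"
)


def advisory_id(text):
    m = ID_RE.search(text)
    return m.group(0) if m else None


def parse_header(text):
    """Map 'Field' -> list of values; indented lines continue the previous field."""
    fields, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("="):
            current = None                  # blank line or rule ends a field
            continue
        m = FIELD_RE.match(line)
        if m:
            current = m.group("name")
            fields.setdefault(current, []).append(m.group("value").strip())
        elif current and line[0] == " ":
            fields[current].append(line.strip())
    return fields


def corrected_branches(fields):
    """{'RELENG_7': '2009-06-10 10:31:11', '7.2-STABLE': '2009-06-10 10:31:11', ...}"""
    out = {}
    for entry in fields.get("Corrected", []):
        m = CORRECTED_RE.match(entry)
        if m:
            for branch in m.group("branches").split(","):
                out[branch.strip()] = m.group("when")
    return out


def patchlevel(release):
    """'7.2-RELEASE-p1' -> ('7.2-RELEASE', 1); '7.2-RELEASE' -> ('7.2-RELEASE', 0)."""
    m = re.match(r"^(.*?)(?:-p(\d+))?$", release)
    return m.group(1), int(m.group(2) or 0)


def has_fix(release, branches):
    """True/False for a -RELEASE line the advisory names; None if undecidable.
    -STABLE and -CURRENT are fixed by source date, not patch level, so None."""
    base, level = patchlevel(release)
    if "-RELEASE" not in base:
        return None
    for name in branches:
        fixed_base, fixed_level = patchlevel(name)
        if fixed_base == base:
            return level >= fixed_level
    return None


if __name__ == "__main__":
    fields = parse_header(ADVISORY)
    print(advisory_id(ADVISORY), "-", fields["Topic"][0])
    branches = corrected_branches(fields)
    for rel in ("7.2-RELEASE", "7.2-RELEASE-p1", "7.2-STABLE"):
        print(rel, "has fix:", has_fix(rel, branches))
```

Run it against the full advisory text saved from the mailing list; for a -STABLE box compare the Corrected: timestamp with the date of your last csup/cvsup instead of trusting the patch level.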

Draft Version of New Keeping FreeBSD Applications Up-To-Date

This is a follow-up to my recent post Draft Version of New Keeping FreeBSD Up-To-Date. I updated the draft Keeping FreeBSD Up-To-Date document at http://www.taosecurity.com/kfbutd7.pdf to include new sections on building a kernel and userland on one system and installing on another, and upgrading from one major version of FreeBSD to another via binary upgrades (e.g., 7.1 to 8.0-BETA3, since that just became available). I have also published another draft document titled Keeping FreeBSD Applications Up-To-Date at http://www.taosecurity.com/kfbautd7.pdf. That is a follow-up to my 2004 article of the same name that used FreeBSD 5.x for the examples. The new document includes the following sections:

  Introduction
  FreeBSD Handbook
  A Common Linux Experience
  Simple Package Installation on FreeBSD
  Checking for Vulnerable Packages with Portaudit
  FreeBSD Package Repositories
  Updating Packages by Deletion and Addition
  Introducing the FreeBSD Ports Tree
  Updating the FreeBSD Ports Tr...

Draft Version of New Keeping FreeBSD Up-To-Date

Four years ago I wrote an article titled Keeping FreeBSD Up-To-Date. The goal was to document various ways that a FreeBSD 5.2 system could be updated and upgraded using tools from that time, in an example-driven way that complemented the FreeBSD Handbook. I decided to write an updated version that starts with a FreeBSD 7.1-RELEASE system and ends by running FreeBSD 7.2-STABLE. Sections include:

  Introduction
  FreeBSD Handbook
  The Short Answer
  Understanding FreeBSD Versions
  Learning About Security Issues
  Starting with the Installation
  Installing Gnupg and Importing Keys
  Installing Source Code
  Installing CVSup
  Applying Kernel Patches Manually
  Applying Userland Patches Manually
  Using CVSup to Apply Patches
  Using Csup to Apply Patches
  FreeBSD Update to Upgrade FreeBSD within Versions
  STABLE: The End of the Line for a Single Version
  What Comes Next?
  Conclusion

Looking at the sections, I noted that it might be good to add a section on using FreeBSD Update to upgrade to 8....

Updating FreeBSD Using CVSup through HTTP Proxy

If you've used CVS before, you know that CVS doesn't play well with HTTP proxies. I was looking for a way to run cvsup on FreeBSD behind a proxy when I found a post on the FreeBSD China mailing list. It described using Proxychains with Desproxy to tunnel CVS over a SOCKS proxy through HTTP. Here's how I followed the instructions in my lab environment. First I installed Proxychains from the FreeBSD port. You can see my HTTP proxy is 172.16.2.1 port 3128.

  freebsd7# setenv HTTP_PROXY http://172.16.2.1:3128
  freebsd7# pkg_add -vr proxychains
  ...edited...
  extract: Package name is proxychains-3.1
  extract: CWD to /usr/local
  extract: /usr/local/bin/proxychains
  extract: /usr/local/bin/proxyresolv
  extract: /usr/local/etc/proxychains.conf
  extract: /usr/local/lib/libproxychains.so.3
  extract: /usr/local/lib/libproxychains.so
  extract: /usr/local/lib/libproxychains.la
  extract: /usr/local/lib/libproxychains.a
  extract: execute '/sbin/ldconfig -m /usr/local/lib'
  extract: CWD to ...

Three Free Issues of BSD Magazine in .pdf Format

Karolina at BSD Magazine wanted me to let you know that she has posted three free .pdf issues online. The three cover FreeBSD, OpenBSD, and NetBSD. Apparently BSD Magazine has survived a publishing scare and will continue for the foreseeable future. I may also have an article for FreeBSD out soon.

FreeBSD Pf and Tftp-proxy

Several IP-enabled devices in the lab use TFTP to retrieve configuration files from various locations on the Internet. This pains me. You can probably imagine what these devices are. Unfortunately I don't control how these devices work. I run Sguil at my lab gateway to the Internet. I watch traffic right before the gateway, before it is NAT'd. I really don't care what's on the other side. I mostly care what is leaving the network, so I concentrate my NSM activities there. I noticed one of these TFTP-enabled devices trying to retrieve a file repeatedly. I looked closer at the traffic (thanks to Sguil I keep a record of traffic leaving for the Internet) and noticed I never saw any replies. Simultaneously I received an email from tech support for this device. They told me to unplug all Internet devices from my cable modem and plug the troublesome device into the cable modem overnight (!) My answer to that: "heck no." I decided to run an experiment with...
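The post is cut off before the experiment, so as an added example (not the post's own configuration) here is the pf.conf shape that tftp-proxy(8) documents for this situation: outbound TFTP from the LAN is redirected to the proxy on localhost, the proxy then opens only the return path for each transfer through its anchors, and the request itself is logged so the NSM sensor sees which file each device asks for. The interface name, LAN range, proxy port and the inetd path are assumptions; check the tftp-proxy(8) and pf.conf(5) that ship with your version, since the translation-rule syntax changed in later pf releases.

```pf
# /etc/pf.conf fragment (added example; em1, 10.10.1.0/24 and port 6969 are assumed)
int_if = "em1"
lan    = "10.10.1.0/24"

# tftp-proxy inserts per-transfer nat/rdr/pass rules into these anchors;
# without them the proxy cannot open the return path for the server's data port
nat-anchor "tftp-proxy/*"
rdr-anchor "tftp-proxy/*"

# redirect every outbound TFTP request from the lab LAN to the proxy on localhost
rdr on $int_if inet proto udp from $lan to any port tftp -> 127.0.0.1 port 6969

# filter section: the proxy's own pass rules live here
anchor "tftp-proxy/*"

# log the request so the NSM side records which file each device asks for
pass in log quick on $int_if inet proto udp from $lan to any port tftp
```

The proxy is started from inetd with a line of the form `127.0.0.1:6969 dgram udp wait root /usr/local/libexec/tftp-proxy tftp-proxy -v` in /etc/inetd.conf (the binary path is assumed for the port; -v makes tftp-proxy log each request via syslog, which is a second record to compare with what Sguil captured).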

VirtualBSD: FreeBSD 7.1 Desktop in a VM

Want to try FreeBSD 7.1 in a comfortable, graphical desktop, via a VMware VM? If your answer is yes, visit www.virtualbsd.info and download their 1.5 GB VM. I tried it last night and got it working with VMware Server 1.0.8 by making the following adjustments. Edit VirtualBSD.vmx to say

  #virtualHW.version = "6"
  virtualHW.version = "4"

and VirtualBSD.vmdk to say

  #ddb.virtualHWVersion = "6"
  ddb.virtualHWVersion = "4"

and you will be able to use the VM on VMware Server 1.0.8. Richard Bejtlich is teaching new classes in Europe in 2009. Register by 1 Mar for the best rates.

Notes on Installing Sguil Using FreeBSD 7.1 Packages

It's been a while since I've looked at the Sguil ports for FreeBSD, so I decided to see how they work. In this post I will talk about installing a Sguil sensor and server on a single FreeBSD 7.1 test VM using packages shipped with FreeBSD 7.1. To start with, the system had no packages installed. After running pkg_add -vr sguil-sensor, I watched what was added to the system. I'm only going to document that which I found interesting. The sguil-sensor-0.7.0_2 package installed the following into /usr/local.

  x bin/sguil-sensor/log_packets.sh
  x bin/sguil-sensor/example_agent.tcl
  x bin/sguil-sensor/pcap_agent.tcl
  x bin/sguil-sensor/snort_agent.tcl
  x etc/sguil-sensor/example_agent.conf-sample
  x etc/sguil-sensor/pcap_agent.conf-sample
  x etc/sguil-sensor/snort_agent.conf-sample
  x etc/sguil-sensor/log_packets.conf-sample
  x share/doc/sguil-sensor
  x etc/rc.d/example_agent
  x etc/rc.d/pcap_agent
  x etc/rc.d/snort_agent

Note that you have to copy pcap_agent.conf-sample log_packets.conf-...