Re: CRIME

From: Seth Arnold (sarnold@private)
Date: Mon Apr 29 2002 - 11:53:08 PDT


    On Mon, Apr 29, 2002 at 10:02:06AM -0700, Steve Nichols wrote:
    > If this is not the correct board to post this to I apologize.
    
    I don't know, I'd be surprised .. I'm sure FreeBSD has a -users list.
    
    > We have a FreeBSD 4.3 server that keeps rebooting.
    > I am using $FreeBSD: src/etc/syslog.conf,v 1.13.2.2 2001/02/26 09:26:11
    > phk Exp $
    
    When you report this crash to the FreeBSD groups, I'm sure the first
    thing they'll ask is if you've been able to recreate the crash on 4.4 or
    4.5, or -CURRENT. The next thing they'll ask is if you've kept up with
    all patches available for 4.3.
    
    > I try and log the crash, but have had no success.
    > I wrote a few ksh&perl scripts to do a ps ax every 30 seconds to see
    > what is running and what is killing the server.
    > I also have written a few scripts that output the server life and health
    > (similar to healthd) to a webpage.
    > 
    > There are no processes or daemons that are killing the server.
    > 
    > Anyone know of an extended logging feature that I can use in conjunction
    > with syslogd to log everything that is going on?
    
    Well, under Linux, one normally hooks up a serial console to log kernel
    messages to another machine, and then investigates the crashes using
    the Oops output. I think FreeBSD has a kernel crashdump facility that
    can dump RAM to your swap devices for further investigation with the
    crash utility. Of course, that would probably be useful only if the
    kernel is at fault for the crash. If one of the running processes has
    decided to try to reboot or wedge the machine, the crashdump may not be
    so useful.
    
    > The server runs
    > DNS
    
    What version? BIND has had dozens of horrible security problems. Does it
    run as root or a different uid?
    
    > SENDMAIL
    
    What version? Sendmail has had dozens of horrible security problems. 
    
    > QPOPPER
    
    What version? In the last year, qpopper has had several security problems.
    
    > RADIUS
    
    What version? In the last few months, most radius products have had
    several security problems.
    
    > APACHE (both secure and non-secure)(http&https)
    
    What version? In the last few months, the ApacheSSL and mod-ssl plugins
    have had security problems. (Possibly mitigated by OpenSSL, I don't
    recall.)
    
    > SSH
    
    What version? In the last two years, OpenSSH and ssh.com ssh have had a
    dozen or so security problems.
    
    > FTPD
    
    What version? Updated when? Is it vulnerable to the glob problem?
    
    > MRTG
    
    One of the helper tools mrtg uses has had a security problem in the last
    year. Sorry, I recall fewer details on this one.
    
    > And a few custom cron jobs.
    
    Probably not as suspect as most of the above programs..
    
    Have you updated for the recent rash of zlib problems? I don't know if
    FreeBSD released fixes for 4.3 or not.
    
    http://www.freebsd.org/security/index.html
    
    
    Of course, there are non-security-problem reasons why machines reboot
    too. If you are running on x86 hardware, you can run memtest86,
    available from google ;), to see if your RAM is working well. Beware,
    memtest86 is slow, so don't run it during important hours on important
    machines unless you are out of ideas.
    
    If you can, configure your syslog on all applications to be verbose, and
    try to get the syslog info stored someplace safe .. serial console,
    printer, sent over the network to another host .. you might gain more
    insight into the state of your machine just before it crashes.
    
    
    I hope this helps.
    
    -- 
    http://www.wirex.com/
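Two of the suggestions above (a crash dump the kernel can write before the box goes down, and syslog output kept "someplace safe" on another host) come down to the same thing: make sure the evidence leaves the machine before it reboots. The following is an added example for this thread, not code from the reply above or from the FreeBSD project. It parses the selector/action format of syslog.conf(5), applies the left-to-right selector semantics (a later `fac.level` part resets that facility, `mail.none` drops it), tracks `!prog` blocks, and reports every (facility, level) that some rule writes to a local file, pipe or logged-in user but that no `@host` rule forwards. The sample configuration, the name `loghost.example.net` and all function names are constructed for the example.

```python
"""Audit a FreeBSD-style syslog.conf for messages that never leave the host.

Added example for this mail thread, not from the original reply or FreeBSD.
Local destinations (files, pipes, users, the console) are lost or unreadable
when the machine reboots mid-crash; only '@host' actions are counted as safe.
"""

LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
LEVEL_ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
# Facilities that a '*' selector expands to in this audit (assumed list).
FACILITIES = ["auth", "authpriv", "console", "cron", "daemon", "ftp", "kern",
              "lpr", "mail", "news", "security", "syslog", "user", "uucp"]
FACILITIES += ["local%d" % i for i in range(8)]

# Constructed sample in the layout of a stock FreeBSD 4.x /etc/syslog.conf.
SAMPLE_CONF = """\
# constructed sample, not the real file
*.err;kern.debug;auth.notice;mail.crit\t\t/dev/console
*.notice;kern.debug;lpr.info;mail.crit;news.err\t/var/log/messages
security.*\t\t\t\t\t/var/log/security
mail.info\t\t\t\t\t/var/log/maillog
cron.*\t\t\t\t\t\t/var/log/cron
*.emerg\t\t\t\t\t\t*
kern.*\t\t\t\t\t\t@loghost.example.net
!ppp
*.*\t\t\t\t\t\t/var/log/ppp.log
"""


def expand_part(part):
    """One 'fac[,fac].level' part -> (facilities, set of matching levels).
    Handles '*', 'none', '=lvl' (exact), '!lvl' (below lvl), '!=lvl' (all
    but lvl) and the usual level aliases, as in syslog.conf(5)."""
    facs, _, lvl = part.partition(".")
    facs = FACILITIES if facs == "*" else facs.split(",")
    if lvl == "none":
        return facs, set()
    negate = lvl.startswith("!")
    lvl = lvl.lstrip("!")
    exact = lvl.startswith("=")
    lvl = LEVEL_ALIASES.get(lvl.lstrip("="), lvl.lstrip("="))
    if lvl == "*":
        return facs, set(LEVELS)
    idx = LEVELS.index(lvl)                 # ValueError on an unknown level
    if exact and negate:
        matched = LEVELS[:idx] + LEVELS[idx + 1:]
    elif exact:
        matched = [lvl]
    elif negate:
        matched = LEVELS[:idx]
    else:
        matched = LEVELS[idx:]              # lvl and everything more severe
    return facs, set(matched)


def expand_selector(selector):
    """';'-separated parts apply left to right; each (re)sets the levels of
    the facilities it names, so '*.notice;mail.none' drops mail entirely."""
    by_fac = {}
    for part in selector.split(";"):
        facs, levels = expand_part(part.strip())
        for f in facs:
            if levels:
                by_fac[f] = levels
            else:
                by_fac.pop(f, None)
    return {(f, l) for f, lvls in by_fac.items() for l in lvls}


def parse_rules(conf_text):
    """Yield (scope, selector, action).  '!prog' opens a program block and
    '!*' returns to the global scope; '+host'/'-host' blocks get a prefixed
    scope name.  Comments and blank lines are skipped."""
    scope = "*"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line[0] in "!+-":
            name = line[1:].strip()
            scope = "*" if name in ("", "*") else (
                name if line[0] == "!" else line[0] + name)
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            raise ValueError("malformed rule: %r" % raw)
        yield scope, fields[0], fields[1]


def is_remote(action):
    """Only '@host' actions survive a reboot of this machine."""
    return action.startswith("@")


def local_only(conf_text):
    """Sorted (scope, facility, level) triples that some rule writes locally
    but no '@host' rule in the same scope or the global scope forwards."""
    rules = list(parse_rules(conf_text))
    forwarded = {}
    for scope, selector, action in rules:
        if is_remote(action):
            forwarded.setdefault(scope, set()).update(expand_selector(selector))
    missing = set()
    for scope, selector, action in rules:
        if is_remote(action):
            continue
        covered = forwarded.get(scope, set()) | forwarded.get("*", set())
        missing.update((scope, f, l)
                       for f, l in expand_selector(selector) - covered)
    return sorted(missing)


def unforwarded_facilities(conf_text):
    """Facilities with at least one local-only level in the global scope."""
    return sorted({f for scope, f, _ in local_only(conf_text) if scope == "*"})


if __name__ == "__main__":
    for fac in unforwarded_facilities(SAMPLE_CONF):
        print("not forwarded off-host:", fac)
```

On the sample, only `kern` is forwarded, so everything else the box logs (including the `!ppp` block) stays on local disk and is exactly what you cannot read after a hard reboot. `/dev/console` and `*` are counted as local here on purpose: a console only counts as off-host if it is a serial console wired to another machine. On the receiving side, FreeBSD's syslogd only accepts remote messages from peers named with `-a` (set via `syslogd_flags` in rc.conf), and syslog over UDP is unauthenticated and trivially spoofable, so keep the loghost on a management network rather than exposed to the hosts already listed as suspect. For the kernel-side evidence, FreeBSD 4.x takes the dump device from `dumpdev` in /etc/rc.conf and savecore(8) copies the dump into /var/crash at the next boot.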
    
    
    



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:42:38 PDT