Security
Defeated a DDoS attempt against www.FreeBSDChina.org
Apparently there is some sort of DDoS attack against www.FreeBSDChina.org. What was that? Some internal information told me that it was an intended test against www.freebsdchina.org. We have found some defects in the original website design and they should be corrected soon.
I have plugged in a workaround to defeat the DDoS attack, and the load average has now fallen from 70 to 0.65.
Shall we patch a (possibly) non-exploitable heap overflow?
While I believe that proactive security practice is necessary for every consumer, the most conservative ones would argue that even a security update could possibly break compatibility.
Now I am in trouble. With rsync 2.5.5 installed on a FreeBSD system, we know that it is possible to overflow its heap. However, shall we patch it, or just leave it as-is because it is not exploitable on FreeBSD, unlike Linux’s silly brk(9) implementation?
NetBSD has pf(4) in its src repository now!
Finally, yes, itojun has imported pf(4) into NetBSD. Having pf(4) in base indicates NetBSD’s recognition of pf(4)-related work, and since itojun-san is the security officer of NetBSD, his import has some special meaning.
beastie.frontfree.net under SYNFLOOD attack!
I have watched spurious SYN messages, and apparently this has affected beastie.frontfree.net’s networking subsystem, namely its mail system. The attack is from 203.81.27.11.
Whois indicates 203.81.27.11 is:
beastie.frontfree.net should protect itself!
I have added some SYNFLOOD-proof packet filter rules for beastie.frontfree.net. Interestingly, the filter options seem to “forge” beastie.frontfree.net to be an OpenBSD box.
Nothing can claim itself secure!
Let’s review what I did years ago. I say, nothing can claim itself secure! Nothing, nothing, nothing!!
A firewall to cut all useful connections, good job
Not sure how the corporation designed the firewall system; it is simply bogus and useless, and is fragile by design. The design’s only function is to keep the network from being functional, not to make it a bit safer.
OpenBSD's inetd saga
FreeBSD’s and OpenBSD’s inetd are based on the same codebase. However, they have different features, and OpenBSD has some features that FreeBSD is lacking at present. For example, per-interface binding, etc.
Apache has issued yet another security advisory...
Just as I was about to go to sleep, I received a commit mail:
Call for help: Need a mail relay to route my mail to FreeBSD.org and other domains that need reverse resolvable IP address
I am looking for someone to provide me a mail relay. Please contact me if you have a mail server and it has a *reverse resolvable* IP address, and you are interested in helping me out to resolve this issue.