Date: Tue, 5 Feb 2013 02:01:32 +0400 (MSK)
From: Dmitry Morozovsky
To: Alexandr Kovalenko
Cc: freebsd-hubs@freebsd.org, freebsd-security@freebsd.org, Fabian Wenk
Subject: Re: Full-Disclosure posting "FreeBSD 9.1 ftpd Remote Denial of Service"
References: <510FE164.6070502@wenks.ch>

On Mon, 4 Feb 2013, Alexandr Kovalenko wrote:

> On Mon, Feb 4, 2013 at 6:27 PM, Fabian Wenk wrote:
> > A few days ago there was the posting "FreeBSD 9.1 ftpd Remote Denial of
> > Service" [1] on the Full-Disclosure mailing list. Is this a known issue to
> > the FreeBSD community?
> >
> > [1]
> > http://lists.grok.org.uk/pipermail/full-disclosure/2013-February/089583.html
> >
> > There are also many ftp.*.freebsd.org mirrors listed in the above mentioned
> > posting, so I also put freebsd-hubs@ into the recipient list. This will
> > probably help, that ftp mirror operators are alerted and can take any action
> > if needed.
>
> I can confirm this is an issue on stable/9 r245742. Though I hardly
> can call it DoS as normally ftp account is running with well-defined
> ulimits and proper ftpd usage pattern does not generate much CPU
> usage, so you can keep limits pretty much low, thus not being affected
> by so-called "DoS".
>
> Nevertheless any ideas on how to fix our glob(3)?

Not the global fix, but workaround (kinda) for current situation, via dadv:

Add to your /etc/login.conf

    ftp:\
        :priority=20:\
        :cputime=5:\
        :tc=default:

and rebuild your login.conf database via

    cap_mkdb /etc/login.conf

Then, apply the newly created class to the anonymous ftp user:

    pw usermod ftp -L ftp

This should not affect regular ftp consumers, as they hardly consume the
host's resources, but will stop malicious anonymous users from eating your
CPU resources.

-- 
Sincerely,
D.Marck                                     [DM5020, MCK-RIPE, DM3-RIPN]
[ FreeBSD committer:                                 marck@FreeBSD.org ]
------------------------------------------------------------------------
*** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru ***
------------------------------------------------------------------------
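Added example, not part of the original message: a /bin/sh audit a mirror operator could run to confirm that the login-class workaround above is really in place (the user is in a class, the class carries `cputime`, and `cap_mkdb` was rerun after the last edit). The function names `class_cap` and `audit` are hypothetical, file paths are passed as arguments, and `tc=` inheritance is not followed.

```shell
#!/bin/sh
# Added example, not from the original message.

# class_cap FILE CLASS CAP: print CAP's value for CLASS in a login.conf-format
# file. Backslash-continued lines are joined first, so a capability stranded
# after a line that lost its trailing "\" is not credited to the class.
class_cap() {
    awk -v class="$2" -v cap="$3" '
        /^[ \t]*#/ { next }                              # comment line
        { rec = rec $0 }
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, "", rec); next }  # continued record
        {
            n = split(rec, f, ":"); rec = ""
            m = split(f[1], names, "|"); hit = 0
            for (i = 1; i <= m; i++) if (names[i] == class) hit = 1
            if (!hit) next
            for (i = 2; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", f[i])
                if (index(f[i], cap "=") == 1) {
                    print substr(f[i], length(cap) + 2); exit
                }
            }
        }' "$1"
}

# audit LOGIN_CONF PASSWD_LINE: PASSWD_LINE is the master.passwd-format record
# of the anonymous FTP user (field 5 is the login class).
audit() {
    cls=$(printf '%s\n' "$2" | cut -d: -f5)
    [ -n "$cls" ] || { echo "FAIL: user has no login class"; return 1; }
    cpu=$(class_cap "$1" "$cls" cputime)
    [ -n "$cpu" ] || { echo "FAIL: class $cls sets no cputime"; return 1; }
    # A .db older than the text file means cap_mkdb was not rerun after the edit.
    if [ -e "$1.db" ] && [ "$1" -nt "$1.db" ]; then
        echo "FAIL: $1.db is stale, run cap_mkdb $1"; return 1
    fi
    echo "OK: class=$cls cputime=$cpu"
}

# Run only when both arguments are supplied.
[ $# -lt 2 ] || audit "$1" "$2"
```

On a FreeBSD host, run it as root with `/etc/login.conf` and the output of `pw usershow ftp` as the two arguments.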