Date:      Tue, 5 Feb 2013 02:01:32 +0400 (MSK)
From:      Dmitry Morozovsky <marck@rinet.ru>
To:        Alexandr Kovalenko <never@nevermind.kiev.ua>
Cc:        freebsd-hubs@freebsd.org, freebsd-security@freebsd.org, Fabian Wenk <fabian@wenks.ch>
Subject:   Re: Full-Disclosure posting "FreeBSD 9.1 ftpd Remote Denial of Service"
Message-ID:  <alpine.BSF.2.00.1302050158130.36839@woozle.rinet.ru>
In-Reply-To: <CAJ2Kz1A-Q_if9ZSjA8DV85jLYWRE99jA-765=3AOkm%2Bbt6SOPg@mail.gmail.com>
References:  <510FE164.6070502@wenks.ch> <CAJ2Kz1A-Q_if9ZSjA8DV85jLYWRE99jA-765=3AOkm%2Bbt6SOPg@mail.gmail.com>

On Mon, 4 Feb 2013, Alexandr Kovalenko wrote:

> On Mon, Feb 4, 2013 at 6:27 PM, Fabian Wenk <fabian@wenks.ch> wrote:
> > A few days ago there was the posting "FreeBSD 9.1 ftpd Remote Denial of
> > Service" [1] on the Full-Disclosure mailing list. Is this a known issue to
> > the FreeBSD community?
> >
> >   [1]
> > http://lists.grok.org.uk/pipermail/full-disclosure/2013-February/089583.html
> >
> > There are also many ftp.*.freebsd.org mirrors listed in the above-mentioned
> > posting, so I also put freebsd-hubs@ into the recipient list. This will
> > probably help ensure that ftp mirror operators are alerted and can take action
> > if needed.
> 
> I can confirm this is an issue on stable/9 r245742. Though I can hardly
> call it a DoS, as normally the ftp account is running with well-defined
> ulimits and a proper ftpd usage pattern does not generate much CPU
> usage, so you can keep the limits pretty low, thus not being affected
> by the so-called "DoS".
> 
> Nevertheless any ideas on how to fix our glob(3)?

Not the global fix, but a workaround (kinda) for the current situation, via dadv:

Add to your /etc/login.conf

# every line of the record except the last must end in "\" so the record continues
ftp:\
    :priority=20:\
    :cputime=5:\
    :tc=default:

and rebuild your login.conf database via

cap_mkdb /etc/login.conf

Then, apply the newly created class to the anonymous ftp user:

pw usermod ftp -L ftp

This should not affect regular ftp consumers, as they hardly consume host
resources, but it will stop malicious anonymous users from eating your
CPU resources.

--

Sincerely,
D.Marck                                     [DM5020, MCK-RIPE, DM3-RIPN]
[ FreeBSD committer:                                 marck@FreeBSD.org ]
------------------------------------------------------------------------
*** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru ***
------------------------------------------------------------------------



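The workaround above as a script, added here as an example and not code from the thread or from FreeBSD: it appends the "ftp" class to a login.conf file only if no such record is present, reads the record back by joining its continuation lines (the way a cap database record is assembled), and reports whether the expected capabilities survived the join. The class name "ftp" and the values priority=20 and cputime=5 are taken from the post; everything else (function names, the normalization of whitespace and empty fields, the guard that only runs cap_mkdb(1) and pw(8) when they exist) is an assumption of this example. The check matters because a continuation line that lacks its trailing backslash silently ends the record, and any capability after it (here tc=default) is dropped.

```sh
#!/bin/sh
# Added example (not from the original thread or FreeBSD): apply the
# restricted "ftp" login class to a login.conf file and verify the record.

# Emit the login.conf stanza. Every line but the last ends in "\" so the
# record continues; a missing backslash ends the record early.
ftp_class_stanza() {
    printf '%s\n' \
        'ftp:\' \
        '    :priority=20:\' \
        '    :cputime=5:\' \
        '    :tc=default:'
}

# Append the stanza to the file given as $1 unless an "ftp:" record exists.
add_ftp_class() {
    conf=$1
    if grep -q '^ftp:' "$conf" 2>/dev/null; then
        echo "ftp class already present in $conf" >&2
        return 0
    fi
    ftp_class_stanza >> "$conf"
}

# Join the record for class $2 in file $1 into one capability string:
# strip leading whitespace and the trailing "\" of continuation lines,
# concatenate, and collapse the empty field left at each join.
# (Normalization chosen for this example, not a claim about cap_mkdb.)
login_conf_record() {
    conf=$1 cls=$2 rec='' in=0
    while IFS= read -r line || [ -n "$line" ]; do
        if [ "$in" -eq 0 ]; then
            case $line in
                "$cls:"*) in=1 ;;
                *) continue ;;
            esac
        fi
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case $line in
            *\\) rec="$rec${line%\\}" ;;      # continued on the next line
            *)   rec="$rec$line"; break ;;    # last line of the record
        esac
    done < "$conf"
    printf '%s\n' "$rec" | sed 's/::/:/g'
}

# Return 0 if the joined "ftp" record still carries all three capabilities.
check_ftp_class() {
    rec=$(login_conf_record "$1" ftp)
    case $rec in
        *:priority=*:cputime=*:tc=default:*) return 0 ;;
        *) echo "ftp record incomplete: $rec" >&2; return 1 ;;
    esac
}

# On a FreeBSD host, rebuild the cap database and put the anonymous ftp
# user in the class; elsewhere just report that the tools are missing.
activate_ftp_class() {
    conf=$1
    if command -v cap_mkdb >/dev/null 2>&1 && command -v pw >/dev/null 2>&1; then
        cap_mkdb "$conf" && pw usermod ftp -L ftp
    else
        echo "cap_mkdb/pw not available; skipping activation" >&2
        return 0
    fi
}

# Usage (as root on the mirror):
#   add_ftp_class /etc/login.conf && check_ftp_class /etc/login.conf \
#       && activate_ftp_class /etc/login.conf
```

Run check_ftp_class before cap_mkdb: the stanza as originally posted, with no backslash after the cputime line, joins to "ftp:priority=20:cputime=5:" and the check fails, which is the error the record is most likely to carry when copied by hand.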
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?alpine.BSF.2.00.1302050158130.36839>