From owner-freebsd-questions Mon May 14 0:54:24 2001 Delivered-To: freebsd-questions@freebsd.org Received: from mail.freebsd-corp-net-guide.com (mail.freebsd-corp-net-guide.com [206.29.169.15]) by hub.freebsd.org (Postfix) with ESMTP id 61C5137B42C for ; Mon, 14 May 2001 00:54:17 -0700 (PDT) (envelope-from tedm@toybox.placo.com) Received: from tedm.placo.com (nat-rtr.freebsd-corp-net-guide.com [206.29.168.154]) by mail.freebsd-corp-net-guide.com (8.11.1/8.11.1) with SMTP id f4E7r0k40182; Mon, 14 May 2001 00:53:01 -0700 (PDT) (envelope-from tedm@toybox.placo.com) From: "Ted Mittelstaedt" To: "John Baxter" Cc: "Dan Mahoney, System Admin" , "Kris Kennaway" , Subject: RE: onitoring named Date: Mon, 14 May 2001 00:52:58 -0700 Message-ID: <009201c0dc4a$e4ace2c0$1401a8c0@tedm.placo.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 In-Reply-To: <3AFF6511.E1A8B996@mmcable.com> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3155.0 Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG I happen to run (and no, I'm not going to tell you the IP number or what or where it is and no you can't discover it via querying my various published domains) a nameserver that is fairly busy and is running on ancient, archaic, holey bind code. Is it scheduled to be updated? Certainly. Have I gotten to it yet? No. Would I be that concerned if someone broke into the system _right now_? no, not particularly since there's nothing on that system that's valuable, and it happens to be one of several secondary DNS servers The point is, is that archaic, holey bind code has NOT "occassionally" died, with the regularity that Dan's has seemed to do. This nameserver is open to the public same as any other nameserver on the Internet and even since all the "chinese hacks" crap has been released I've been eagerly waiting to see it start going down or otherwise show evidence of lots of crack attacks - because this is what all the security facists have been telling the world. You might say that I'm keeping it running as a sort of a "canary in the coal mine", as bait to attract crackers. However, I have been very disappointed to note no real increase in trouble from this server. Sure every once in a few months it might go offline for no reason, but it was doing that long before any of these advisories came out. The conclusion I have drawn from this is that most of the stories of crashing nameservers do not, in fact, have anything to do with crack attacks, but rather with improper nameserver configuration, or bugs in the nameserver code itself. Sure, no doubt there has been a lot of nameservers cracked into, but I think that if you looked you would find a gigantic number - probably the majority still - of nameservers on the Internet are running archaic, holey code and I see no evidence that the Internet has melted down as a result. Before all the "chinese hacks" against bind were released, there were plenty of complaints out there by people saying their nameservers were crashing for no reason. These generally were answered on the appropriate mailing lists by rather dull and unexciting pointers like "look at this wrong setting you have or that wrong setting you have" and when people got those responses they buckled down to work and solved the problems. Today, the most commmon response I see to nameserver problems is "oh, your nameserver MUST have been hacked". This is an exciting, sexy answer that just about anyone can give. It requires no real understanding of DNS by either the giver or the receiver. I guess I'm just getting sick and tired of hearing it because my own experience is that most likely the problem is that the DNS server has, in fact, NOT been cracked, and that the problem is something more subtle. Ted Mittelstaedt tedm@toybox.placo.com Author of: The FreeBSD Corporate Networker's Guide Book website: http://www.freebsd-corp-net-guide.com >-----Original Message----- >From: owner-freebsd-questions@FreeBSD.ORG >[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of John Baxter >Sent: Sunday, May 13, 2001 9:55 PM >To: Ted Mittelstaedt >Cc: Dan Mahoney, System Admin; Kris Kennaway; questions@FreeBSD.ORG >Subject: Re: onitoring named > > >you should visit cert.org and search for 'lion worm'. >it is a chinese hack kit. > > > > >Ted Mittelstaedt wrote: >> >> You might check into the system ram that the named process is >> using for it's cache. You may be overflowing an internal table >> or so. What are your MAXUSERS set to in the kernel and do you >> have any other kernel variables defined? >> >> Ted Mittelstaedt tedm@toybox.placo.com >> Author of: The FreeBSD Corporate Networker's Guide >> Book website: http://www.freebsd-corp-net-guide.com >> >> >-----Original Message----- >> >From: owner-freebsd-questions@FreeBSD.ORG >> >[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Dan Mahoney, >> >System Admin >> >Sent: Saturday, May 12, 2001 9:49 AM >> >To: Kris Kennaway >> >Cc: questions@FreeBSD.ORG >> >Subject: Re: onitoring named >> > >> > >> >On Fri, 11 May 2001, Kris Kennaway wrote: >> > >> >> On Sat, May 12, 2001 at 01:17:56AM -0400, Dan Mahoney, System >> >Admin wrote: >> >> > Hi all. I noticed recently that I've had a high occurence of >> >named dying >> >> > on various machines. What would I put in a crontab to restart >> >it only if >> >> > it's not running? I'm not sure how to format the if statement. >> > >> >Okay, on a freeBSD 3.2-Release server I found an implementation of NDC >> >that was written as a (buggy, but easily fixed) shell script. I have >> >installed this on my 4.2 boxen as "shndc", and run it from a >crontab every >> >20 minutes. >> > >> >My nameservers are both very secure dedicated machines that, other than >> >webmin (boss's requirement) run nothing but DNS service. Occasionally I >> >see them die on signal 11, more often with no explanation at all. These >> >are the latest version, running in the most secure fashion I >can get info >> >on. (chrooted as an unprivileged user, with quotas). Has >anyone else had >> >problems with named dying? >> > >> >-Dan >> > >> >> >> >> Aren't you at all worried WHY they're dying? I bet you're running >> >> older versions than 8.2.3-RELEASE and you're suffering the effects of >> >> (attempted, possibly successful) root penetration. >> >> >> >> Kris >> >> >> > >> >-- >> > >> >I am now a lesbian. I don't like men, but thank you for writing. >> > >> >-Reply to my response to a personal ad, May 30th, 1998. >> > >> > >> >--------Dan Mahoney-------- >> >Techie, Sysadmin, WebGeek >> >Gushi on efnet/undernet IRC >> >ICQ: 13735144 AIM: LarpGM >> >Web: http://prime.gushi.org >> >finger danm@prime.gushi.org >> >for pgp public key and tel# >> >--------------------------- >> > >> > >> > >> >To Unsubscribe: send mail to majordomo@FreeBSD.org >> >with "unsubscribe freebsd-questions" in the body of the message >> > >> >> To Unsubscribe: send mail to majordomo@FreeBSD.org >> with "unsubscribe freebsd-questions" in the body of the message > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-questions" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message