> On Tue, Feb 19, 2013 at 10:49:42AM -0700, ninib...@worldd.org wrote:
>
>> I used IPA from the CentOS 6 repositories and I am having an issue I
>> can't seem to solve. I installed a server and a client with no
>> issues, but upon Nessus scans of the server, port 464 kpasswd UDP was
>> flagged for a ping-pong DoS attack. With this information I noticed
>> kpasswd also listens on TCP 464 which I understand was used for
>> over-sized requests and other errors. I attempted to IPTABLES block UDP
>> for kerberos which resulted in kpasswd no longer functioning from the
>> client. Kerberos authentication defaults to TCP without issue, but no
>> matter what I cannot get the client to use TCP for kpasswd. Is there a
>> way to force kpasswd on the client to use TCP (I was under the
>> understanding that if UDP failed TCP would be attempted). I am running
>> the latest from the CentOS 6 repos on both server and client. Thank
>> you!
>
> I just did a spot-check with udp port 464 set to REJECT on my server,
> with krb5-libs-1.9-33.el6_3.3. It looks like the client is getting an
> ECONNREFUSED after trying to use the UDP port, and then correctly
> falling back and opening a TCP connection.
>
> Do you have more information about what exactly happens when it fails?
> What does 'kpasswd' log when it's run with KRB5_TRACE set to /dev/stderr
> in its environment? Is anything logged to /var/log/kadmind.log on the
> server when you run 'kpasswd' on the client? Can you try it while using
> 'tcpdump -s0 -w cap -i any "port 464"' to capture traffic that's passed
> between the two?
>
> Nalin
>
/FACEPALM
So problem solved, I allowed all the necessary ports via IPTABLES, but left
the default REJECT rule in that comes by default to handle blocking the UDP
port for kpasswd. The default Reject rule in this case still answers with
prohibited instead of just a normal REJECT set for unreachable. Problem
solved. Thanks for pointing me somewhere =)
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
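Added example, not part of the thread and not FreeIPA or krb5 code: a small POSIX sh script that replays the firewall situation above against iptables-save style text. A new packet walks the INPUT chain and the first matching rule decides what the kpasswd client sees. The thread reports that an ICMP port-unreachable (ECONNREFUSED on the client, per Nalin's spot-check) makes the client fall back from UDP/464 to TCP/464, while the default catch-all REJECT that answers with icmp-host-prohibited does not. The rule sets, and the helper names rule_fate and add_udp_reject, are constructed for this example; nothing here touches a live firewall.

```shell
#!/bin/sh
# Added example (not from the thread): classify what a new packet gets from
# an iptables INPUT chain, and show the fix the poster ended up with: an
# explicit REJECT for UDP/464 that answers port-unreachable, placed before
# the catch-all "-j REJECT --reject-with icmp-host-prohibited".

# Constructed: the poster's rule set. TCP/464 is allowed, UDP/464 is left to
# the catch-all REJECT at the bottom (CentOS 6 default shape).
RULES_BEFORE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# rule_fate RULES PROTO PORT
# Prints what a new PROTO packet to PORT, arriving on a non-loopback
# interface, gets from INPUT: accept, drop, port-unreachable (client sees
# ECONNREFUSED and falls back to TCP), prohibited (no fallback, as in the
# thread) or rejected-other.
rule_fate() {
  printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
    /^:INPUT / { policy = tolower($2) }           # chain default policy
    /^-A INPUT / {
      if ($0 ~ /-i lo/) next                        # loopback only
      if ($0 ~ /--state ESTABLISHED,RELATED/) next  # not a new flow
      if (match($0, /-p [a-z]+/) &&
          substr($0, RSTART + 3, RLENGTH - 3) != proto) next
      if (match($0, /--dport [0-9]+/) &&
          substr($0, RSTART + 8, RLENGTH - 8) != port) next
      done = 1                                      # first match decides
      if ($0 ~ /-j ACCEPT/) { print "accept"; exit }
      if ($0 ~ /-j DROP/)   { print "drop"; exit }
      if ($0 ~ /-j REJECT/) {
        # REJECT without --reject-with defaults to icmp-port-unreachable
        if ($0 !~ /--reject-with/ || $0 ~ /icmp-port-unreachable/)
          print "port-unreachable"
        else if ($0 ~ /prohibited/)
          print "prohibited"
        else
          print "rejected-other"
        exit
      }
      done = 0                                      # e.g. -j LOG, keep walking
    }
    END { if (!done) print (policy == "drop" ? "drop" : "accept") }'
}

# add_udp_reject RULES PORT
# Insert an explicit REJECT for UDP/PORT that answers port-unreachable,
# just before the first catch-all REJECT in INPUT.
add_udp_reject() {
  printf '%s\n' "$1" | awk -v port="$2" '
    !inserted && /^-A INPUT -j REJECT/ {
      print "-A INPUT -p udp --dport " port " -j REJECT --reject-with icmp-port-unreachable"
      inserted = 1
    }
    { print }'
}

RULES_AFTER=$(add_udp_reject "$RULES_BEFORE" 464)

# Stand-alone run: what the kpasswd client would see before and after the fix.
echo "before: udp/464 -> $(rule_fate "$RULES_BEFORE" udp 464), tcp/464 -> $(rule_fate "$RULES_BEFORE" tcp 464)"
echo "after:  udp/464 -> $(rule_fate "$RULES_AFTER" udp 464), tcp/464 -> $(rule_fate "$RULES_AFTER" tcp 464)"
```

On a real host the check is the one Nalin suggested: run kpasswd on the client with KRB5_TRACE=/dev/stderr and watch tcpdump on port 464 to confirm the UDP attempt is answered with ICMP port-unreachable and a TCP connection follows.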