On 19.2.2013 23:29, ninib...@worldd.org wrote:
 >
 >
 >
 >> On Tue, Feb 19, 2013 at 10:49:42AM -0700, ninib...@worldd.org
 > wrote:
 >
 >>> I used IPA from the CentOS 6 repositories and I am having an
 > issue I
 >
 >>> can't seem to solve. ?I installed a server and a client with
 > no
 >
 >>> issues, but upon Nessus scans of the server, port 464 kpasswd UDP
 > was
 >
 >>> flagged for a ping-pong DoS attack. ?With this information I
 > noticed
 >
 >>> kpasswd also listens on TCP 464 which I understand was used
 > for
 >
 >>> over-sized
 >
 >>> requests and other errors. ?I attempted to IPTABLES block UDP
 > for
 >
 >>> kerberos which resulted in kpasswd no longer functioning from
 > the
 >
 >>> client.
 >
 >>> ?Kerberos authentication defaults to TCP without issue, but no
 > matter
 >
 >>> what i cannot get the client to use TCP for kpasswd. ?Is there a
 > way
 >
 >>> to force kpasswd on the client to use TCP (i was under the
 > understanding
 >
 >>> that if UDP failed TCP would be attempted). ?I am running the
 > latest
 >
 >>> from the CentOS 6 repo's on both server and client. ?Thank
 > you!
 >
 >>
 >
 >> I just did a spot-check with udp port 464 set to REJECT on my
 > server,
 >
 >> with krb5-libs-1.9-33.el6_3.3. It looks like the client is getting
 > an
 >
 >> ECONNREFUSED after trying to use the UDP port, and then correctly
 >
 >> falling back and opening a TCP connection.
 >
 >>
 >
 >> Do you have more information about what exactly happens when it
 > fails?
 >
 >> What does 'kpasswd' log when it's run with KRB5_TRACE set to
 > /dev/stderr
 >
 >> in its environment? Is anything logged to /var/log/kadmind.log on
 > the
 >
 >> server when you run 'kpasswd' on the client? Can you try it while
 > using
 >
 >> 'tcpdump -s0 -w cap -i any "port 464"' to capture traffic
 > that's passed
 >
 >> between the two?
 >
 >>
 >
 >> Nalin
 >
 >>
 > �
 > /FACEPALM
 > So problem solved, I allowed all
 > the necessary ports via IPTABLES, but left the default REJECT rule in that
 > comes by default to handle blocking the UDP port for kpasswd. �The
 > default Reject rule in this case still answers with prohibited instead of
 > just a normal REJECT set for unreachable. �Problem solved.
 > �Thanks for pointing me somewhere =)
 >
Actually i'd like to take that back now, it works fine when running kpasswd,
but if user password is expired when SSH to client, during the reset it only
tried UDP same if issuing passwd command as well.


I would recommend to completely remove SRV records for kpasswd over UDP (in case you blocked kpasswd over UDP for all clients).

# ipa dnsrecord-del example.com _kpasswd._udp

This should prevent clients from even trying UDP.

Don't forget to DNS amplification attacks if you are paranoid :-)

--
Petr^2 Spacek

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to