Re: [DNG] Security problem
On 2019-10-14 01:01, tom wrote:
> Why in God's name does a centralized instant messenger require root
> privileges on your machine?

Signal uses the Electron framework for running in a sandbox. Electron uses the Linux user namespaces feature for building the sandbox, but this seems to be disabled in most distros. So they are using a setuid helper as a workaround. See here:

https://github.com/electron/electron/issues/17972

But I don't want to install setuid apps from untrusted sources.

Jochen

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s
Hi Stefan,

>> first of all, your machine seems to be the dns server, or you have
>> static ips assigned?
>
> Yes, unbound DNS resolver is running on this machine. No static IPs.

You have a public dynamic IP, I assume. So you are in the domain 'dynamic.kabel-deutschland.de', but by what I see, that domain is a /24 or not??

you:
FQDN: ip5b418cfe.dynamic.kabel-deutschland.de
IP: 91.65.138.120/24

Someone else:
FQDN: ip5b418c91.dynamic.kabel-deutschland.de
IP: 91.65.140.145 /24??

Something strange, you have 2 different *public* networks in the same domain?

Another thing.. Are you trying to have 2 machines connected with a foreign dynamic dns service, ex: like 'https://www.noip.com/free' ?

> $ sudo tcpdump
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on net0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 09:25:00.272473 ARP, Request who-has ip5b418c91.dynamic.kabel-deutschland.de tell ip5b418cfe.dynamic.kabel-deutschland.de, length 46

Who is 'ip5b418c91.dynamic.kabel-deutschland.de'?? Is it another machine of yours? Do a:

arping 91.65.140.145

Check the mac address, compare with any one of yours..

> $ nslookup ip5b418c91.dynamic.kabel-deutschland.de
> Address: 91.65.140.145

It's a different network than yours but they have exactly the same domain.. weird?? What is the dns server that responds to that request? Should be: '83.169.184.33'

> AIUI I have a ARP cache with one entry for the standard gateway of my
> ISP. See my original post. Is this normal or should there be more
> entries?

Any ip address of your network should be there (192.168.19.2, 192.168.19.3 ??), but if none contacted then it's ok..

> Are you saying running a local DNS resolver daemon like unbound is a
> security risk? And that the seemingly increased ARP traffic could be
> a symptom of this machine being hacked?

No, I don't even know what 'unbound' is..

But if you are using an external service, depending on the type of external dynamic dns service, yes. I already was, some 15 years ago, using 'https://www.noip.com/free', and I already saw tons of cases like mine out there (they don't offer you a dynamic dns service for free... free for them means your information is sold in the black market... they need to make money.. no one offers free services..). But that doesn't mean you are the case here.. (I don't even know what the domain 'dynamic.kabel-deutschland.de' is..)

Your machine is acting as a DNS cache server for the network 192.168.19.0/24, for what it seems..

--
Best Regards,
tux
Re: [DNG] Security problem
On Mon, 30 Sep 2019 19:46:28 +0200
Gonzalo Pérez de Olaguer Córdoba wrote:

> Hi, Jochen.
>
> On Mon, 30 Sep 2019 19:29:34 +0200
> "J. Fahrner via Dng" wrote:
>
>> I just came across a security problem. The application
>> signal-desktop could not be started anymore because a file from the
>> electron framework did not set a setuid bit
>> (https://github.com/signalapp/Signal-Desktop/issues/3536).
>> For the sandbox feature this obviously needs root privileges.
>> It creeps me out when an application from an untrusted source
>> installs programs with root privileges without me even noticing it.
>> How can I protect myself against this? Is there a way to check
>> Debian packages for a setuid bit set, e.g. in the post-install
>> script?
>
> See the manpage for dpkg-statoverride(1)
> and the file /var/lib/dpkg/statoverride
>
> Cheers.
>

Why in God's name does a centralized instant messenger require root privileges on your machine?
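As an added example (not code from the thread, from Debian or from Signal), here is a small Python audit that answers Jochen's question two ways: it looks at the files a package owns for setuid/setgid bits already on disk, and it scans the package's postinst for chmod or dpkg-statoverride lines that would grant them, then lists matching entries from `dpkg-statoverride --list`. The dpkg calls assume a Debian-family host; DEMO_POSTINST and its /opt/example paths are constructed placeholders, not Signal's real file names.

```python
"""Report setuid/setgid files a Debian package installed, plus any chmod or
dpkg-statoverride line in its postinst that would grant those bits.

Added example for the thread; not Debian's, Signal's or any poster's code.
Assumes a Debian-family host for the dpkg calls. DEMO_POSTINST is constructed.
"""
import os
import re
import stat
import subprocess
import sys

# Maintainer-script lines that hand a file setuid/setgid at install time:
# a dpkg-statoverride registration, or chmod with +s / a mode of 2xxx..7xxx.
SETUID_RE = re.compile(r"dpkg-statoverride|chmod\s+(?:[ugoa]*\+s|0*[2-7][0-7]{3}\b)")


def special_bits(mode: int) -> list:
    """Names of the privilege bits set in a st_mode value."""
    bits = []
    if mode & stat.S_ISUID:
        bits.append("setuid")
    if mode & stat.S_ISGID:
        bits.append("setgid")
    return bits


def find_privileged(paths) -> dict:
    """Map each regular file in `paths` carrying setuid/setgid to its bits.
    Missing paths, directories and symlinks are skipped (lstat, no following)."""
    found = {}
    for p in paths:
        try:
            st = os.lstat(p)
        except OSError:
            continue
        if stat.S_ISREG(st.st_mode):
            bits = special_bits(st.st_mode)
            if bits:
                found[p] = bits
    return found


def postinst_setuid_lines(text: str) -> list:
    """Lines of a maintainer script that set or register setuid/setgid modes."""
    return [ln.strip() for ln in text.splitlines() if SETUID_RE.search(ln)]


def audit_package(pkg: str) -> dict:
    """On-disk bits, postinst hits and statoverride entries for one package."""
    files = subprocess.run(["dpkg", "-L", pkg], capture_output=True,
                           text=True, check=True).stdout.splitlines()
    try:
        with open(f"/var/lib/dpkg/info/{pkg}.postinst") as fh:
            script_hits = postinst_setuid_lines(fh.read())
    except OSError:
        script_hits = []  # package ships no postinst
    overrides = subprocess.run(["dpkg-statoverride", "--list"],
                               capture_output=True, text=True).stdout.splitlines()
    # statoverride lines end with the path: "<user> <group> <mode> <path>"
    owned = [ln for ln in overrides if any(ln.endswith(" " + f) for f in files)]
    return {"files": find_privileged(files), "postinst": script_hits,
            "statoverride": owned}


# Constructed postinst fragment; the /opt/example paths are placeholders.
DEMO_POSTINST = """#!/bin/sh
set -e
chmod 0755 /opt/example/bin/app
chmod 4755 /opt/example/sandbox-helper
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for key, value in audit_package(sys.argv[1]).items():
            print(f"{key}: {value}")
    else:
        print("demo postinst hits:", postinst_setuid_lines(DEMO_POSTINST))
```

Run it as `python3 audit.py signal-desktop` on the affected machine; with no argument it only exercises the constructed postinst. A postinst hit with no matching statoverride entry is the case Gonzalo's pointer is about: the bit was set with a plain chmod, so dpkg will not preserve it and nothing records that it was granted.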
Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s
On 13 October 2019 18:24:54 JST, "Dr. Nikolaus Klepp" wrote:
> Anno Domini 2019 Sun, 13 Oct 10:47:30 +0200 Stefan Krusche wrote:
>> On Sunday, 13 October 2019, Dr. Nikolaus Klepp wrote:
>>> There is some misunderstanding: The ARP package has nothing to do
>>> with DNS.
>>
>> That's what I've been thinking and why I asked.
>>
>>> It basically links MAC to IP - and you can do funny things
>>> with it.
>>
>> Okay, I still can't seem to connect the dots…
>>
>>> tcpdump just makes the name resolution for you, use "tcpdump
>>> -n" to go without it. e.g.:
>>>
>>> # tcpdump -n
>>> 10:28:14.675930 ARP, Request who-has 192.168.1.190 tell 192.168.1.1, length 28
>>> 10:28:14.675980 ARP, Reply 192.168.1.190 is-at 00:1b:77:53:6c:43, length 28
>>
>> Alright. What attracts my attention is that here length is 28, just
>> like the ARP message format is explained on the site you recommended,
>> where it is 46 on my machine:
>>
>> $ sudo tcpdump -n
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on net0, link-type EN10MB (Ethernet), capture size 262144 bytes
>> 10:34:53.070420 ARP, Request who-has 91.65.142.159 tell 91.65.142.254, length 46
>> 10:34:53.071792 ARP, Request who-has 90.187.99.84 tell 90.187.99.86, length 46
>>
>> Is this relevant in any way related to exaggerated ARP requests?
>
> My ARP comes from wifi, yours is ethernet. 28 Bytes is the ARP packet
> size, but it's padded for the ethernet minimum frame:
> https://www.quora.com/Why-are-46-byte-packets-used-in-Ethernet
>
> You can ask tcpdump to give you a hex dump of the packets and
> investigate:
> # tcpdump -nx
>
> 11:24:25.760914 ARP, Request who-has 192.168.1.190 tell 192.168.1.1, length 28
>         0x0000:  0001 0800 0604 0001 c493 0007 4ca5 c0a8
>         0x0010:  0101 c0a8 01be
> 11:24:25.760962 ARP, Reply 192.168.1.190 is-at 00:1b:77:53:6c:43, length 28
>         0x0000:  0001 0800 0604 0002 001b 7753 6c43 c0a8
>         0x0010:  01be c493 0007 4ca5 c0a8 0101
>
>>> arp cache should only have as many entries as other mac addresses are
>>> active in your part of the lan. If you are alone on your router, then
>>> it's just your router's mac in the cache.
>>
>> This seems to be the case (see OP).
>>
>> Thank you, Nik.
>>
>> Stefan
>
> --
> Please do not email me anything that you are not comfortable also
> sharing with the NSA, CIA ...

Hi,

If this is really an outgoing arp request, maybe your default route is not properly configured. Like you have no next-hop address, only an outgoing interface as a default route:

ip route default dev en0

instead of

ip route default via 91.sm.th.ing dev en0

In that case, your host thinks every host is attached to it, and therefore arps for each host.

I said "if" because what you showed didn't seem to be coming from your host. Can you verify that all the arp requests are from your host? i.e. the outgoing interface, en0 if I understood properly (the interface with a public ip address).

hth
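The misconfiguration described above, checked programmatically (an added example, not the poster's code): it parses the text that `ip route show` prints on Linux and flags a default route that names only a device and no `via` next hop. The sample tables and the 192.0.2.x addresses are constructed; the interface name en0 follows the reply.

```python
"""Detect a default route with no next hop (`default dev X` without `via`).

Added example for the thread, not any poster's code. Parses iproute2's
`ip route show` text; SAMPLE_BAD / SAMPLE_GOOD are constructed, with
192.0.2.x documentation addresses in place of the real ISP gateway.
"""
import subprocess

# Keywords in `ip route` output that carry a value in the following token.
VALUED = {"via", "dev", "proto", "scope", "src", "metric", "table", "mtu"}


def parse_route(line: str) -> dict:
    """One `ip route` line -> {dst, via?, dev?, ...}; bare words go under 'flags'."""
    tokens = line.split()
    if not tokens:
        return {}
    route = {"dst": tokens[0], "flags": []}
    i = 1
    while i < len(tokens):
        if tokens[i] in VALUED and i + 1 < len(tokens):
            route[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            route["flags"].append(tokens[i])  # e.g. "onlink", "linkdown"
            i += 1
    return route


def onlink_default_routes(route_text: str) -> list:
    """Default routes that give only an interface. With such a route the kernel
    treats every destination as directly attached and ARPs for each one,
    which is the constant outgoing ARP traffic the thread is about."""
    return [r for r in map(parse_route, route_text.splitlines())
            if r.get("dst") == "default" and "via" not in r]


def live_routing_table() -> str:
    """This host's table, or '' where `ip` is unavailable (non-Linux host)."""
    try:
        return subprocess.run(["ip", "route", "show"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return ""


# Constructed samples: the broken shape from the reply, and the correct one.
SAMPLE_BAD = """default dev en0 scope link
192.0.2.0/24 dev en0 proto kernel scope link src 192.0.2.10
"""
SAMPLE_GOOD = """default via 192.0.2.1 dev en0
192.0.2.0/24 dev en0 proto kernel scope link src 192.0.2.10
"""

if __name__ == "__main__":
    for label, text in (("constructed bad", SAMPLE_BAD),
                        ("constructed good", SAMPLE_GOOD),
                        ("this host", live_routing_table())):
        if not text:
            print(f"{label}: routing table unavailable")
            continue
        bad = onlink_default_routes(text)
        print(f"{label}: " + (f"interface-only default route on {bad[0].get('dev')}"
                              if bad else "default route has a next hop"))
```

If the check fires on the real machine, `ip neigh show` on the same interface will be full of entries in FAILED or INCOMPLETE state for public addresses, which is the other visible symptom of the same mistake.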
Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s
Anno Domini 2019 Sun, 13 Oct 10:47:30 +0200 Stefan Krusche wrote:
> On Sunday, 13 October 2019, Dr. Nikolaus Klepp wrote:
>> There is some misunderstanding: The ARP package has nothing to do
>> with DNS.
>
> That's what I've been thinking and why I asked.
>
>> It basically links MAC to IP - and you can do funny things
>> with it.
>
> Okay, I still can't seem to connect the dots…
>
>> tcpdump just makes the name resolution for you, use "tcpdump
>> -n" to go without it. e.g.:
>>
>> # tcpdump -n
>> 10:28:14.675930 ARP, Request who-has 192.168.1.190 tell 192.168.1.1, length 28
>> 10:28:14.675980 ARP, Reply 192.168.1.190 is-at 00:1b:77:53:6c:43, length 28
>
> Alright. What attracts my attention is that here length is 28, just
> like the ARP message format is explained on the site you recommended,
> where it is 46 on my machine:
>
> $ sudo tcpdump -n
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on net0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 10:34:53.070420 ARP, Request who-has 91.65.142.159 tell 91.65.142.254, length 46
> 10:34:53.071792 ARP, Request who-has 90.187.99.84 tell 90.187.99.86, length 46
>
> Is this relevant in any way related to exaggerated ARP requests?

My ARP comes from wifi, yours is ethernet. 28 Bytes is the ARP packet size, but it's padded for the ethernet minimum frame:
https://www.quora.com/Why-are-46-byte-packets-used-in-Ethernet

You can ask tcpdump to give you a hex dump of the packets and investigate:

# tcpdump -nx
11:24:25.760914 ARP, Request who-has 192.168.1.190 tell 192.168.1.1, length 28
        0x0000:  0001 0800 0604 0001 c493 0007 4ca5 c0a8
        0x0010:  0101 c0a8 01be
11:24:25.760962 ARP, Reply 192.168.1.190 is-at 00:1b:77:53:6c:43, length 28
        0x0000:  0001 0800 0604 0002 001b 7753 6c43 c0a8
        0x0010:  01be c493 0007 4ca5 c0a8 0101

>> arp cache should only have as many entries as other mac addresses are
>> active in your part of the lan. If you are alone on your router, then
>> it's just your router's mac in the cache.
>
> This seems to be the case (see OP).
>
> Thank you, Nik.
>
> Stefan

--
Please do not email me anything that you are not comfortable also
sharing with the NSA, CIA ...
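To make the hex dump concrete, an added example (not Nik's code) that decodes the 28-byte ARP packet with Python's struct module. The reply bytes are the ones in the dump above; the request is rebuilt from the fields tcpdump printed for it (the archived dump of the request is short of the target-MAC bytes), and is then padded the way an Ethernet NIC would pad it, which is where Stefan's "length 46" comes from. The tally at the end is the check the thread keeps circling back to: which sender address is generating the requests.

```python
"""Decode raw Ethernet/IPv4 ARP packets and tally who sends the requests.

Added example for the thread, not Nik's or tcpdump's code. REPLY holds the
bytes from the `tcpdump -nx` dump in the mail; REQUEST is constructed from
the request line in the same dump.
"""
import struct
from collections import Counter
from ipaddress import IPv4Address

ARP_LEN = 28          # fixed size of an ARP packet for Ethernet MACs and IPv4
ETH_MIN_PAYLOAD = 46  # 64-byte minimum frame minus 14-byte header and 4-byte FCS
ARP_FMT = "!HHBBH6s4s6s4s"
OPCODES = {1: "request", 2: "reply"}


def parse_arp(data: bytes) -> dict:
    """Decode one ARP packet; trailing bytes beyond 28 are reported as padding."""
    if len(data) < ARP_LEN:
        raise ValueError(f"need {ARP_LEN} bytes of ARP payload, got {len(data)}")
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(
        ARP_FMT, data[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {
        "op": OPCODES.get(op, f"op{op}"),
        "sender_mac": smac.hex(":"),
        "sender_ip": str(IPv4Address(sip)),
        "target_mac": tmac.hex(":"),
        "target_ip": str(IPv4Address(tip)),
        "padding": len(data) - ARP_LEN,
    }


def build_arp(op: int, smac: str, sip: str, tmac: str, tip: str) -> bytes:
    """Assemble a 28-byte ARP packet from its fields (inverse of parse_arp)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       bytes.fromhex(smac.replace(":", "")), IPv4Address(sip).packed,
                       bytes.fromhex(tmac.replace(":", "")), IPv4Address(tip).packed)


def ethernet_padding(arp_len: int = ARP_LEN) -> int:
    """Bytes a NIC appends so the Ethernet payload reaches its 46-byte minimum."""
    return max(0, ETH_MIN_PAYLOAD - arp_len)


def tally_request_senders(packets) -> Counter:
    """Count ARP requests per (sender IP, sender MAC): the chatty host floats to the top."""
    counts = Counter()
    for pkt in packets:
        info = parse_arp(pkt)
        if info["op"] == "request":
            counts[(info["sender_ip"], info["sender_mac"])] += 1
    return counts


# From the mail's dump: "ARP, Reply 192.168.1.190 is-at 00:1b:77:53:6c:43, length 28"
REPLY = bytes.fromhex("0001 0800 0604 0002 001b 7753 6c43 c0a8"
                      "01be c493 0007 4ca5 c0a8 0101")
# Constructed to match "Request who-has 192.168.1.190 tell 192.168.1.1": a request
# carries an all-zero target MAC, since that is the value being asked for.
REQUEST = build_arp(1, "c4:93:00:07:4c:a5", "192.168.1.1",
                    "00:00:00:00:00:00", "192.168.1.190")
# The same request as a wired capture sees it, padded to 46 bytes.
REQUEST_PADDED = REQUEST + b"\x00" * ethernet_padding(len(REQUEST))

if __name__ == "__main__":
    for pkt in (REQUEST_PADDED, REPLY):
        print(parse_arp(pkt))
    print(f"ARP payload {ARP_LEN} bytes, padded by {ethernet_padding()} to {ETH_MIN_PAYLOAD}")
    print(tally_request_senders([REQUEST, REQUEST_PADDED, REPLY]))
```

Fed with the bytes from a real `tcpdump -w` capture (strip the 14-byte Ethernet header first), the same tally separates requests the machine itself sends from those it merely overhears on the segment, which is the distinction the thread could not settle from the name-resolved output alone.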
Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s
On Sunday, 13 October 2019, Dr. Nikolaus Klepp wrote:
> There is some misunderstanding: The ARP package has nothing to do
> with DNS.

That's what I've been thinking and why I asked.

> It basically links MAC to IP - and you can do funny things
> with it.

Okay, I still can't seem to connect the dots…

> tcpdump just makes the name resolution for you, use "tcpdump
> -n" to go without it. e.g.:
>
> # tcpdump -n
> 10:28:14.675930 ARP, Request who-has 192.168.1.190 tell 192.168.1.1, length 28
> 10:28:14.675980 ARP, Reply 192.168.1.190 is-at 00:1b:77:53:6c:43, length 28

Alright. What attracts my attention is that here length is 28, just like the ARP message format is explained on the site you recommended, where it is 46 on my machine:

$ sudo tcpdump -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on net0, link-type EN10MB (Ethernet), capture size 262144 bytes
10:34:53.070420 ARP, Request who-has 91.65.142.159 tell 91.65.142.254, length 46
10:34:53.071792 ARP, Request who-has 90.187.99.84 tell 90.187.99.86, length 46

Is this relevant in any way related to exaggerated ARP requests?

> arp cache should only have as many entries as other mac addresses are
> active in your part of the lan. If you are alone on your router, then
> it's just your router's mac in the cache.

This seems to be the case (see OP).

Thank you, Nik.

Stefan
Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s
Anno Domini 2019 Sun, 13 Oct 10:13:31 +0200 Stefan Krusche wrote:
> Hello Tux,
>
> thanks for your reply.
>
> "s@po" wrote on 12.10.2019 20:10:
>>> Why would my machine send these requests?
>>
>> first of all, your machine seems to be the dns server, or you have
>> static ips assigned?
>
> Yes, unbound DNS resolver is running on this machine. No static IPs.
>
>> # cat /etc/{hosts,resolv.conf,nsswitch.conf,network/interfaces}
>
> I have a huge /etc/hosts file for blocking purposes. There are a
> handful of lines for IPs to the LAN like this which are not in use,
> i.e. I have no LAN, only a laptop rarely connected to this machine:
>
> $ head /etc/hosts
> 127.0.0.1       localhost
> 127.0.1.1       rubians
> 192.168.19.1    rubians
> 192.168.19.2    rubiana
> 192.168.19.3    rubiano
>
> $ cat /etc/resolv.conf
> nameserver 127.0.0.1      # this is for unbound on localhost
> nameserver 83.169.184.33  # ISP's name server
> nameserver 83.169.184.97  # ISP's name server
>
> $ ifconfig -a
> lan0: flags=4099  mtu 1500
>         inet 192.168.19.1  netmask 255.255.255.0  broadcast 192.168.19.255
>         ether 00:21:85:02:91:b8  txqueuelen 1000  (Ethernet)
>         RX packets 0  bytes 0 (0.0 B)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 0  bytes 0 (0.0 B)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>
> net0: flags=4163  mtu 1500
>         inet 91.65.138.120  netmask 255.255.255.0  broadcast 91.65.138.255
>         inet6 fe80::20e:2eff:fe09:19d2  prefixlen 64  scopeid 0x20
>         ether 00:0e:2e:09:19:d2  txqueuelen 1000  (Ethernet)
>         RX packets 544261  bytes 36150630 (34.4 MiB)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 9509  bytes 923017 (901.3 KiB)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>
>> Then, find the processes that are running with open sockets..
>> Check which ones are running, and verify why..
>> # lsof -nP -i4tcp@{91.65.141.104,91.65.139.36,91.65.138.152}
>
> $ sudo tcpdump
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on net0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 09:25:00.272473 ARP, Request who-has ip5b418c91.dynamic.kabel-deutschland.de tell ip5b418cfe.dynamic.kabel-deutschland.de, length 46
>
> $ nslookup ip5b418c91.dynamic.kabel-deutschland.de
> Address: 91.65.140.145
>
> $ lsof -nP -i4tcp@91.65.140.145
> $ echo $?
> 1
>
> Well, I can't seem to catch one - maybe I am too slow because the
> connections are too short-lived?!
>
> $ lsof -nP -i4tcp
> COMMAND    PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> unbound   2924 unbound    6u  IPv4  15462      0t0  TCP 127.0.0.1:53 (LISTEN)
> unbound   2924 unbound   10u  IPv4  15466      0t0  TCP 127.0.0.1:53 (LISTEN)
> unbound   2924 unbound   12u  IPv4  15468      0t0  TCP 127.0.0.1:8953 (LISTEN)
> tdeio_ima 3906  stekru    8u  IPv4  19808      0t0  TCP 91.65.138.120:60214->130.133.4.100:143 (ESTABLISHED)
> dictd     4888   dictd   37u  IPv4  45627      0t0  TCP 127.0.0.1:2628 (LISTEN)
>
>> If that is a desktop machine, you should have a dns server somewhere
>> in the network.. It could be that you have no arp cache, and it is
>> requesting every time..
>
> AIUI I have an ARP cache with one entry for the standard gateway of my
> ISP. See my original post. Is this normal or should there be more
> entries?
>
>> Having dynamic dns services also doesn't help
>> much to your security, since they are one of the major risks breaking
>> into computers.. And you seem to have configured some dynamic dns
>> services..
>
> Are you saying running a local DNS resolver daemon like unbound is a
> security risk? And that the seemingly increased ARP traffic could be
> a symptom of this machine being hacked?

There is some misunderstanding: The ARP package has nothing to do with DNS. It basically links MAC to IP - and you can do funny things with it. tcpdump just makes the name resolution for you, use "tcpdump -n" to go without it. e.g.:

# tcpdump -n
10:28:14.675930 ARP, Request who-has 192.168.1.190 tell 192.168.1.1, length 28
10:28:14.675980 ARP, Reply 192.168.1.190 is-at 00:1b:77:53:6c:43, length 28

arp cache should only have as many entries as other mac addresses are active in your part of the lan. If you are alone on your router, then it's just your router's mac in the cache.

nik

> Kind regards,
> Stefan

--
Please do not email me anything that you are not comfortable also
sharing with the NSA, CIA ...
Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s
Hello Tux,

thanks for your reply.

"s@po" wrote on 12.10.2019 20:10:
>> Why would my machine send these requests?
>
> first of all, your machine seems to be the dns server, or you have
> static ips assigned?

Yes, unbound DNS resolver is running on this machine. No static IPs.

> # cat /etc/{hosts,resolv.conf,nsswitch.conf,network/interfaces}

I have a huge /etc/hosts file for blocking purposes. There are a handful of lines for IPs to the LAN like this which are not in use, i.e. I have no LAN, only a laptop rarely connected to this machine:

$ head /etc/hosts
127.0.0.1       localhost
127.0.1.1       rubians
192.168.19.1    rubians
192.168.19.2    rubiana
192.168.19.3    rubiano

$ cat /etc/resolv.conf
nameserver 127.0.0.1      # this is for unbound on localhost
nameserver 83.169.184.33  # ISP's name server
nameserver 83.169.184.97  # ISP's name server

$ ifconfig -a
lan0: flags=4099  mtu 1500
        inet 192.168.19.1  netmask 255.255.255.0  broadcast 192.168.19.255
        ether 00:21:85:02:91:b8  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

net0: flags=4163  mtu 1500
        inet 91.65.138.120  netmask 255.255.255.0  broadcast 91.65.138.255
        inet6 fe80::20e:2eff:fe09:19d2  prefixlen 64  scopeid 0x20
        ether 00:0e:2e:09:19:d2  txqueuelen 1000  (Ethernet)
        RX packets 544261  bytes 36150630 (34.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9509  bytes 923017 (901.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

> Then, find the processes that are running with open sockets..
> Check which ones are running, and verify why..
> # lsof -nP -i4tcp@{91.65.141.104,91.65.139.36,91.65.138.152}

$ sudo tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on net0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:25:00.272473 ARP, Request who-has ip5b418c91.dynamic.kabel-deutschland.de tell ip5b418cfe.dynamic.kabel-deutschland.de, length 46

$ nslookup ip5b418c91.dynamic.kabel-deutschland.de
Address: 91.65.140.145

$ lsof -nP -i4tcp@91.65.140.145
$ echo $?
1

Well, I can't seem to catch one - maybe I am too slow because the connections are too short-lived?!

$ lsof -nP -i4tcp
COMMAND    PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
unbound   2924 unbound    6u  IPv4  15462      0t0  TCP 127.0.0.1:53 (LISTEN)
unbound   2924 unbound   10u  IPv4  15466      0t0  TCP 127.0.0.1:53 (LISTEN)
unbound   2924 unbound   12u  IPv4  15468      0t0  TCP 127.0.0.1:8953 (LISTEN)
tdeio_ima 3906  stekru    8u  IPv4  19808      0t0  TCP 91.65.138.120:60214->130.133.4.100:143 (ESTABLISHED)
dictd     4888   dictd   37u  IPv4  45627      0t0  TCP 127.0.0.1:2628 (LISTEN)

> If that is a desktop machine, you should have a dns server somewhere
> in the network.. It could be that you have no arp cache, and it is
> requesting every time..

AIUI I have an ARP cache with one entry for the standard gateway of my ISP. See my original post. Is this normal or should there be more entries?

> Having dynamic dns services also doesn't help
> much to your security, since they are one of the major risks breaking
> into computers.. And you seem to have configured some dynamic dns
> services..

Are you saying running a local DNS resolver daemon like unbound is a security risk? And that the seemingly increased ARP traffic could be a symptom of this machine being hacked?

Kind regards,
Stefan
Re: [DNG] how to investigate constant outgoing ARP traffic - TX: ~7K/s
On Saturday, 12 October 2019, Dr. Nikolaus Klepp wrote:
>> Any hint much appreciated.
>
> Please see:
> http://www.omnisecu.com/tcpip/address-resolution-protocol-arp.php
> And search for "arp spoofing", this will reveal more funny details :)

Okay, this will take some time to understand… Thanks.

Stefan