SCIENTIFIC-LINUX-DEVEL Archives

February 2020

SCIENTIFIC-LINUX-DEVEL@LISTSERV.FNAL.GOV
Options: Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
Re: hosts.deny
From:
Pat Riehecky <[log in to unmask]>
Reply To:
Pat Riehecky <[log in to unmask]>
Date:
Mon, 24 Feb 2020 08:09:46 -0600
Content-Type:
text/plain
Parts/Attachments:
text/plain (88 lines) 
Thanks for taking the time to research, write, and send this to 
Scientific Linux!  The best way to get this included in a new version of 
Scientific Linux is to get the fix included further up stream.[1]  That 
way groups other than this one can benefit from your work on this 
issue.  From our side we try not to deviate very much from what our 
upstream provider is doing.  Our hope is that by following them closely 
we reduce the possible problems our users encounter.  But this can lead 
to some tension in the application of patches, particularly patches that 
fix problems.

One of the best ways we can give back to our upstream providers is fixes 
like this one.  I hope that you can open a bug with them so that 
everyone can benefit from this.  As a point of etiquette, they prefer 
not to have mention of SL on their bug tracker.  Our source, for any 
package they provide, is their source.  Any patches we apply are noted 
in the changelog with justifications and generally attributed to Connie, 
Troy, myself, or the Scientific Linux Development list.

Right now our commitment to improving SL, assisting upstream in fixes, 
and generally trying to give back to the linux community at large gives 
us pause before applying any patch for upstream packages which doesn't 
have an associated bugzilla number.  They've given us so much, we want 
to try and give back where we can and help encourage others to do so in 
the spirit of the open source movement.

Again, thank you for your efforts here!  Please feel free to continue to 
contribute regularly to [log in to unmask]



[1] http://bugzilla.redhat.com/


On 2/24/20 6:06 AM, tech wrote:
> As this is a "system component" feature,  I hope this is the right list
>
> Scientific Linux 7.7, with latest update.
>
> If there are more than 255 IP addresses associated with a service in 
> /etc/hosts.deny,  then when any service which calls tcp_wrappers is 
> invoked,  the process hangs, eventually taking 100%CPU.
> Any new request to tcp wrappers invokes another process which likewise 
> eventually reaches 100% CPU.   Effectively initiating an unintended  DoS
>
> I run exim as my MTA
>
> I run a script which looks for certain messages
>
>>     "no host name found for IP address"
>>     "rejected after DATA"
>>     "refused: too many connections"
>
> in the /var/log/exim/   mainlog, rejectlog and paniclogs
> which indicate invalid connections to the server, and then places the 
> Class C  IP address of these in hosts.deny, against exim
>
> extract below from hosts.deny
>
>> exim: 1.215.,103.141.,103.16.,103.20.,103.230.,103.233.\
>> ,103.69.,103.74.,103.76.,109.100.,109.224.\
>> ,109.61.,109.72.,112.78.,114.199.,115.75.\
>> ,117.103.,121.65.,122.228.,123.143.,125.138.\
>
> In the past two weeks, the number of "exim reject messages" has 
> increased such that the number of IP addresses  associated with exim 
> in hosts.deny reached  256, with the result,  as explained above,  
> that each connection to the email server started a new instance of 
> exim, which never completed,  and eventually grabbed 100% CPU.
>
> The logs are rotated every week and the list of IPs is refreshed.
>
> The prevalence of hacking is on the increase, so to get greater than 
> 255 instances in a week is not becoming uncommon.
>
> Could the code be updated to allow more than 255/256 instances.
> (255/256 are common computing numbers!!)
>
> Thank you
>
> Me

-- 
Pat Riehecky

Fermi National Accelerator Laboratory
www.fnal.gov
www.scientificlinux.org

ATOM RSS1 RSS2