Full-Disclosure posting "FreeBSD 9.1 ftpd Remote Denial of Service"
Dmitry Morozovsky
marck at rinet.ru
Mon Feb 4 22:01:41 UTC 2013
On Mon, 4 Feb 2013, Alexandr Kovalenko wrote:
> On Mon, Feb 4, 2013 at 6:27 PM, Fabian Wenk <fabian at wenks.ch> wrote:
> > A few days ago there was the posting "FreeBSD 9.1 ftpd Remote Denial of
> > Service" [1] on the Full-Disclosure mailing list. Is this a known issue to
> > the FreeBSD community?
> >
> > [1]
> > http://lists.grok.org.uk/pipermail/full-disclosure/2013-February/089583.html
> >
> > There are also many ftp.*.freebsd.org mirrors listed in the above mention
> > posting, so I also put freebsd-hubs@ into the recipient list. This will
> > probably help, that ftp mirror operators are alerted and can take any action
> > if needed.
>
> I can confirm this is an issue on stable/9 r245742. Though I hardly
> can call it DoS as normally ftp account is running with well-defined
> ulimits and proper ftpd usage pattern does not generate much CPU
> usage, so you can keep limits pretty much low, thus not being affected
> by so-called "DoS".
>
> Nevertheless any ideas on how to fix our glob(3)?
Not the global fix, but workaround (kinda) for current situation, via dadv:
Add to your /etc/login.conf
ftp:\
:priority=20:\
:cputime=5:
:tc=default:
and rebuild yout login.conf database via
cap_mkdb /etc/login.conf
Than, apply newly create class to anonymous ftp user:
pw usermod ftp -L ftp
This should not affect regular ftp consumer, as they are hardly comsume host'
resources, but will stop malicious anonymous users from eating your
CPU resources.
--
Sincerely,
D.Marck [DM5020, MCK-RIPE, DM3-RIPN]
[ FreeBSD committer: marck at FreeBSD.org ]
------------------------------------------------------------------------
*** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck at rinet.ru ***
------------------------------------------------------------------------
More information about the freebsd-hubs
mailing list