Mail Archives: cygwin/2023/01/22/14:25:40

Message-ID: <4cf463fc-38a2-0dd2-7bea-c7293abbd754@Shaw.ca>
Date: Sun, 22 Jan 2023 12:24:36 -0700
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101
Thunderbird/102.6.1
Subject: Re: observation: masses of requests to LDAP
To: cygwin AT cygwin DOT com
References: <ae73845c-b970-37ab-f429-65b15cf8540c AT tu-dortmund DOT de>
Organization: Inglis
In-Reply-To: <ae73845c-b970-37ab-f429-65b15cf8540c@tu-dortmund.de>
From: Brian Inglis via Cygwin <cygwin AT cygwin DOT com>
Reply-To: cygwin AT cygwin DOT com
Cc: Brian Inglis <Brian DOT Inglis AT Shaw DOT ca>,
Tobias Wendorff <tobias DOT wendorff AT tu-dortmund DOT de>

On 2023-01-22 07:32, Tobias Wendorff via Cygwin wrote:
> our IT department has informed me that masses of requests are being sent from my 
> computer to our two LDAP servers on port 389. After a detailed investigation, 
> the problem could be clearly traced back to "cygwin".

That is required for Cygwin to emulate POSIX permissions and ACLs: see security 
and domain info in:

/usr/share/doc/cygwin-doc/html/cygwin-ug-net/cygwin-ug-net.html
/usr/share/doc/cygwin-doc/cygwin-ug-net.pdf

or the equivalent online docs:

https://cygwin.com/cygwin-ug-net.html
https://cygwin.com/cygwin-ug-net/cygwin-ug-net.html
https://cygwin.com/cygwin-ug-net/cygwin-ug-net.pdf
https://cygwin.com/faq.html

Your IT folks could contact peers at Aachen, Bochum, Dresden, Esslingen, FAU who 
provide Cygwin mirrors, probably use it in courses, and have experience with it; 
see:
	https://cygwin.com/mirrors.html

> Firewall logs show that about any tool, even base tools "sort" or "less", 
> initiates a request to port 389 on our LDAP servers.

Each process needs access to your credentials, groups, and memberships, and 
pulls them for domain accounts on domain members.

> Sorry, I am _not_ going to release "cygcheck.out" to public, since it contains 
> sensitive information about the domain and its groups and memberships.

It is acceptable to anonymize or summarize information in cygcheck output.
In this case, counts of ids, groups, and memberships might help.

> Even after reinstalling cygwin from another server, the problem still appears. 
> Could it be that this is part of an attack?

Definitely not, this is normal behaviour.

Your first step should be to run cygserver to cache SAM and AD info on each 
system using cygwin on domain members.

Your second step should be to review /etc/nsswitch.conf settings for searching 
and possibly set:

	db_enum: cache local primary builtin

or maybe:

	db_enum: cache local primary alltrusted

or if connecting from home maybe:

	db_enum: cache local primary domain.tld

Check the mailing list archives for previous posts about domain settings.

-- 
Take care. Thanks, Brian Inglis			Calgary, Alberta, Canada

La perfection est atteinte			Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter	not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer	but when there is no more to cut
			-- Antoine de Saint-Exupéry

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
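The following script is an added illustration for the nsswitch.conf step in the reply above; it is not code from the thread or from the Cygwin project. It assumes Cygwin's "key: value" line format with '#' comments, takes the file path as an argument, and writes a constructed sample file so it runs outside Cygwin as well. The function names (db_enum_value, db_enum_uses_cache, db_enum_scope) are the script's own.

```shell
#!/bin/sh
# Added example, not part of the original thread: audit the db_enum line of a
# Cygwin-style /etc/nsswitch.conf, the setting the reply recommends reviewing.
# Assumptions: "key: value" lines with '#' comments (Cygwin's format); the
# path is passed as $1. A constructed sample file is written below so the
# script runs anywhere, not only under Cygwin.

# Print the effective db_enum value: the last uncommented assignment wins.
# Prints "unset" when the file has no active db_enum line.
db_enum_value() {
    awk -F':' '
        /^[[:space:]]*#/ { next }
        $1 ~ /^[[:space:]]*db_enum[[:space:]]*$/ {
            v = $2
            sub(/^[[:space:]]+/, "", v)
            sub(/[[:space:]]+$/, "", v)
            val = v
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# Succeed (exit 0) when the source list starts with "cache", i.e. the
# cygserver cache is consulted before any SAM/AD lookup, as the reply suggests.
db_enum_uses_cache() {
    case "$1" in
        cache|cache\ *) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify the enumeration scope: "alltrusted" enumerates every trusted
# domain (the broadest of the three settings quoted in the reply), while
# "primary" or an explicit domain name keeps lookups to a known scope.
db_enum_scope() {
    case " $1 " in
        *" alltrusted "*) echo "broad" ;;
        *) echo "restricted" ;;
    esac
}

# Constructed sample: the commented-out line is a setting that was tried and
# replaced; the active line is the "connecting from home" variant.
sample="${TMPDIR:-/tmp}/nsswitch.sample.$$"
cat > "$sample" <<'EOF'
# /etc/nsswitch.conf (constructed sample, not a real host's file)
passwd: files db
group:  files db
#db_enum: cache local primary alltrusted
db_enum: cache local primary domain.tld
EOF

value=$(db_enum_value "$sample")
echo "db_enum is: $value"
if db_enum_uses_cache "$value"; then
    echo "cache consulted first: yes"
else
    echo "cache consulted first: no (consider running cygserver and listing cache first)"
fi
echo "enumeration scope: $(db_enum_scope "$value")"
rm -f "$sample"
```

Run it against a host's own file with `sh audit-db_enum.sh /etc/nsswitch.conf`; a "broad" scope or a missing leading "cache" are the two findings that point back at the per-process LDAP traffic described in the thread.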
