Date: Sun, 22 Jan 2023 20:26:46 +0100
From: Corinna Vinschen via Cygwin
Reply-To: cygwin AT cygwin DOT com
To: Tobias Wendorff
Cc: Corinna Vinschen, cygwin AT cygwin DOT com
Subject: Re: observation: masses of requests to LDAP
List-Id: General Cygwin discussions and problem reports

On Jan 22 15:32, Tobias Wendorff via Cygwin wrote:
> Hi there,
>
> our IT department has informed me that masses of requests are being sent
> from my computer to our two LDAP servers on port 389. After a detailed
> investigation, the problem could be clearly traced back to "cygwin".
>
> Firewall logs show that about any tool, even base tools "sort" or "less",
> initiates a request to port 389 on our LDAP servers.
>
> Sorry, I am _not_ going to release "cygcheck.out" to public, since it
> contains sensitive information about the domain and its groups and
> memberships.
>
> Even after reinstalling cygwin from another server, the problem still
> appears. Could it be that this is part of an attack?

No, it's working as designed.  User info is fetched from AD via LDAP.

If it's an overwhelming number of LDAP requests, I suspect you're often
calling Cygwin processes from Windows directly, e.g., from CMD or
powershell.

The number of LDAP requests should be much reduced when working from a
Cygwin shell, e.g., from bash in mintty due to user and group info
caching within a Cygwin process tree (Cygwin child processes get the
cached info from their Cygwin parent).

If you want to reduce LDAP access even further, you can either go back to
creating local /etc/passwd and /etc/group files and change
/etc/nsswitch.conf accordingly(*), or you can start cygserver as a service
in background(**).

HTH,
Corinna

(*)  https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-nsswitch
(**) https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-caching
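
The first option in the reply above (local /etc/passwd and /etc/group plus a changed /etc/nsswitch.conf), as an added example that is not part of the original mail or of Cygwin itself. The function name nss_files_only and its ROOT argument are hypothetical; mkpasswd and mkgroup are the stock Cygwin tools.

```sh
#!/bin/sh
# Added example, not from the original mail.
# nss_files_only [ROOT]: make Cygwin resolve users and groups from the local
# /etc/passwd and /etc/group only, so no AD/LDAP lookup is made per process.
# ROOT is a hypothetical parameter for trying this on a scratch copy; leave it
# empty on the live system (do not pass "/": "//etc" is a UNC path on Cygwin).
nss_files_only() {
    root=${1:-}
    conf="$root/etc/nsswitch.conf"

    # With "files" as the only source, an empty passwd or group file leaves
    # the current account unresolvable, so refuse to switch in that case.
    for f in passwd group; do
        if [ ! -s "$root/etc/$f" ]; then
            echo "nss_files_only: $root/etc/$f is missing or empty" >&2
            return 1
        fi
    done

    [ -f "$conf" ] || : > "$conf"
    cp "$conf" "$conf.bak" || return 1

    # Keep every line except active passwd:/group: settings (comments and
    # db_* settings survive), then append the files-only sources.
    grep -Ev '^[[:space:]]*(passwd|group)[[:space:]]*:' "$conf.bak" > "$conf.new" || true
    printf 'passwd: files\ngroup: files\n' >> "$conf.new"
    mv "$conf.new" "$conf"
}

# On the Cygwin host (commands shown as comments so the file can be sourced):
#   mkpasswd -c > /etc/passwd    # entry for the current user
#   mkgroup  -c > /etc/group     # the current group
#   nss_files_only
```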