* observation: masses of requests to LDAP
@ 2023-01-22 14:32 Tobias Wendorff
2023-01-22 19:24 ` Brian Inglis
2023-01-22 19:26 ` Corinna Vinschen
0 siblings, 2 replies; 3+ messages in thread
From: Tobias Wendorff @ 2023-01-22 14:32 UTC (permalink / raw)
To: cygwin
Hi there,
our IT department has informed me that masses of requests are being sent
from my computer to our two LDAP servers on port 389. After a detailed
investigation, the problem could be clearly traced back to "cygwin".
Firewall logs show that about any tool, even base tools "sort" or
"less", initiates a request to port 389 on our LDAP servers.
Sorry, I am _not_ going to release "cygcheck.out" to the public, since it
contains sensitive information about the domain and its groups and
memberships.
Even after reinstalling cygwin from another server, the problem still
appears. Could it be that this is part of an attack?
Best regards,
Tobias
* Re: observation: masses of requests to LDAP
From: Brian Inglis @ 2023-01-22 19:24 UTC (permalink / raw)
To: cygwin; +Cc: Tobias Wendorff
On 2023-01-22 07:32, Tobias Wendorff via Cygwin wrote:
> our IT department has informed me that masses of requests are being sent from my
> computer to our two LDAP servers on port 389. After a detailed investigation,
> the problem could be clearly traced back to "cygwin".
That is required for Cygwin to emulate POSIX permissions and ACLs: see security
and domain info in:
/usr/share/doc/cygwin-doc/html/cygwin-ug-net/cygwin-ug-net.html
/usr/share/doc/cygwin-doc/cygwin-ug-net.pdf
or the equivalent online docs:
https://cygwin.com/cygwin-ug-net.html
https://cygwin.com/cygwin-ug-net/cygwin-ug-net.html
https://cygwin.com/cygwin-ug-net/cygwin-ug-net.pdf
https://cygwin.com/faq.html
Your IT folks could contact peers at Aachen, Bochum, Dresden, Esslingen, FAU who
provide Cygwin mirrors, probably use it in courses, and have experience with it;
see:
https://cygwin.com/mirrors.html
> Firewall logs show that about any tool, even base tools "sort" or "less",
> initiates a request to port 389 on our LDAP servers.
Each process needs access to your credentials, groups, and memberships, and
pulls them for domain accounts on domain members.
> Sorry, I am _not_ going to release "cygcheck.out" to public, since it contains
> sensitive information about the domain and its groups and memberships.
It is acceptable to anonymize or summarize information in cygcheck output.
In this case, counts of ids, groups, and memberships might help.
> Even after reinstalling cygwin from another server, the problem still appears.
> Could it be that this is part of an attack?
Definitely not, this is normal behaviour.
Your first step should be to run cygserver to cache SAM and AD info on each
system using cygwin on domain members.
Your second step should be to review /etc/nsswitch.conf settings for searching
and possibly set:
db_enum: cache local primary builtin
or maybe:
db_enum: cache local primary alltrusted
or if connecting from home maybe:
db_enum: cache local primary domain.tld
Check the mailing list archives for previous posts about domain settings.
--
Take care. Thanks, Brian Inglis Calgary, Alberta, Canada
Perfection is achieved
not when there is no more to add
but when there is no more to cut
-- Antoine de Saint-Exupéry
* Re: observation: masses of requests to LDAP
From: Corinna Vinschen @ 2023-01-22 19:26 UTC (permalink / raw)
To: Tobias Wendorff; +Cc: cygwin
On Jan 22 15:32, Tobias Wendorff via Cygwin wrote:
> Hi there,
>
> our IT department has informed me that masses of requests are being sent
> from my computer to our two LDAP servers on port 389. After a detailed
> investigation, the problem could be clearly traced back to "cygwin".
>
> Firewall logs show that about any tool, even base tools "sort" or "less",
> initiates a request to port 389 on our LDAP servers.
>
> Sorry, I am _not_ going to release "cygcheck.out" to public, since it
> contains sensitive information about the domain and its groups and
> memberships.
>
> Even after reinstalling cygwin from another server, the problem still
> appears. Could it be that this is part of an attack?
No, it's working as designed. User info is fetched from AD via LDAP.
If it's an overwhelming number of LDAP requests, I suspect you're
often calling Cygwin processes from Windows directly, e.g., from
CMD or PowerShell. The number of LDAP requests should be much
reduced when working from a Cygwin shell, e.g., from bash in mintty,
due to user and group info caching within a Cygwin process tree
(Cygwin child processes get the cached info from their Cygwin parent).
If you want to reduce LDAP access even further, you can either
go back to creating local /etc/passwd and /etc/group files and
change /etc/nsswitch.conf accordingly(*), or you can start cygserver
as a service in background(**).
HTH,
Corinna
(*) https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-nsswitch
(**) https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-caching
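Both replies above come down to what /etc/nsswitch.conf tells Cygwin to consult for account lookups (the db backend, i.e. SAM/AD over LDAP, versus local files) and whether enumeration starts from the cache. The script below is an added example, not code from the thread or from the Cygwin project; the key names passwd:, group: and db_enum: and their defaults ("files db" and "cache builtin") follow the Cygwin User's Guide page Corinna links, and the sample configurations are constructed.

```sh
#!/bin/sh
# Added example: audit a Cygwin /etc/nsswitch.conf for the settings that
# decide whether each Cygwin process may query the domain over LDAP.
# Key names and defaults follow the Cygwin User's Guide (ntsec.html);
# the sample files written below are constructed for the demonstration.

# nss_value KEY FILE DEFAULT: print the value of "KEY:" in FILE, with
# comments and surrounding blanks stripped; print DEFAULT if KEY is absent.
nss_value() {
    val=$(sed 's/#.*//' "$2" | awk -v k="$1:" '$1 == k { $1 = ""; print; exit }' \
          | tr -s ' \t' ' ' | sed 's/^ //; s/ $//')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# account_backend FILE: "db" when passwd or group lookups may fall through
# to the SAM/AD backend (the per-process LDAP traffic seen in the firewall
# logs), "files" when only local /etc/passwd and /etc/group are consulted.
account_backend() {
    pw=$(nss_value passwd "$1" "files db")
    gr=$(nss_value group  "$1" "files db")
    case " $pw $gr " in
        *" db "*) echo db ;;
        *)        echo files ;;
    esac
}

# enum_uses_cache FILE: succeeds (0) when db_enum lists "cache" first, so
# enumeration starts from already-cached entries before any domain query.
enum_uses_cache() {
    set -- $(nss_value db_enum "$1" "cache builtin")
    [ "$1" = cache ]
}

# Constructed samples: the shipped default, the local-files variant Corinna
# describes, and the db_enum line Brian suggests.
tmp=$(mktemp -d)
printf 'passwd: files db\ngroup: files db\ndb_enum: cache builtin\n' > "$tmp/default.conf"
printf '# local accounts only\npasswd: files\ngroup: files\ndb_enum: none\n' > "$tmp/local.conf"
printf 'passwd: files db\ngroup: files db\ndb_enum: cache local primary builtin\n' > "$tmp/brian.conf"
for f in default local brian; do
    printf '%-8s backend=%s enum_cache=%s\n' "$f" "$(account_backend "$tmp/$f.conf")" \
        "$(enum_uses_cache "$tmp/$f.conf" && echo yes || echo no)"
done
rm -rf "$tmp"
```

Run it against the real /etc/nsswitch.conf on a domain-joined machine to confirm which path the box is on before and after switching to local files or starting cygserver.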