From: Corinna Vinschen
To: Tobias Wendorff
Cc: cygwin@cygwin.com
Subject: Re: observation: masses of requests to LDAP
Date: Sun, 22 Jan 2023 20:26:46 +0100
Message-ID:
Reply-To: cygwin@cygwin.com
Mail-Followup-To: Tobias Wendorff , cygwin@cygwin.com
References:
In-Reply-To:
On Jan 22 15:32, Tobias Wendorff via Cygwin wrote:
> Hi there,
>
> our IT department has informed me that masses of requests are being sent
> from my computer to our two LDAP servers on port 389. After a detailed
> investigation, the problem could be clearly traced back to "cygwin".
>
> Firewall logs show that about any tool, even base tools "sort" or "less",
> initiates a request to port 389 on our LDAP servers.
>
> Sorry, I am _not_ going to release "cygcheck.out" to the public, since it
> contains sensitive information about the domain and its groups and
> memberships.
>
> Even after reinstalling cygwin from another server, the problem still
> appears. Could it be that this is part of an attack?

No, it's working as designed. User info is fetched from AD via LDAP.

If it's an overwhelming number of LDAP requests, I suspect you're often
calling Cygwin processes from Windows directly, e.g., from CMD or
PowerShell. The number of LDAP requests should be much reduced when
working from a Cygwin shell, e.g., from bash in mintty, due to user and
group info caching within a Cygwin process tree (Cygwin child processes
get the cached info from their Cygwin parent).

If you want to reduce LDAP access even further, you can either go back to
creating local /etc/passwd and /etc/group files and change
/etc/nsswitch.conf accordingly(*), or you can start cygserver as a
service in the background(**).

HTH,
Corinna

(*) https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-nsswitch
(**) https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-caching
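The two mitigations Corinna points at, written out as a Cygwin bash script. This is an added example, not code from the mail or from the Cygwin project; the file paths, the `--yes` flag to `cygserver-config`, and the choice of `-l`/`-c` for `mkpasswd`/`mkgroup` are assumptions of this example, and the `regenerate_account_files` and `install_cygserver` functions only do anything useful on a Cygwin host with write access to `/etc`. The `nsswitch_files_only` check is there so you can confirm, before and after, whether `/etc/nsswitch.conf` still sends account lookups to the `db` (AD/LDAP) source.

```bash
#!/bin/bash
# Added example (not from the original mail or the Cygwin project).
# Assumptions (not in the original): the paths below, that mkpasswd,
# mkgroup, cygserver-config and cygrunsrv are on PATH on the Cygwin
# host, and that the script runs with write access to /etc.
#
# Why the traffic appears: a Cygwin process started from CMD or
# PowerShell has no Cygwin parent to inherit cached account data from,
# so every such process resolves user/group info over LDAP (port 389).
# Caching that data on the host (local files, or cygserver) reduces the
# traffic without Cygwin doing anything other than what it is designed to do.

# Write an nsswitch.conf that resolves accounts from local files only.
# Caveat: with "db" removed, an account missing from /etc/passwd or
# /etc/group will not resolve at all, so regenerate the files whenever
# users or group memberships change.  Keeping "files db" (the default)
# still falls back to AD for unknown accounts and still causes LDAP traffic.
write_nsswitch() {
    conf="$1"
    cat > "$conf" <<'EOF'
# Resolve passwd/group from the local files only; no AD/LDAP lookups.
passwd: files
group: files
EOF
}

# Check whether a given nsswitch.conf consults the "db" (AD) source for
# passwd or group.  Returns 0 only if both lines are "files" alone.
nsswitch_files_only() {
    conf="$1"
    # Drop comments first, then look for a passwd:/group: line listing db.
    if sed 's/#.*//' "$conf" |
       grep -Eq '^[[:space:]]*(passwd|group):.*[[:space:]]db([[:space:]]|$)'; then
        return 1
    fi
    grep -Eq '^[[:space:]]*passwd:[[:space:]]*files[[:space:]]*$' "$conf" &&
    grep -Eq '^[[:space:]]*group:[[:space:]]*files[[:space:]]*$' "$conf"
}

# Option (*): populate the local files and stop consulting AD.
# -l lists local accounts; -c adds only the current user and its groups
# (cheap, unlike -d, which walks the whole domain over LDAP).
regenerate_account_files() {
    mkpasswd -l  > /etc/passwd
    mkpasswd -c >> /etc/passwd
    mkgroup  -l  > /etc/group
    mkgroup  -c >> /etc/group
    write_nsswitch /etc/nsswitch.conf
}

# Option (**): keep "files db" but run cygserver as a Windows service so
# AD lookups are cached host-wide instead of once per Cygwin process tree.
# "--yes" (assumed flag) answers the install prompts non-interactively.
install_cygserver() {
    cygserver-config --yes
    cygrunsrv -S cygserver
}

# Usage (as an elevated Cygwin user), one of:
#   regenerate_account_files
#   install_cygserver
# Verify afterwards:  nsswitch_files_only /etc/nsswitch.conf && echo "files only"
```

Pick one option: with local files only, anything not in `/etc/passwd` or `/etc/group` stops resolving, which is the trade-off for zero LDAP traffic; with cygserver the AD lookups still happen but are cached once per host instead of once per process started from CMD or PowerShell.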