Re: [exim] Exim + grsecurity + ssl = dos

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Samuel
Datum:  
To: exim-users
Betreff: Re: [exim] Exim + grsecurity + ssl = dos

Le 01/06/2016 à 15:05, Renaud Allard a écrit :
>
> On 06/01/2016 12:32 PM, Samuel wrote:
>> Le 01/06/2016 à 11:24, Jeremy Harris a écrit :
>>> On 31/05/16 18:44, Samuel wrote:
>>>> 2016-05-31 05:55:44 TLS error on connection from
>>>> researchscan258.eecs.XXXX.edu (eecs.XXXX.edu) [1XX.212.XXX.3]
>>>> (gnutls_handshake): Could not negotiate a supported cipher suite.
>>>> 2016-05-31 05:55:44 H=researchscan258.eecs.XXXX.edu (eecs.XXXX.edu)
>>>> [1XX.212.XXX.3] Warning: erreur : tls-failed
>>> OK, cipher-suite mismatch...
>>>
>>>> /var/log/syslog :
>>>>
>>>> May 31 05:55:44 anemone-mailin-01 kernel: [4547900.677897] traps:
>>>> exim4[23055] general protection ip:6664ddc0bad6 sp:7483826d3710 error:0
>>>> in libc-2.19.so[6664ddba2000+1a2000]
>>> Oops!
>>>
>>>> So if I understand well, A special craft ssl request can cause DOS on
>>>> Exim on Grsecurity kernel ?
>>> Not all that crafted; just a choice of ciphers.
>> Is this a problem from my side ? Do I have to do someting ?
>>
> Given the name of the host researchscanXXX, may I assume you have used a
> server to test the crypto? So if it has indeed attempted some kind of
> brute force, maybe grsec was right.


Strange but perharps solved I think, It was my own fault :

I'm building a test server .... and I started it only for testing mode
.... but I forgot to open the 465 port to the my mail-IN exim.
So now I'm sure that last connexions were on port 25 with starttls.

I open the port 465 to the exim mail-IN and I just see the researchscan
coming in again, this time on port 465 with no alert from grsecurity.
But, this could just mean that there is no prob on port 465 .... but
perharps still a problem with port 25 ont TLS

And as my server is only in test mode, I just get only few mailing-list
and botnet ;-) , I'm sure that was not clean email.

So could this brute force alert be a problem for people without
grsecurity and port 465 closed ... ?

> Some grsec features should be used with great precautions. This is not a
> magical recipe.


Yes I'm taking care with grsec, but I use it for years with not so much
problem (except clam ...)

Thanks.

Samuel.