CSCui88426 - Cisco IOS Software IKEv2 Denial of Service Vulnerability
Hi! I would appreciate if anyone can confirm for below.
For the routers using IPSEC tunnels with ISAKMP enabled (without any IKEv2 config), can the attacker exploit this vulnerability by sending malformed IKEv2 packets?
Both initiator and responder must have IKEv2 config to be able to trigger this vulnerability? We have many routers using IPSEC tunnels with IKEv1 and not sure whether this vulnerability is affected or not.
Thanks & Regards,
A device does not need to be configured with any IKEv2-specific features to be vulnerable?
Similar Messages
-
CSCum96401 - Cisco ASA IKEv2 Denial of Service Vulnerability
Hi Everyone,
ASA is configured with ikev2 and below is config
5520# show running-config crypto ikev2 | include enable
crypto ikev2 enable outside client-services port 443
5520# show running-config crypto map | include interface
crypto map outside_map interface outside
I checked below weblink
CSCum96401 - Cisco ASA IKEv2 Denial of Service Vulnerability
Not Affected
Not Affected
Not Affected
8.4(7.15)
Not Affected
8.6(1.14)
Not Affected
9.0(4.8)
9.1(5.1)
Not Affected
Not Affected
https://tools.cisco.com/bugsearch/bug/CSCum96401
ASA which i am running has version Cisco Adaptive Security Appliance Software Version 8.4(7)
sh flash shows
asa847-k8.bin
Need to confirm if my ASA is not effected by this bug?
Regards
MAheshHi Mahesh,
Your ASA code (asa847-k8.bin) is affected by this Bug, recommended release is 8.4(7.23) and later.
this bug is first fixed in 8.4(7.15).
Thanks,
Prashant Joshi -
Cisco works LMS 4.0 ,Apache HTTP Server CVE-2011-3192 Denial Of Service Vulnerability
Cisco works LMS 4.0 ,Apache HTTP Server CVE-2011-3192 Denial Of Service Vulnerability
This vulnerability has been fixed in release apache 2.2.20 and further corrected
in 2.2.21. You are advised to upgrade to version 2.2.21 (or newer) or the
legacy 2.0.65 release,
Can any one give the steps to upgrade the apache http server 2.2.10 to 2.2.21 in windows 2008 server?For the following PSIRT:
http://www.cisco.com/en/US/products/csa/cisco-sa-20110830-apache.html
Download the following patch "lms40-win-Oct2011-su1-0.zip" :
http://www.cisco.com/cisco/software/release.html?mdfid=283434800&flowid=19062&softwareid=280775103&os=Windows&release=4.0&relind=AVAILABLE&rellifecycle=&reltype=latest
The instructions should be in the zip file how to install the patch.
This should cover all theses bugs that you can query in the bug tool kit:
http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
CSCte45565
CSCto12712
CSCto23584
CSCto23622
CSCto35544
CSCto35577
CSCtq48990 -
DNS Inspection Denial of Service Vulnerability check
Hi Everyone,
I am checking this cisco link ---http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa for
DNS Inspection Denial of Service Vulnerability
Cisco ASA Software is affected by this vulnerability if the DNS Application Layer Protocol Inspection (ALPI) engine is configured to inspect DNS packets over TCP.
To verify if the DNS ALPI engine is inspecting DNS packets over TCP, use the
show running-config access-list <acl_name>
command where
acl_name
is the name of the access-list used in the
class-map
to which the DNS inspection is applied.
This can be found by using the
show running-config class-map
and
show running-config policy-map
commands.
The following example shows Cisco ASA Software with the DNS ALPI engine configured to inspect DNS packets over TCP.
ciscoasa# show running-config access-list
access-list DNS_INSPECT_ACL extended permit tcp any any
ORciscoasa# show running-config access-list
access-list DNS_INSPECT_ACL extended permit ip any any
ciscoasa# show running-config class-map
class-map DNS_INSPECT_CP
match access-list DNS_INSPECT
ciscoasa# show running-config policy-map
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
class DNS_INSPECT_CP
inspect dns preset_dns_map
Note: Cisco ASA Software will not inspect DNS packets over TCP by default.
show running-config policy-map
DNS Inspection Denial of Service Vulnerability
Cisco ASA Software is affected by this vulnerability if the DNS Application Layer Protocol Inspection (ALPI) engine is configured to inspect DNS packets over TCP.
To verify if the DNS ALPI engine is inspecting DNS packets over TCP, use the show running-config access-list <acl_name>
command where acl_name
is the name of the access-list used in the class-map
to which the DNS inspection is applied.
This can be found by using the show running-config class-map
and show running-config policy-map
commands.
The following example shows Cisco ASA Software with the DNS ALPI engine configured to inspect DNS packets over TCP.
ciscoasa# show running-config access-list
access-list DNS_INSPECT_ACL extended permit tcp any any
ORciscoasa# show running-config access-list
access-list DNS_INSPECT_ACL extended permit ip any any
ciscoasa# show running-config class-map
class-map DNS_INSPECT_CP
match access-list DNS_INSPECT
ciscoasa# show running-config policy-map
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
class DNS_INSPECT_CP
inspect dns preset_dns_map
Note: Cisco ASA Software will not inspect DNS packets over TCP by default.
I check my asa and ran the command
show running-config policy-map
policy-map global_policy
class inspection_default
inspect rsh
inspect rtsp
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect dns
inspect http
inspect ftp
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map map
class inspection_default
Does this confirm that this asa is vulnerabile?
Regards
MaheshHi,
The post says this
Cisco ASA Software is affected by this vulnerability if the DNS Application Layer Protocol Inspection (ALPI) engine is configured to inspect DNS packets over TCP.
So it says that if the ASA is configured to inspect DNS over TCP then its vulnerable.
It also says
Note:Cisco ASA Software will not inspect DNS packets over TCP by default.
And it seems you have not made any special configurations related to DNS inspection therefore your ASA should not be inspecting DNS that is using TCP therefore it should not be vulnerable. Atleast that is how it seems to me.
- Jouni -
Java Hash Collision Denial Of Service Vulnerability
There is Java Hash Collision Denial Of Service Vulnerability according to these sources:
http://tomcat.10.n6.nabble.com/SECURITY-Apache-Tomcat-and-the-hashtable-collision-DoS-vulnerability-td2405294.html
http://www.nruns.com/_downloads/advisory28122011.pdf
http://www.securityfocus.com/bid/51236
It mentions that Oracle is not going to release the fix for Java. Does anyone knows if Oracle has any plan to release the fix or intend to ever fix it or not?
Thanks,
kymeng
Edited by: user6992787 on Feb 10, 2012 12:08 PMI don't really see this as an Oracle problem - more a Tomcat problem. Any collection algorithm will have limitations and in this case the Tomcat team use the Java hashtable to make use of the O(1) performance when the hashes of the keys are effectively random and have accepted the possible worst case O(n^2) performance. Either they should have used a TreeMap with O(nlogn) performance OR they should create their own implementation of Map that that does not permit the DOS attack.
I have never done any performance comparisons between HashMap and TreeMap but for many years now I pretty much always use a TreeMap since I rarely find performance a significant problem (of course I don't write high throughput applications such as Tomcat). I don't really see how Oracle should be involved in this problem; maybe the Tomcat team should be doing performance comparisons and/or research into algorithms that do not allow this DOS. -
Cisco Aironet Conversion Tool Version 2.1 for Cisco IOS Software
I am trying to convert a LWAP to Cisco IOS and the tool wants to know the Admin Name*? This is a factory radio sent to me as LWAP. I cannot seem to find out what the Admin Name is, I have tried Admin and Cisco not sure what else to try.
Hi Brian,
That tool is used for the IOS to LWAPP upgrade only. The AP can be converted back to Autonomous (IOS) using the following method;
Reverting the Access Point Back to Autonomous Mode
http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00804fc3dc.html#wp161272
You can convert an access point from lightweight mode back to autonomous mode by loading a Cisco IOS Release that supports autonomous mode (Cisco IOS release 12.3(7)JA or earlier). If the access point is associated to a controller, you can use the controller to load the Cisco IOS release. If the access point is not associated to a controller, you can load the Cisco IOS release using TFTP.
Using a TFTP Server to Return to a Previous Release
Follow these steps to revert from LWAPP mode to autonomous mode by loading a Cisco IOS release using a TFTP server:
Step 1 The static IP address of the PC on which your TFTP server software runs should be between 10.0.0.2 and 10.0.0.30.
Step 2 Make sure that the PC contains the access point image file (such as c1200-k9w7-tar.122-15.JA.tar for a 1200 series access point) in the TFTP server folder and that the TFTP server is activated.
Step 3 Rename the access point image file in the TFTP server folder to c1200-k9w7-tar.default for a 1200 series access point, c1130-k9w7-tar.default for an 1130 series access point, and c1240-k9w7-tar.default for a 1240 series access point.
Step 4 Connect the PC to the access point using a Category 5 (CAT5) Ethernet cable.
Step 5 Disconnect power from the access point.
Step 6 Press and hold MODE while you reconnect power to the access point.
Step 7 Hold the MODE button until the status LED turns red (approximately 20 to 30 seconds) and then release.
Step 8 Wait until the access point reboots, as indicated by all LEDs turning green followed by the Status LED blinking green.
Step 9 After the access point reboots, reconfigure it using the GUI or the CLI.
From this doc;
http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00804fc3dc.html#wp161272
Hope this helps!
Rob -
Denial of Service Vulnerability
Jdeveloper 11.1.1.4
We had an security audit on our ADF application and one of the vulnerabilities found was a XML recursive Entity Expansion vulnerability from the login button. AKA Billion laughs DoS attack.
The parser used is
weblogic.xml.jaxp.RegistryDocumentBuilder
Weblogic jvm is configured with these paramters
org.xml.sax.driver=weblogic.xml.jaxp.RegistryXMLReader
org.xml.sax.parser=weblogic.xml.jaxp.RegistryParser
Is there a weblogic configuration parameter that can be set to limit entity expansion?
weblogic.xml.jaxp.RegistryDocumentBuilder parse method is called from DefaultMarshalingService
Which expands this DOCTYPE entity to 300,000 characters
<!DOCTYPE foo [<!ENTITY lol "lol"><!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"><!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"><!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"><!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"><!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">]><m xmlns="http://oracle.com/richClient/comm"><k v="type"><s>&lol5;</s></k></m>
Details of the vulnerabiltiy
1 Unrestricted XML
Entity Expansion
CVSS: 7.1
Risk: High
The XML parser used by the application to process input fields allows user-supplied
document type declarations (DTDs). Consequently, an attacker can abuse this feature
to cause a denial service condition on the web server through the use of XML entity
expansion attacks.
An example modified request with the exploit inserted in red.
=&org.apache.myfaces.trinidad.faces.FORM=loginForm&javax.faces.ViewState=!4
i0dvg2x&oracle.adf.view.rich.DELTAS={d1%3a%3amsgDlg%3d{titleIcon
Source%3dhttps%3a//11.254.250.200/app/afr/error.png,title%3dEr
ror}}&event=loginBtn&event.loginBtn=<!DOCTYPE+foo+[<!ENTITY+lol+
"lol"><!ENTITY+lol1+"%26lol%3b%26lol%3b%26lol%3b%26lol%3b%26lol%
3b%26lol%3b%26lol%3b%26lol%3b%26lol%3b%26lol%3b"><!ENTITY+lol2+"
%26lol1%3b%26lol1%3b%26lol1%3b%26lol1%3b%26lol1%3b%26lol1%3b%26l
ol1%3b%26lol1%3b%26lol1%3b%26lol1%3b"><!ENTITY+lol3+"%26lol2%3b%
26lol2%3b%26lol2%3b%26lol2%3b%26lol2%3b%26lol2%3b%26lol2%3b%26lo
l2%3b%26lol2%3b%26lol2%3b"><!ENTITY+lol4+"%26lol3%3b%26lol3%3b%2
6lol3%3b%26lol3%3b%26lol3%3b%26lol3%3b%26lol3%3b%26lol3%3b%26lol
3%3b%26lol3%3b"><!ENTITY+lol5+"%26lol4%3b%26lol4%3b%26lol4%3b%26
lol4%3b%26lol4%3b%26lol4%3b%26lol4%3b%26lol4%3b%26lol4%3b%26lol4
%3b">]><m+xmlns%3d"http%3a//oracle.com/richClient/comm"><k+v%3d"
type"><s>%26lol5%3b</s></k></m>
The following screenshot demonstrates that the above login request takes
approximately 20 times longer to process than a normal login request. With
additional entity expansions, an attacker could bring down the web server
completely.
Best Practice
Configure the XML parser to not process DTDs in the <!DOCTYPE> declaration. In addition, URI
resolution should be disabled to prevent against external entity attacks and denial of service
conditions caused by hanged requests.
This issue appears to be a vulnerability in Oracle’s Application Development Framework (ADF). If
that is the case, consider using a web application firewall to block malicious requests until Oracle
issues a patch.Don, I'm not sure that there is a parameter to do this. However you can do it in java like outlinded here https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing or https://gist.github.com/Prandium/dee14ea650ff7900f2c0
One other way is to implement a servelet filter which scans all parameters and rejects all xxe typ parameters.
Timo -
DNS Inspection Denial of Service Vulnerability
Advisory ID: cisco-sa-20131009-asa
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa
I have a Pix running version 8.0.4 with the following configuration:
inside interface: 192.168.231.254/255.255.255.0
outside interface: 10.100.2.254/255.255.255.0
no nat-control
access-list test permit ip any any log
access-group test in interface outside
access-group test in interface inside
I have a window 2008R2 residing on the Internal interface of the firewall. The domain controller resides on the outside interface of the firewall.
I went ahead and implement the change recommended by Cisco
access-list DNS_INSPECT extended permit udp any any
class-map DNS_INSPECT_CP
match access-list DNS_INSPECT
policy-map global_policy
class DNS_INSPECT_CP
inspect dns preset_dns_map
However, after implement the workaround, my windows 2008R2 machine on the inside network can NOT join with AD on the outside network.
on the log of the firewall I see this:
Oct 31 14:34:09 192.168.231.254 %PIX-4-410001: Dropped UDP DNS request from inside:192.168.231.180/61780 to outside:10.100.2.128/389; label length 132 bytes exceeds protocol limit of 63 bytes
Oct 31 14:34:17 192.168.231.254 %PIX-4-410001: Dropped UDP DNS request from inside:192.168.231.180/61780 to outside:10.100.2.128/389; label length 132 bytes exceeds protocol limit of 63 bytes
I even change the DNS maximum length to 8192 but it still does not work.
I remove the recommendation from the configuration, everything works fine after that.
Anyone knows why?
Thanks in advanceJulio Carvajal wrote:U do not have this command right available at the CLI rightmessage-length maximum client auto
I do
CiscoPix# sh run policy-map
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 1024
message-length maximum client auto
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect sqlnet
inspect dns preset_dns_map
class class_sunrpc_tcp
inspect sunrpc
class DNS_INSPECT_CP
inspect dns preset_dns_map
CiscoPix#
Julio Carvajal wrote: Then clear-local host try one more time and provide the logs.Note:access-list test permit ip any any logaccess-group test in interface outsideaccess-group test in interface insideThat ACL means u have no firewall in place
I am very aware of this. At this point, it does not matter, it just want the firewall to function like a routing device.
It still does NOT work. Here is the log:
Oct 31 17:57:25 192.168.231.254 %PIX-6-106100: access-list test permitted udp inside/192.168.231.180(61982) -> outside/10.100.2.128(53) hit-cnt 1 first hit [0x63a9cac7, 0x0]
Oct 31 17:57:25 192.168.231.254 %PIX-6-106100: access-list test permitted udp inside/192.168.231.180(61983) -> outside/10.100.2.128(389) hit-cnt 1 first hit [0x63a9cac7, 0x0]
Oct 31 17:57:25 192.168.231.254 %PIX-4-410001: Dropped UDP DNS request from inside:192.168.231.180/61983 to outside:10.100.2.128/389; label length 132 bytes exceeds protocol limit of 63 bytes
Oct 31 17:57:32 192.168.231.254 %PIX-4-410001: Dropped UDP DNS request from inside:192.168.231.180/61983 to outside:10.100.2.128/389; label length 132 bytes exceeds protocol limit of 63 bytes
Oct 31 17:57:33 192.168.231.254 %PIX-6-106100: access-list test permitted udp inside/192.168.231.180(50955) -> outside/10.100.2.128(53) hit-cnt 1 first hit [0x63a9cac7, 0x0] -
Xerver Multiple Request Denial of Service Vulnerability
I developed my appln on JDev10.1.2 with Java and JSP and deployed it onto embeded OC4J. It was released on production and it is avilable to people working within our company network. We want it to be avilable for the public, so we wanted to open the firewall. But, our web admin told that the PCI scan found a vulenrability on the OC4J server. The webserver we use is Xerver. Please let me know if we can find any patch for this server to resolve the issue. Please help me as I need to resolve this ASAP.
Thanks.Viani,
I, of course, was being tongue-in-cheek... anyway, are you looking for a patch to OC4J or for Xerver? I've not run into anyone on this forum using Xerver. If you're looking for OC4J information, you may have better luck on the OC4J forum: OC4J
Regards,
John -
CSCum76937 - CUCM Distributed denial-of-service vulnerability on NTP server
I'd request that the built-in iptables on the CUCM, which we users can't adjust at all, could be autoadjusted by the CUCM itself to remove this DDOS vector, namely by restricting NTP to/from the CUCM only to these hosts:
the NTP server(s) it talks with, as configured in 'System>Phone NTP Reference'
the device(s) subscribed to it, who get their time from it.
why can that not be done?thanks, Wes--that response helps to frame the sometime-conflicting tensions between preserving performance and providing security.
I've been thinking about that, and the really excellent Cymru 'secure NTP template' (see
http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html)
, trying to think about what could be done to offer better protection from the NTP attacks with less dynamicness, thinking that it's still important to offer something--all of my CUCMs that are outside firewalls have been attacked and participated in NTP-amplification attacks--and offer these suggestions as to things that the iptables might be leveraged to protect the CUCM, and at least as importantly everyone else FROM the CUCM, in a more static way:
* turn off control queries TO the CM--these are the vector into the CM that results in the amplification DDOS
* permit NTP into the CM only from the configured NTP servers the CM is using--yes, that's slightly 'dynamic', but will only occur infrequently and can be discretely done--scale is very small.
* the remaining really-dynamic part would be "only serve ntp to configured clients", and I can (reluctantly) understand why you push back on that. but if the first two points could be provided for, particularly the control-query filter which is the vector for at least the present threat, that's a huge improvement now.
the Cyrmu template under Unix NTP endsystems has some useful suggestions that could be adapted for CUCM iptables:
(quote from Cyrmu):
You can use your standard host firewall filtering capabilities to limit who the NTP process talks to. If you're using Linux and the host is acting as an NTP client only, the following iptables rules could be adapted to shield your NTP listener from unwanted remote hosts.
-A INPUT -s 0/0 -d 0/0 -p udp --source-port 123:123 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -s 0/0 -d 0/0 -p udp --destination-port 123:123 -m state --state NEW,ESTABLISHED -j
(end quote) -
I am trying to inform myself if Cisco IOS supports Server Load Balancing (SLB) without the CSM. It appears this software has been integrated into a hardware module known as a Content Switching Module. (CSM)
Aside from cost and being a hardware module (faster) in a IOS based Catalyst 6500, Is there a functional advantage / disadvantage of using the Cisco CSM over Cisco IOS Server Load Balancing or vice versa. Any comments would be appreciated. Thanks.
MarkIOS SLB shares the same software code base as Cisco IOS and has all the software features sets of Cisco IOS software. IOS SLB is recommended for customers desiring complete integration of SLB technology into traditional Cisco switches and routers.
The CSM is specifically designed to meet the demands of large Internet service providers (ISPs), Co-location facilities, Application service providers (ASPs), and Enterprise web server farms.
These links might help you gain a better understanding:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121limit/121e/121e8/iosslb8e.htm#xtocid32
http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_qanda_item09186a0080092384.shtml
http://www.cisco.com/warp/customer/cc/pd/si/casi/ca6000/prodlit/ccsm_ds.htm -
Cisco IOS IPS in Cisco 2921/k9 router
Hi All,
I have a router of Cisco 2921 series (C2921/K9) basic box with IP BAse IOS image (SL-29-IPB-K9 IOS). I would like to enable IOS Level IPS feature on this Router now. Based on the Cisco Document i have found i need to purchase an additonal subscripton license to enale the IPS feature. My querry is-
Will it support on the Basic IP Base IOS or do i need to change the IOS?
If i need to purchase the Subscription Licesne, how can i get the part number and cost for the same?
Do i need to buy any addtional module for this like (NME-IPS-K9) ?
Thanks in advance for your quick support
regards
SunnyHi Sunny
1. Yes you can enable IPS on IOS with the security license, without buying a subscription, but this would make little sense - new signatures are being released all the time so you would not be protected from recently discovered vulnerabilities/attacks.
2. Correct, the modules and appliances run a different kind of software and are much more powerful
3. If you add the module, you do NOT need the security license. It would still be advised to get a subscription license to get signature updates for the module.
I hope this helps, let us know.
regards
Herbert
jacob.samuel wrote:Dear Herbert,Thanks alot for the wonderful post. It clear most of my doubts. Still i kindly need to know few more points-1) Cant we enable IPS Feature on 2921/K9 router (with Sec license or 2921Sec/K9 bundle) without signature subscription license (is it a must? it is for getting updates of signatures and for support only, right?)2) I came to know from a distributor pre-sales engineer that the Cisco IOS Level Intrusion Protection is not going to provide the full feature of IPS like NME module or IPS Applinace. Is that right?3) If i add NME-IPS-K9 Module to my 2921 Router, without enabling Sec License, can i enable IPS feature on the Router. Or is it a must that i need to buy Sec License (SL-29-SEC-K9)?Attaching the Datasheet of NME-IPS-K9 module (Page num 5 above Table 3) mentione as follows-Cisco IOS Software Feature Sets and ReleaseTable 3 lists the required Cisco IOS feature sets and releases for Cisco IPS AIM and IPS NME on the Cisco 1841,
2800 and 3800 series Integrated Services Routers Note that, IPS NME on the Cisco 2900 and 3900 Integrated
Services Routers does not require a Security Feature license.
In that case if i buy a module i can install it on the 2921K9 box directly and can enable the IPS feature right? I dont need any License and additonal signature subscription here to enable the IPS feature (if i dont need signature updates and support) right?
thanks alot for the support.
regards
Sunny -
Is there any way to harden Dovecot against POP/IMAP denial of service attacks?
It doesn’t happen very often, but every so often a script kiddie on the Internet hits Dovecot's POP ports on our mail server hard enough to bring mail service to a crawl such that legit users can’t log in to retrieve their mail. I would say that with our 2.66GHz Intel Core 2 Duo Mac Mini Server, when we receive sustained POP login attacks that exceed ten logins per second, then eventually Dovecot gets swamped with so many requests that legit users are excluded. [Our server runs runs OS X Server 10.6.8-10K549, by the way, and Dovecot 1.1.2apple0.5 is installed as determined by running “dovecotd --version”. We keep the mail sever up to date with all available Apple software updates on a weekly basis, so we have the latest and greatest security updates.]
Here’s the problem: I’ve been studying the Dovecot 1.x Wiki at http://wiki1.dovecot.org/ and finding a number of parameters that *sort* of address this denial-of-service vulnerability, but none that appear to harden Dovecot in a similar fashion as ssh or sftp are hardened. By this, I mean that when ssh or sftp detect multiple login attempts originating from the same address above some threshold, then future login attempts are ignored for a solid fifteen minutes no matter what the login name was in the attempts. I’d like something similar for Dovecot.
I am aware of the “mail_max_userip_connections” setting which can be set independently for POP and IMAP service (see http://wiki1.dovecot.org/MainConfig?highlight=%28mail_max_userip_connections%29). This almost does what I want in that it indeed restricts the number of logins for a particular user coming from a single IP address. The problem is that the script kiddies typically scatter their attacks over hundreds of different login names and they may only attempt three or four logins per user name. What I really want is a parameter which starts to ignore logins no matter what the user name if too many come from a single IP address at the same time. Against this, I also need to balance my mail server restrictions to allow perhaps five or ten of my users with laptops to be behind a remote firewall, so all of their legit logins may hit my server perhaps three to ten at a time which could potentially look like an attack if my tuning parameter is set too low. What I’d really like to find is a tuning parameter that excludes concerted attacks without excluding my legitimate users. I also don’t want to invest in extremely expensive (>$10,000) “smart” firewalls that adaptively look for this type of attack, such as are offered by Netgear and other networking equipment manufacturers.
By examining /etc/dovecot/dovecot.conf on my mail server, it seems that Apple’s defaults are to set IMAP mail_max_userip_connections to 20, and for POP to leave the mail_max_userip_connections parameter commented out. Would there be any downside to enabling POP's mail_max_userip_connections to 20 as well? Offhand I can’t see how this would affect my users. Unfortunately, I also think that if I set the POP mail_max_userip_connections to 20 this won’t have any effect on the attackers since they typically won’t try 20 different passwords for the same login name in a given attack. I’ll post a segment of a log showing an actual attack that occurred today from the San Bernadino School District that I’ve since blocked in my network’s firewall, but it will illustrate the type of hard-core denial-of-service attack that I’m referring to. The login attempts were coming in fast, around forty-per-second, and my mail service went down in a matter of minutes as a result. [Yes: I will report this user… I haven’t gotten around to it yet with other issues.]
Any thoughts?Here’s a ten second snippet from my mail server's log, showing how intense the login frequency was from the attacker, and also how (s)he was "scattering" the login names used which I suspect would be quite hard to filter out using POP's mail_max_userip_connections parameter. The attack lasted from 1:43:39 through a server restart at 1:50:18, and even about a minute later. The attack stopped at 1:51:36 before I was able to add a firewalling rule to my router or to exclude logins from the 163.150/16 subnet from my router [FYI — that's the San Bernadino Country School District, according to http://whois.arin.net/rest/net/NET-163-150-0-0-1/pft ].
Any thoughts on how to block this type of POP attack in Dovecot?
[FYI — I changed my actual server name to 'myserver' and the actual admin name to 'Administrator'.]
Jan 13 13:43:39 myserver dovecot[72]: auth(default): od(root,163.150.246.27): user account: root not enabled for mail
Jan 13 13:43:39 myserver dovecot[72]: auth(default): od[getpwnam_ext](admin,163.150.246.27): No record for user
Jan 13 13:43:39 myserver dovecot[72]: auth(default): od(admin,163.150.246.27): lookup failed for user: admin
Jan 13 13:43:39 myserver dovecot[72]: auth(default): od(webmaster,163.150.246.27): Credentials could not be verified username or password is invalid.
Jan 13 13:43:39 myserver dovecot[72]: auth(default): od[getpwnam_ext](user,163.150.246.27): No record for user
Jan 13 13:43:39 myserver dovecot[72]: auth(default): od(user,163.150.246.27): lookup failed for user: user
Jan 13 13:43:39 myserver dovecot[72]: auth(default): od[getpwnam_ext](test,163.150.246.27): No record for user
Jan 13 13:43:39 myserver dovecot[72]: auth(default): od(test,163.150.246.27): lookup failed for user: test
Jan 13 13:43:40 myserver dovecot[72]: auth(default): od[getpwnam_ext](web,163.150.246.27): No record for user
Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(web,163.150.246.27): lookup failed for user: web
Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(www,163.150.246.27): user account: _www not enabled for mail
Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(administrator,163.150.246.27): user account: Administrator not enabled for mail
Jan 13 13:43:40 myserver dovecot[72]: auth(default): od[getpwnam_ext](oracle,163.150.246.27): No record for user
Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(oracle,163.150.246.27): lookup failed for user: oracle
Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(root,163.150.246.27): user account: root not enabled for mail
Jan 13 13:43:40 myserver dovecot[72]: auth(default): od[getpwnam_ext](admin,163.150.246.27): No record for user
Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(admin,163.150.246.27): lookup failed for user: admin
Jan 13 13:43:40 myserver dovecot[72]: auth(default): od[getpwnam_ext](sybase,163.150.246.27): No record for user
Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(sybase,163.150.246.27): lookup failed for user: sybase
Jan 13 13:43:40 myserver dovecot[72]: auth(default): od[getpwnam_ext](informix,163.150.246.27): No record for user
Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(informix,163.150.246.27): lookup failed for user: informix
Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(root,163.150.246.27): user account: root not enabled for mail
Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(webmaster,163.150.246.27): Credentials could not be verified username or password is invalid.
Jan 13 13:43:40 myserver dovecot[72]: auth(default): od[getpwnam_ext](oracle8,163.150.246.27): No record for user
Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(oracle8,163.150.246.27): lookup failed for user: oracle8
Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(backup,163.150.246.27): user account: backup not enabled for mail
Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(root,163.150.246.27): user account: root not enabled for mail
Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(webmaster,163.150.246.27): Credentials could not be verified username or password is invalid.
Jan 13 13:43:40 myserver dovecot[72]: auth(default): od[getpwnam_ext](lizdy,163.150.246.27): No record for user
Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(lizdy,163.150.246.27): lookup failed for user: lizdy
Jan 13 13:43:40 myserver dovecot[72]: auth(default): od[getpwnam_ext](test,163.150.246.27): No record for user
Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(test,163.150.246.27): lookup failed for user: test
Jan 13 13:43:40 myserver dovecot[72]: auth(default): od[getpwnam_ext](user,163.150.246.27): No record for user
Jan 13 13:43:40 myserver dovecot[72]: auth(default): od(user,163.150.246.27): lookup failed for user: user
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](web,163.150.246.27): No record for user
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(web,163.150.246.27): lookup failed for user: web
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](admin,163.150.246.27): No record for user
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(admin,163.150.246.27): lookup failed for user: admin
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(www,163.150.246.27): user account: _www not enabled for mail
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](server,163.150.246.27): No record for user
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(server,163.150.246.27): lookup failed for user: server
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](test,163.150.246.27): No record for user
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(test,163.150.246.27): lookup failed for user: test
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](data,163.150.246.27): No record for user
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(data,163.150.246.27): lookup failed for user: data
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(administrator,163.150.246.27): user account: Administrator not enabled for mail
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](web,163.150.246.27): No record for user
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(web,163.150.246.27): lookup failed for user: web
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(webmaster,163.150.246.27): Credentials could not be verified username or password is invalid.
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](user,163.150.246.27): No record for user
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(user,163.150.246.27): lookup failed for user: user
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](account,163.150.246.27): No record for user
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(account,163.150.246.27): lookup failed for user: account
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(www,163.150.246.27): user account: _www not enabled for mail
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](oracle,163.150.246.27): No record for user
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(oracle,163.150.246.27): lookup failed for user: oracle
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](sybase,163.150.246.27): No record for user
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(sybase,163.150.246.27): lookup failed for user: sybase
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](test,163.150.246.27): No record for user
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(test,163.150.246.27): lookup failed for user: test
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](access,163.150.246.27): No record for user
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(access,163.150.246.27): lookup failed for user: access
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(administrator,163.150.246.27): user account: Administrator not enabled for mail
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](web,163.150.246.27): No record for user
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(web,163.150.246.27): lookup failed for user: web
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](pwrchute,163.150.246.27): No record for user
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(pwrchute,163.150.246.27): lookup failed for user: pwrchute
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](oracle,163.150.246.27): No record for user
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(oracle,163.150.246.27): lookup failed for user: oracle
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](informix,163.150.246.27): No record for user
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(informix,163.150.246.27): lookup failed for user: informix
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(www,163.150.246.27): user account: _www not enabled for mail
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](sybase,163.150.246.27): No record for user
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(sybase,163.150.246.27): lookup failed for user: sybase
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](oracle8,163.150.246.27): No record for user
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(oracle8,163.150.246.27): lookup failed for user: oracle8
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(administrator,163.150.246.27): user account: Administrator not enabled for mail
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](informix,163.150.246.27): No record for user
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(informix,163.150.246.27): lookup failed for user: informix
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](test,163.150.246.27): No record for user
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(test,163.150.246.27): lookup failed for user: test
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](admin,163.150.246.27): No record for user
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(admin,163.150.246.27): lookup failed for user: admin
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(backup,163.150.246.27): user account: backup not enabled for mail
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](user,163.150.246.27): No record for user
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(user,163.150.246.27): lookup failed for user: user
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(webmaster,163.150.246.27): Credentials could not be verified username or password is invalid.
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(root,163.150.246.27): user account: root not enabled for mail
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](oracle,163.150.246.27): No record for user
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(oracle,163.150.246.27): lookup failed for user: oracle
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](lizdy,163.150.246.27): No record for user
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(lizdy,163.150.246.27): lookup failed for user: lizdy
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](oracle8,163.150.246.27): No record for user
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(oracle8,163.150.246.27): lookup failed for user: oracle8
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](sybase,163.150.246.27): No record for user
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(sybase,163.150.246.27): lookup failed for user: sybase
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(backup,163.150.246.27): user account: backup not enabled for mail
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](server,163.150.246.27): No record for user
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(server,163.150.246.27): lookup failed for user: server
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](user,163.150.246.27): No record for user
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(user,163.150.246.27): lookup failed for user: user
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(root,163.150.246.27): user account: root not enabled for mail
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](admin,163.150.246.27): No record for user
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(admin,163.150.246.27): lookup failed for user: admin
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od[getpwnam_ext](informix,163.150.246.27): No record for user
Jan 13 13:43:41 myserver dovecot[72]: auth(default): od(informix,163.150.246.27): lookup failed for user: informix
Jan 13 13:43:42 myserver dovecot[72]: auth(default): od[getpwnam_ext](lizdy,163.150.246.27): No record for user
Jan 13 13:43:42 myserver dovecot[72]: auth(default): od(lizdy,163.150.246.27): lookup failed for user: lizdy
Jan 13 13:43:42 myserver dovecot[72]: auth(default): od[getpwnam_ext](admin,163.150.246.27): No record for user
Jan 13 13:43:42 myserver dovecot[72]: auth(default): od(admin,163.150.246.27): lookup failed for user: admin
Jan 13 13:43:42 myserver dovecot[72]: auth(default): od[getpwnam_ext](data,163.150.246.27): No record for user
Jan 13 13:43:42 myserver dovecot[72]: auth(default): od(data,163.150.246.27): lookup failed for user: data
Jan 13 13:43:42 myserver dovecot[72]: auth(default): od[getpwnam_ext](oracle8,163.150.246.27): No record for user
Jan 13 13:43:42 myserver dovecot[72]: auth(default): od(oracle8,163.150.246.27): lookup failed for user: oracle8
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(webmaster,163.150.246.27): Credentials could not be verified username or password is invalid.
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(backup,163.150.246.27): user account: backup not enabled for mail
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od[getpwnam_ext](user,163.150.246.27): No record for user
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(user,163.150.246.27): lookup failed for user: user
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od[getpwnam_ext](access,163.150.246.27): No record for user
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(access,163.150.246.27): lookup failed for user: access
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od[getpwnam_ext](pwrchute,163.150.246.27): No record for user
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(pwrchute,163.150.246.27): lookup failed for user: pwrchute
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od[getpwnam_ext](server,163.150.246.27): No record for user
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(server,163.150.246.27): lookup failed for user: server
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od[getpwnam_ext](server,163.150.246.27): No record for user
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(server,163.150.246.27): lookup failed for user: server
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od[getpwnam_ext](data,163.150.246.27): No record for user
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(data,163.150.246.27): lookup failed for user: data
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od[getpwnam_ext](lizdy,163.150.246.27): No record for user
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(lizdy,163.150.246.27): lookup failed for user: lizdy
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(root,163.150.246.27): user account: root not enabled for mail
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od[getpwnam_ext](account,163.150.246.27): No record for user
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(account,163.150.246.27): lookup failed for user: account
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od[getpwnam_ext](test,163.150.246.27): No record for user
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(test,163.150.246.27): lookup failed for user: test
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od[getpwnam_ext](web,163.150.246.27): No record for user
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(web,163.150.246.27): lookup failed for user: web
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od[getpwnam_ext](access,163.150.246.27): No record for user
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(access,163.150.246.27): lookup failed for user: access
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od[getpwnam_ext](admin,163.150.246.27): No record for user
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(admin,163.150.246.27): lookup failed for user: admin
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od[getpwnam_ext](account,163.150.246.27): No record for user
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(account,163.150.246.27): lookup failed for user: account
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od[getpwnam_ext](data,163.150.246.27): No record for user
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(data,163.150.246.27): lookup failed for user: data
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(www,163.150.246.27): user account: _www not enabled for mail
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od[getpwnam_ext](admin,163.150.246.27): No record for user
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(admin,163.150.246.27): lookup failed for user: admin
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(administrator,163.150.246.27): user account: Administrator not enabled for mail
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(www,163.150.246.27): user account: _www not enabled for mail
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od[getpwnam_ext](oracle8,163.150.246.27): No record for user
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(oracle8,163.150.246.27): lookup failed for user: oracle8
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od[getpwnam_ext](oracle,163.150.246.27): No record for user
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(oracle,163.150.246.27): lookup failed for user: oracle
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(administrator,163.150.246.27): user account: Administrator not enabled for mail
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od[getpwnam_ext](oracle8,163.150.246.27): No record for user
Jan 13 13:43:44 myserver dovecot[72]: auth(default): od(oracle8,163.150.246.27): lookup failed for user: oracle8
Jan 13 13:43:46 myserver dovecot[72]: auth(default): od(webmaster,163.150.246.27): Credentials could not be verified username or password is invalid.
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](oracle,163.150.246.27): No record for user
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(oracle,163.150.246.27): lookup failed for user: oracle
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](data,163.150.246.27): No record for user
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(data,163.150.246.27): lookup failed for user: data
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](lizdy,163.150.246.27): No record for user
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(lizdy,163.150.246.27): lookup failed for user: lizdy
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](admin,163.150.246.27): No record for user
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(admin,163.150.246.27): lookup failed for user: admin
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(backup,163.150.246.27): user account: backup not enabled for mail
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](user,163.150.246.27): No record for user
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(user,163.150.246.27): lookup failed for user: user
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](admin,163.150.246.27): No record for user
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(admin,163.150.246.27): lookup failed for user: admin
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](test,163.150.246.27): No record for user
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(test,163.150.246.27): lookup failed for user: test
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](web,163.150.246.27): No record for user
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(web,163.150.246.27): lookup failed for user: web
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](account,163.150.246.27): No record for user
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(account,163.150.246.27): lookup failed for user: account
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(www,163.150.246.27): user account: _www not enabled for mail
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](admin,163.150.246.27): No record for user
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(admin,163.150.246.27): lookup failed for user: admin
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(backup,163.150.246.27): user account: backup not enabled for mail
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](oracle8,163.150.246.27): No record for user
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(oracle8,163.150.246.27): lookup failed for user: oracle8
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](web,163.150.246.27): No record for user
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(web,163.150.246.27): lookup failed for user: web
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](web,163.150.246.27): No record for user
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(web,163.150.246.27): lookup failed for user: web
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](informix,163.150.246.27): No record for user
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(informix,163.150.246.27): lookup failed for user: informix
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](oracle,163.150.246.27): No record for user
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(oracle,163.150.246.27): lookup failed for user: oracle
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](test,163.150.246.27): No record for user
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(test,163.150.246.27): lookup failed for user: test
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](lizdy,163.150.246.27): No record for user
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(lizdy,163.150.246.27): lookup failed for user: lizdy
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(backup,163.150.246.27): user account: backup not enabled for mail
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(www,163.150.246.27): user account: _www not enabled for mail
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](sybase,163.150.246.27): No record for user
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(sybase,163.150.246.27): lookup failed for user: sybase
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(administrator,163.150.246.27): user account: Administrator not enabled for mail
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(root,163.150.246.27): user account: root not enabled for mail
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](sybase,163.150.246.27): No record for user
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(sybase,163.150.246.27): lookup failed for user: sybase
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](informix,163.150.246.27): No record for user
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(informix,163.150.246.27): lookup failed for user: informix
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](sybase,163.150.246.27): No record for user
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(sybase,163.150.246.27): lookup failed for user: sybase
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od[getpwnam_ext](server,163.150.246.27): No record for user
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(server,163.150.246.27): lookup failed for user: server
Jan 13 13:43:48 myserver dovecot[72]: auth(default): od(www,163.150.246.27): user account: _www not enabled for mail -
Cisco IOS 12.2 (50) SE2 Netflow support
hi to everyboby,
I'm trying to understand if the IOS version "Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(50)SE2, RELEASE SOFTWARE (fc2)" supports the netflow feature.
I'm trying to configure the cisco WS-C3750G-12S for sending netflow datagrams but I don't find the commands like "ip flow-export".
This cisco official document says that the commands for enabling netflow are not supported.
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_35_se/configuration/guide/swuncli.html#wp1060525
Is It true or I'm missing something?
Thank you very much!
giorgioNo, Netflow is not support on the Cat2K and Cat3K switches. See http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6601/prod_white_paper0900aecd80406232.html .
-
Team,
I am using Cisco IOS XE Software, Version 03.15.00.S - Standard Support Release Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(2)S, RELEASE SOFTWARE (fc3) to support my Cisco IOS CA.
In a nutshell, I am trying to support a FlexVPN - Win7 VPN client as per tac document id 115907
In this document, it states that OpenSSL CA is used but a Cisco IOS CA can also be used. When testing I am at a point where my certificates do not match the example:
The TAC document example:
X509v3 extensions:
X509v3 Key Usage: F0000000
Digital Signature
Non Repudiation
Key Encipherment
Data Encryption
My lab version:
X509v3 extensions:
X509v3 Key Usage: A0000000
Digital Signature
Key Encipherment
Question - How do I get these alternate extensions using the Cisco IOS CA?
ChrisHi Marcin,
You have the same as I - I got my lab working - I tripped up on the KeyUsage thinking that my VPN headend Cisco CSR needed these same extensions as my Win7 client did. When I adjusted my Win7 CSR to feature these extra extensions and re-enrolled, everything is working.
Thanks for your help,
Chris
Maybe you are looking for
-
I am having issues with my Mail. I am trying to find out how to keep my computer from storing mail that I have put into the servers folders. Many of my messages have large attachments, and to me, it seems to be eating up ALOT of space on my compute
-
Constant Download Errors & Content Deletion
I have 2 problems that I've contacted Apple about many, many times without any resolution. They just keep treating me like a moron and then making me go through the same hoops that don't work. Can anyone help: 1. This is the most persistent. I get an
-
It's so difficult to sync my Outlook calendar to my Itouch?
Can somebody explain me why I cant sync my calendar into my itouch?It just doenst appear in my itunes.
-
Can I uninstall only Premiere Pro CS5 from Master Collection?
I have Master Collection CS5 installed on my computer. I just purchased Premiere Pro CS6. I would like to uninstall only PPro CS5 and then install PP CS6, but it's not apparent how to uninstall PP CS5. Is this possible?
-
Photoshop CS4 fails to identify GeForce GTX 295
Photoshop posts a failure notice that the GeForce GTX 295 is outdated and unsupported. Newest driver has been updated. I have installed the script to allow Photoshop to talk to older video cards with no prevail. Open GL settings are dimmed aswell. An