
Does anyone know of a way to stop popper from doing ident and reverse DNS lookups every time someone connects? I can't seem to find any info on how to do it in the usual places. It takes insufferably long to connect to pop3 on a server I have just built.

For ident I have configured my firewall to reject instead of drop (it's a FW-1 box), but it doesn't seem to speed up connections any. In some instances the connections are coming through up to 5 firewalls, some NATed, some private addresses, and some public (also via IPsec connections). Obviously not all of these addresses have reverse DNS set, so I think that is the problem. (It may not be... is there any other known reason for popper to be VERY slow to connect?)

Any ideas?
---
Nix - nix@susesecurity.com
http://www.susesecurity.com

Nix wrote:
HTH
--
Mit freundlichen Gruessen / best regards,
Sven Michels
Network Operating Center / Infrastructure
-----------------------------------------
intraDAT AG
Wilhelm Leuschner Strasse 7 u. 9-11
60329 Frankfurt / Germany
Tel: +49 69 256 29 - 0
Fax: +49 69 256 29 - 256
http://www.intradat.com
-----------------------------------------
Besuchen Sie uns vom 22.03.01-28.03.01 auf der CeBIT in Hannover, Halle 3 Stand E45
-----------------------------------------

* Nix (suse@nix.hispeed.com) [010315 17:09]:
> Does anyone know of a way to stop popper from doing ident and reverse dns lookups everytime someone connects?

If you are running it from inetd, keep in mind that SuSE's tcpd build has -DALWAYS_RFC931 set. This means that identd username lookups are *always* attempted, not just when you've asked for them in /etc/hosts.[allow|deny].
--
-ckm

At 03:55 AM 17/03/2001, you wrote:
grrr... Yes I am. Is there any way to disable this behavior without recompiling?

(I WAS using xinetd until I hit a number of annoying bugs... For starters, it seems to kill the originating IP address, i.e. connections to pop appear to come from localhost in /var/log/mail.)

TIA
---
Nix - nix@susesecurity.com
http://www.susesecurity.com

On Mon, Mar 19, 2001 at 13:40 +1100, Nix wrote:
Since you don't want to turn this behaviour off and still want to run inetd: Wrap your POP server in something which isn't inetd. :) See http://cr.yp.to/ for the ucspi-tcp package, unless you cannot cope with DJB's software or opinions / license ...
> (I WAS using xinetd until I hit a number of annoying bugs...

That would have been the other popular alternative.

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig
true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.

* Nix (suse@nix.hispeed.com) [010319 08:56]:
Since it's a compile-time option, not that I know of. It's fairly simple to fix though: Install the tcpd source package and change the line "+AUTH = -DALWAYS_RFC931" to "+#AUTH = -DALWAYS_RFC931" in /usr/src/packages/SOURCES/tcp_wrappers_7.6.dif. Then run

    cd /usr/src/packages/SPECS && rpm -bb tcpd.spec

and you should have a new rpm in /usr/src/packages/RPMS/{arch}.

This *really* speeds up tcpd connections since it no longer has to wait for the inevitable identd timeout -- the change made a tremendous difference on an ftp server that we all know and love. Of course, you can still selectively do these username lookups if you want to; see hosts_access(5) for more info.
--
-ckm

:-) Yes. As a brief note: Chris' (formerly ckm@suse.com) handwriting is all over ftp.suse.com since he built it. He also added some "goodies" to make it administer itself all by itself and to speed things up tremendously (which is needed despite heavy hardware scale).

> Of course, you can still selectively do these username lookups if you want to; see hosts_access(5) for more info.

Thanks Chris,
Roman.
--
Roman Drahtmüller <draht@suse.de>             "Caution: Cape does
SuSE GmbH - Security   Phone: +49-911-740530   not enable user to fly."
Nürnberg, Germany                              (Batman Costume warning label)

If you aren't interested in identd at all, how about adding this on the server to block it before it even gets out (a new piece of code to fight with the original identd code :). As a bonus (?), you will not be able to reply to a connection originating from the ident port (ssh??):

    ipchains -A output --protocol tcp --dport auth -j REJECT

identd should give up on the query when it receives destination not reachable. If that didn't work, then this really shouldn't work:

    ipchains -A output --protocol tcp --dport auth -j REDIRECT 7

This does not resolve any DNS problems. &:-)

On Mar 16 at 12:02, Nix said (in part):
--
This was joke number 48
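The delay Chris and Andrew are talking about comes down to how the ident (RFC 1413) query fails: a refused connection errors out at once, a silently dropped one sits there until the wrapper's timeout expires, and that wait is paid on every inbound POP connection. The script below is an added example, not code from this thread, from tcpd or from any identd: it implements a minimal RFC 1413 client the way a wrapper would use it, a constructed local identd that answers USERID and ERROR replies, a listener that is never accepted (standing in for a firewall DROP) and a closed loopback port (standing in for REJECT). All ports, the port-to-user table and the 0.5 s timeout are assumptions chosen for the demonstration.

```python
import socket
import threading
import time


def parse_ident_reply(line):
    """Parse one RFC 1413 reply line into a dict, or None if malformed.
    Shapes: "<port> , <port> : USERID : <opsys> : <userid>"
            "<port> , <port> : ERROR : <error-type>"  """
    parts = [p.strip() for p in line.split(":", 3)]
    if len(parts) < 3:
        return None
    ports, kind = parts[0], parts[1]
    if kind == "USERID" and len(parts) == 4:
        return {"ports": ports, "status": "USERID", "opsys": parts[2], "user": parts[3]}
    if kind == "ERROR" and len(parts) == 3:
        return {"ports": ports, "status": "ERROR", "error": parts[2]}
    return None


def ident_lookup(host, ident_port, remote_port, local_port, timeout):
    """Query identd at host:ident_port as a wrapper would: remote_port is the
    peer's source port (the side running identd), local_port our service port
    (110 for POP3). Returns (parsed reply or None, seconds spent)."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, ident_port), timeout=timeout) as s:
            s.sendall(f"{remote_port} , {local_port}\r\n".encode("ascii"))
            data = b""
            while b"\n" not in data:
                chunk = s.recv(512)
                if not chunk:
                    break
                data += chunk
        reply = parse_ident_reply(data.decode("ascii", "replace").strip())
    except OSError:
        # ECONNREFUSED / unreachable (REJECT) or socket.timeout (DROP): no answer either way
        reply = None
    return reply, time.monotonic() - start


def start_mock_identd(user_by_port):
    """Constructed identd on 127.0.0.1 answering from a port -> user table.
    Returns (port, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener shut down
            with conn:
                try:
                    a, b = (int(x) for x in conn.recv(64).decode("ascii", "replace").split(","))
                    user = user_by_port.get(a)
                    resp = (f"{a} , {b} : USERID : UNIX : {user}\r\n" if user
                            else f"{a} , {b} : ERROR : NO-USER\r\n")
                except ValueError:  # malformed request: RFC 1413 error reply
                    resp = "0 , 0 : ERROR : INVALID-PORT\r\n"
                conn.sendall(resp.encode("ascii"))

    threading.Thread(target=serve, daemon=True).start()

    def stop():
        try:
            srv.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        srv.close()

    return port, stop


def start_black_hole():
    """Listener that is never accept()ed: the handshake completes in the kernel
    but no reply ever comes, which is what a silent firewall DROP looks like."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv.getsockname()[1], srv.close


def closed_port():
    """A loopback port nothing listens on: the kernel answers RST, like REJECT."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo(timeout=0.5):
    """Run all four cases; the timeout stands in for the wrapper's ident timeout (assumed)."""
    port, stop = start_mock_identd({6193: "stjohns"})  # constructed table
    found, _ = ident_lookup("127.0.0.1", port, 6193, 110, timeout)
    missing, _ = ident_lookup("127.0.0.1", port, 6195, 110, timeout)
    stop()
    refused, t_reject = ident_lookup("127.0.0.1", closed_port(), 6193, 110, timeout)
    bh_port, close_bh = start_black_hole()
    dropped, t_drop = ident_lookup("127.0.0.1", bh_port, 6193, 110, timeout)
    close_bh()
    return {"found": found, "missing": missing, "refused": refused,
            "t_reject": t_reject, "dropped": dropped, "t_drop": t_drop}


if __name__ == "__main__":
    print(demo())
```

The two timings are the point: in the REJECT case the lookup returns in well under a millisecond with no answer, in the DROP case it burns the whole timeout and still has no answer, so a server that cannot reach the client's port 113 pays that wait once per connection unless the lookup is turned off (the ALWAYS_RFC931 rebuild) or the query is answered with an error immediately (the REJECT rule).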

Dear list,

Last night I had a weird problem with my SuSE-7.0 box, which I have had several times before, also on other machines and other SuSE versions. Because every time it happened it was on a machine that was at the moment on the internet, and had been for at least a few hours, and I've never had it with machines that were not currently reachable from the internet, I am wondering if it might be a symptom of a break-in.

This is what happens: suddenly a number of programs I had running died mysteriously as soon as I clicked my mouse anywhere in them (netscape, xemacs, etc.). Also I was completely unable to start a lot of programs. I could use who, ps, lsof, iptraf, etc., but I could not start ssh, telnet, netscape, ftp, lynx. I could start jed, but not emacs. I could start pine, but not pico (pine died too as soon as I chose "compose message"). Mathematica worked, but R failed...

I looked for patterns in which programs worked and which didn't. Maybe only large programs died? Or only network-based? Or only those using a particular library? Also it happens on machines permanently in the net via ethernet, on machines I only use for dialup occasionally... several architectures, several kernel versions, nothing (as far as I could find) in common, except for the same symptoms, and the fact that it happens only on machines that are at that very moment.

Does anyone have an idea what could cause this, or at least if it means the systems are compromised?

Thanks,
Yuri.
--------------------------------------------------------------------------
drs. Yuri Robbers                      phone : +31-71-527-4966
Leiden University                      fax   : +31-71-527-4900
Institute for Theoretical Biology      email : robbers@rulsfb.leidenuniv.nl
Kaiserstraat 63, 2311 GP Leiden, the Netherlands
PGP 5.0 public key available: check your favourite hkp server.
--------------------------------------------------------------------------

Participants (7): Andrew McGill, Christopher Mahmood, Gerhard Sittig, Nix, Roman Drahtmueller, Sven Michels, Yuri Robbers