Some new attack in the wild?


Marco Gaiarin

Sep 9, 2020, 3:10:10 PM
to prosod...@googlegroups.com

I manage a little personal server that I use practically only to 'route'
some messages between some devices, and for experimentation.
Oh, Debian stretch, prosody 0.10 1nightly500-1~stretch.

For some days I have been receiving many s2s 'attacks' (the server has
registration disabled, indeed) like:

Sep 9 17:34:42 eraldo prosody[19938]: s2sin55afc4470e50: Stream encrypted (TLSv1.2 with ECDHE-RSA-AES256-GCM-SHA384)
Sep 9 17:34:42 eraldo prosody[19938]: lilliput.linux.it:saslauth: Accepting SASL EXTERNAL identity from toll.ml
Sep 9 17:34:42 eraldo prosody[19938]: s2sin55afc4470e50: Incoming s2s connection toll.ml->lilliput.linux.it complete
Sep 9 17:34:43 eraldo prosody[19938]: s2sout55afc448cc30: Stream encrypted (TLSv1.2 with ECDHE-RSA-AES256-GCM-SHA384)
Sep 9 17:34:43 eraldo prosody[19938]: lilliput.linux.it:saslauth: SASL EXTERNAL with toll.ml failed: not-authorized: unsupported certificate purpose
Sep 9 17:34:43 eraldo prosody[19938]: s2sin55afc426b950: Stream encrypted (TLSv1.2 with ECDHE-RSA-AES256-GCM-SHA384)
Sep 9 17:34:43 eraldo prosody[19938]: lilliput.linux.it:saslauth: Accepting SASL EXTERNAL identity from toll.ml
Sep 9 17:34:43 eraldo prosody[19938]: s2sin55afc426b950: Incoming s2s connection toll.ml->lilliput.linux.it complete
Sep 9 17:34:43 eraldo prosody[19938]: s2sout55afc448cc30: Outgoing s2s connection lilliput.linux.it->toll.ml complete

Some of these 'catch' my Jabber address, and I now have some strange users
in my contact list.

Apart from disabling s2s, is there something I can do?


Thanks.

--
If you haven't laughed for a week, your life starts to lose
meaning. Especially if you're Chinese. (M. Muraro)


Kim Alvefur

Sep 9, 2020, 4:02:28 PM
to prosod...@googlegroups.com
On Wed, Sep 09, 2020 at 05:39:23PM +0200, Marco Gaiarin wrote:
> I manage a little personal server that I use practically only to
> 'route' some messages between some devices, and for experimentation.
> Oh, Debian stretch, prosody 0.10 1nightly500-1~stretch.

Maybe consider updating, there will probably not be any further updates
to the 0.10 branch.

> For some days I have been receiving many s2s 'attacks' (the server has
> registration disabled, indeed) like:
>
> Sep 9 17:34:42 eraldo prosody[19938]: s2sin55afc4470e50: Stream encrypted (TLSv1.2 with ECDHE-RSA-AES256-GCM-SHA384)
> Sep 9 17:34:42 eraldo prosody[19938]: lilliput.linux.it:saslauth: Accepting SASL EXTERNAL identity from toll.ml
> Sep 9 17:34:42 eraldo prosody[19938]: s2sin55afc4470e50: Incoming s2s connection toll.ml->lilliput.linux.it complete
> Sep 9 17:34:43 eraldo prosody[19938]: s2sout55afc448cc30: Stream encrypted (TLSv1.2 with ECDHE-RSA-AES256-GCM-SHA384)
> Sep 9 17:34:43 eraldo prosody[19938]: lilliput.linux.it:saslauth: SASL EXTERNAL with toll.ml failed: not-authorized: unsupported certificate purpose

Here's 'toll.ml' telling you(r server) that it does not like your
certificate. I looked and it looks like you are using a self-signed CA
root certificate, with metadata that says that it should be used for
signing certificates, not for TLS connections.

> Sep 9 17:34:43 eraldo prosody[19938]: s2sin55afc426b950: Stream encrypted (TLSv1.2 with ECDHE-RSA-AES256-GCM-SHA384)
> Sep 9 17:34:43 eraldo prosody[19938]: lilliput.linux.it:saslauth: Accepting SASL EXTERNAL identity from toll.ml
> Sep 9 17:34:43 eraldo prosody[19938]: s2sin55afc426b950: Incoming s2s connection toll.ml->lilliput.linux.it complete
> Sep 9 17:34:43 eraldo prosody[19938]: s2sout55afc448cc30: Outgoing s2s connection lilliput.linux.it->toll.ml complete

Curious that the connection still succeeds if that server disapproves of
your certificate.

> Some of these 'catch' my Jabber address

Looks like you have mod_server_contact_info¹ enabled. This makes the
addresses configured public so that others can find your address and
contact you about your server. It's primarily meant for public services
(with registration enabled etc) so you can find where to send abuse
reports and such. Smaller private servers would not need it, so you can
disable it.

> and i have now some strange users in my contact list.

This could simply be someone trying to tell you that your certificate is
weird. Or spam bots.

¹ https://prosody.im/doc/modules/mod_server_contact_info

> Apart from disabling s2s, is there something I can do?

I don't even know where to start with your cert. I forget if
`prosodyctl cert generate` was in 0.10, but if so that can be used to
generate a "proper" self-signed cert (one that says that it's for TLS
usage).

Unload mod_server_contact_info if you don't want your address to be
public, but the damage is probably already done.

There are various modules in https://modules.prosody.im/ that implement
various ways to block or restrict s2s that you could look into.

But if the server is purely for experimentation and not for general use
on the federated network then disabling s2s may be the way to go.

Anything connected to the Internet will experience poking and prodding
from remote entities with varying intentions, anything from researchers
to hackers to kids poking about. This is life. Some of it can be
blocked, some of it is just harmless. Sometimes the best thing to do is
to just turn down the log level and ignore it.

--
Regards,
Kim "Zash" Alvefur
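As an added example (not code from this thread or from the Prosody project), a small POSIX shell script that checks the property Kim describes: whether a certificate's purpose metadata allows TLS use at all, as a server and as a client. It assumes the openssl CLI is installed and constructs two throwaway certificates, a TLS leaf and a signing-only CA root, to show the difference; the CN and file names are made up for the demo.

```shell
#!/bin/sh
# Added example: inspect which purposes an X.509 certificate declares, the
# metadata a remote server rejects as "unsupported certificate purpose".
# Assumes the openssl CLI; CN and file names are constructed for the demo.
# Return 0 only if the cert is usable as a TLS server AND a TLS client.
# A Prosody s2s cert needs both: it is presented as a client certificate on
# outgoing s2s connections and verified by the peer via SASL EXTERNAL.
check_s2s_purpose() {
  purposes=$(openssl x509 -in "$1" -noout -purpose 2>/dev/null) || return 2
  printf '%s\n' "$purposes" | grep -q '^SSL server : Yes' || return 1
  printf '%s\n' "$purposes" | grep -q '^SSL client : Yes' || return 1
}

# Generate a throwaway self-signed cert (constructed test input) with the
# given basicConstraints, keyUsage and optional extendedKeyUsage values.
gen_cert() {
  out="$1"; bc="$2"; ku="$3"; eku="$4"
  cfg=$(mktemp)
  cat >"$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
[dn]
[ext]
basicConstraints = critical,$bc
keyUsage = critical,$ku
${eku:+extendedKeyUsage = $eku}
EOF
  openssl req -x509 -config "$cfg" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=xmpp.example" -keyout "$out.key" -out "$out" 2>/dev/null
  rc=$?; rm -f "$cfg"; return $rc
}

# Side by side: a leaf cert of the kind `prosodyctl cert generate` aims to
# produce (TLS server + client) versus a CA root that may only sign.
demo() {
  tmp=$(mktemp -d)
  gen_cert "$tmp/leaf.pem" "CA:FALSE" "digitalSignature,keyEncipherment" "serverAuth,clientAuth"
  gen_cert "$tmp/ca.pem" "CA:TRUE" "keyCertSign,cRLSign" ""
  for c in leaf ca; do
    if check_s2s_purpose "$tmp/$c.pem"; then echo "$c.pem: usable for s2s"
    else echo "$c.pem: NOT usable for s2s (CA-only or wrong key usage)"; fi
  done
  rm -rf "$tmp"
}
# Run as a script: pass the cert Prosody serves, otherwise run the demo.
if [ $# -gt 0 ]; then check_s2s_purpose "$1" && echo "$1: usable for s2s" || echo "$1: NOT usable for s2s"
else demo; fi
```

`openssl x509 -in cert.pem -noout -purpose` on its own prints the full purpose table if you want to see why a cert was rejected.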

Davide Marchi

Sep 10, 2020, 7:38:57 AM
to prosod...@googlegroups.com
Same issue, it started not much more than two weeks ago;
I've enabled "mod_block_strangers" and I hope it works ;-)

https://modules.prosody.im/mod_block_strangers.html

Thanks!


Davide


Kim Alvefur wrote:
> [...]

Marco Gaiarin

Sep 14, 2020, 5:10:07 PM
to Kim Alvefur, prosod...@googlegroups.com
Hello! Kim Alvefur
On that day you were saying...

>> Oh, Debian stretch, prosody 0.10 1nightly500-1~stretch.
> Maybe consider updating, there will probably not be any further updates
> to the 0.10 branch.

I have a rather complex 'home server', recently P2V'd (Proxmox); next step,
moving services to different containers...


> certificate. I looked and it looks like you are using a self-signed CA
> root certificate, with metadata that says that it should be used for
> signing certificates, not for TLS connections.

Mmmhhh... it is not a self-signed one, but a home-made CA managed with
TinyCA2.


> Looks like you have mod_server_contact_info¹ enabled. This makes the

Exactly. Thanks!

--
Military justice is to justice as military music is to
music. (Georges Clemenceau)

