similar to: reply attack

hello, the text attached describes what i believe to be security holes in tinc. i would appreciate your comments to see if i missed something big. -------------- next part -------------- Security flaws in tinc Jerome Etienne jme@off.net Abstract This text describes security flaws in Tinc. It includes a description of the security

Greetings All, I was looking around the Internet and came across this, but did not know if it was a problem for Tinc. http://off.net/~jme/tinc_secu.html ------------------------------- Security flaws in tinc Jerome Etienne jme@off.net Abstract This text describes security flaws in Tinc. It includes a description of the security (see section 1

I just bought an I Audio mobile device (Btw, these thigns are the coolest players on the face of the earth.. might want to check em out). It plays ogg vorbis files rather nicely. My whole music library is sitting in flac format. When I encoded my flac files (the majority a year ago) I used replay gain to save the album and track information if the flac file. Unfortunately, the I audio doesnt like

I get a lot of these in my log, especially when I am moving lots of traffic across the vpn: Sep 20 10:45:11 titan tinc.tdvpns[16152]: Got late or replayed packet from holden (xx.yy.zz.ww port 655), seqno 37609, last received 37610 (sequence numbers displayed generally differ by only one) What exactly is this trying to say? Surely this doesn't simply mean that the udp packets arrived in a

During Brandon Black presentation I heard that was developed a patch to prevent loss of UDP packets when tinc detects a replay attack. Is possible to have a look at that patch ? :) Saverio

Hi Guus, I've attached something like a commit message (I think). Sorry, but I am not familiar with git and currently familiarizing with it. In the meantime, I fixed some code and introduced a compatibility wrapper to allow porting tinc to "Fritz!Box" (using Freetz http://trac.freetz.org/). The file is called ifaddr-compat.h/c and wraps the function "getifaddrs". I'm

Signed-off-by: Loic Dachary <loic at dachary.org> --- doc/tinc.conf.5.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/tinc.conf.5.in b/doc/tinc.conf.5.in index 7196392..00e4674 100644 --- a/doc/tinc.conf.5.in +++ b/doc/tinc.conf.5.in @@ -416,7 +416,7 @@ and are available. .El .It Va ReplayWindow Li = Ar bytes Pq 16 -vhis is the size of the replay tracking

Am 18.07.2017 um 22:15 schrieb mj: > Hi, > > Thanks for the quick follow-ups! Much appreciated. After posting this, I > immediately started working on fail2ban. And between my initial posting > and now, fail2ban already blocked 114 IPs. > > I have fail2ban with maxretry=1 and bantime=1800 > > However, it seems almost all IPs are different, and I don't think I can

With pleasure we announce the release of version 1.0.14. Here is a summary of the changes: * Fixed reading configuration files that do not end with a newline. Again. * Allow arbitrary configuration options being specified on the command line. * Allow all options in both tinc.conf and the local host config file. * Configurable replay window, UDP send and receive buffers for performance

With pleasure we announce the release of version 1.0.14. Here is a summary of the changes: * Fixed reading configuration files that do not end with a newline. Again. * Allow arbitrary configuration options being specified on the command line. * Allow all options in both tinc.conf and the local host config file. * Configurable replay window, UDP send and receive buffers for performance

Hi Robert, On 07/18/2017 11:43 PM, Robert Schetterer wrote: > i guess not, but typical bots arent using ssl, check it > > however fail2ban sometimes is to slow I have configured dovecot with auth_failure_delay = 10 secs I hope that before the 10 sec are over, dovecot will have logged about the failed login attempt, and fail2ban will have blocked the ip by then. MJ

On 19/07/2017 11:23, mj wrote: > Hi Robert, > > On 07/18/2017 11:43 PM, Robert Schetterer wrote: >> i guess not, but typical bots arent using ssl, check it >> >> however fail2ban sometimes is to slow > > I have configured dovecot with > auth_failure_delay = 10 secs > > I hope that before the 10 sec are over, dovecot will have logged about the >

Hi. I have few questions out of curiosity.. Cant help for now with your problem... What version is crashing? 1.1 or 1.0 ? How your network is segmented..? I use tinc myself here a lot too (1.0) but my network is very segmented. I use switch mode and handle routing myself, so mesh links arent large.. I would NOT go beyond 30 nodes for full auto-mesh.. its already like 435 edges... Regards,

I've been using tinc to do some high bandwidth VPNs between nodes in Amazon's EC2 environment (to work around some limitations there for effectively loadbalancing raw TCP connections while preserving the sources addresses, using Linux IPVS in NAT mode). The raw amount of traffic involved is probably making this a bit of a corner case for tinc. In the overall it has held up remarkably

Because of security vulnerabilities in tinc that have recently been discovered, we hereby release tinc versions 1.0.35 and 1.1pre17. Here is a summary of the changes in tinc 1.0.35: * Prevent oracle attacks (CVE-2018-16737, CVE-2018-16738). * Prevent a MITM from forcing a NULL cipher for UDP (CVE-2018-16758). Here is a summery of the changes in tinc 1.1pre17: * Prevent oracle attacks in the

Because of security vulnerabilities in tinc that have recently been discovered, we hereby release tinc versions 1.0.35 and 1.1pre17. Here is a summary of the changes in tinc 1.0.35: * Prevent oracle attacks (CVE-2018-16737, CVE-2018-16738). * Prevent a MITM from forcing a NULL cipher for UDP (CVE-2018-16758). Here is a summery of the changes in tinc 1.1pre17: * Prevent oracle attacks in the

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-06:11.ipsec Security Advisory The FreeBSD Project Topic: IPsec replay attack vulnerability Category: core Module: sys_netipsec Announced:

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-06:11.ipsec Security Advisory The FreeBSD Project Topic: IPsec replay attack vulnerability Category: core Module: sys_netipsec Announced:

Thanks for answers. I think its now flaw.. but design.. Tinc auto-mesh is very very handy. You just need to avoid flat networks. There is also IndirectMode w/ forces nodes to be switched by intermediate node... but I would be cautionus how its used. I use it myself for certain nodes behind NATs where they cannot be connected to, so always connect node handles switching for them. You noticed it

Hi! I have som problems with my vpn tunnel. I have 6 nodes in the network. Three of them is running tinc 1.1pre5 Three of them is running tinc 1.0.19 I also have vlan tagging between the nodes running tinc 1.1pre5 The problem is that get a bunch of errors in the log like the messages below (logs is attached in the email): Got late or replayed packet from JOTPOS ("internal ip" port