From: Larry Vaden vaden@texoma.net Date: Sun, Jan 23, 2011 at 8:03 PM Subject: sources of bind-9.7.2-P3 rpms for Centos 4.8 and 5.5?
Our site running Centos 4.8 and 5.5 name servers was hacked with the result that www.yahoo.com is now within our /19 and causing some grief.
Don't understand what you mean by 'within our /19'. Have your IP ranges changed? If your Bind date is corrupt, why not re-install Centos and then restore the domains data from one of your regular backups?
Is it a wise business decision to use C 4.8 instead of C 5 or the latest which is C 5.5 ?
Google hasn't led me to an RPM for bind-9.7.2-P3 nor has the search facility at centos.org. However, it is obvious from said searches that Mandriva upgraded last year.
I believe C6 will include an updated Bind.
An attempt to install bind-9.7.2-P3 from source yields the warning below the sig for both 4.8 and 5.5 machines.
WARNING WARNING WARNING WARNING WARNING ..........
Your OpenSSL crypto library may be vulnerable to ..... one or more of the the following known security .... flaws:
CAN-2002-0659, CAN-2006-4339, CVE-2006-2937 and CVE-2006-2940.
It is recommended that you upgrade to OpenSSL version 0.9.8d/0.9.7l (or greater).
Well, on my C 5.5 desktop my OpenSSL is (yum info openssl)
Name : openssl Arch : x86_64 Version : 0.9.8e Release : 12.el5_5.7 Size : 3.4 M
The same version for i686.
Larry, why can't you install the latest OpenSSL ?
On C 5.5 the latest Bind is 9.3.6 (Release: 4.P1.el5_5.3)
If you really need the latest Bind and can not wait about a month for C6 why don't you use a different flavour of Linux? In business one can not be too sentimental and difficult decisions have to be made all the time.
With best regards,
Paul. England, EU.
On Fri, Feb 18, 2011 at 3:15 PM, Always Learning centos@g7.u22.net wrote:
Don't understand what you mean by 'within our /19'. Have your IP ranges changed? If your Bind date is corrupt, why not re-install Centos and then restore the domains data from one of your regular backups?
Our network consists of aaa.bbb.ccc.0/19. That's CIDR notation for 8,192 addresses.
Is it a wise business decision to use C 4.8 instead of C 5 or the latest which is C 5.5 ?
IMHO, fully updated purpose-built servers running 4.8 should have more or less the same vulnerablity profile as 5.5 IFF RH is doing a good job of backporting security fixes.
I am supported in that statement by my mentor at FedEx but NOT by my mentor at Internet2.
The open ?s about human error wrt the SRPMs in SL6 could arguably lead to a different conclusion.
I believe C6 will include an updated Bind.
Yes, it will be based on a later release.
Larry, why can't you install the latest OpenSSL ?
We installed openssl-1.0.0c Jan 23 20:30 27 minutes after filing the original post IIRC.
kind regards/ldv/vaden@texoma.net
Our network consists of aaa.bbb.ccc.0/19. That's CIDR notation for 8,192 addresses.
But what has that got to do with "www.yahoo.com moved into our /19" .... your comment is pretty unclear.
IMHO, fully updated purpose-built servers running 4.8 should have more or less the same vulnerablity profile as 5.5 IFF RH is doing a good job of backporting security fixes.
Why are you so sure it was a bind issue? What logs/research has come to that conclusion?
Would bind 9.7 really have helped you if you were hacked or was your vulnerability elsewhere - and if so where? Was this the same server that you posted where you had mangled the install with force reinstalling rpms from SL and/or oracle that you posted about before for instance?
I am supported in that statement by my mentor at FedEx but NOT by my mentor at Internet2.
Your mentor? What do you mean by that?
We installed openssl-1.0.0c Jan 23 20:30 27 minutes after filing the original post IIRC.
If you were so gung ho about security that you wanted bleeding edge bind even newer than current centos 5 why are you so out of date on your openssl libraries. Given that you are out of date on those as per your previous posts would the currently released bind on rhel5 iff it was already on c5 really have been installed? If you were that desperate you could have built the srpms yourself.... or taken 9.7 from c5-testing.
You have posted the same rubbish over and over without any substantiation with wild allegations.
Post details if you need help or just please stop ranting to no point.
James
On Fri, Feb 18, 2011 at 4:37 PM, James Hogarth james.hogarth@gmail.com wrote:
Your mentor? What do you mean by that?
The same thing Wikipedia says, namely:
a trusted friend, counselor or teacher, usually a more experienced person. Some professions have "mentoring programs" in which newcomers are paired with more experienced people, who advise them and serve as examples as they advance.
Joe, Randy and James are my mentors of 15, 5 and 5 years, respectively, and all said the same thing, namely "nuke and repave, be sure to be current on BIND" since it is a purpose-built box (ns1).
Since others have asked for details, they are below the sig.
With 20/20 hindsight, it is clear that I shouldn't have posted the original post asking the list for help and hopefully informing other potential targets of the risk (read: there were no responses to the original post, therefore it was posted to the wrong audience).
regards/ldv/vaden@texoma.net
There was no time for forensics at the time of the discovery; just time to get advice and react. What follows is from a few moments ago.
===details=== ===box was last nuked and repaved Jul 28 2008 ===much unnecessary software removed Jul 28 2008, 57 tasks active per 'ps auxw | wc -l' ===current nmap (same nmap results as on problem day) Starting Nmap 5.21 ( http://nmap.org ) at 2011-02-18 18:38 CST Note: Host seems down. If it is really up, but blocking our ping probes, try -PN Nmap done: 1 IP address (0 hosts up) scanned in 0.19 seconds vaden@turtlehill:/opt$ nmap -A -PN ns1.texoma.net Starting Nmap 5.21 ( http://nmap.org ) at 2011-02-18 18:38 CST Nmap scan report for ns1.texoma.net (209.151.96.2) Host is up (0.0012s latency). Not shown: 998 filtered ports PORT STATE SERVICE VERSION 53/tcp open domain 987/tcp open ssh OpenSSH 3.9p1 (protocol 2.0) | ssh-hostkey: 1024 36:dc:c8:29:b1:d3:8a:b1:e6:cf:2b:4c:70:ed:c8:9a (DSA) |_1024 10:f9:a6:d2:32:68:15:3a:9f:04:3a:89:05:1e:b8:52 (RSA) Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 26.44 seconds vaden@turtlehill:/opt$ ===named.conf security in 2008 [root@ns1 data]# cat /var/named/chroot/etc/named.conf | more ### # # attribution: By Rob Thomas, noc at cymru.com # http://www.cymru.com/Documents/secure-bind-template.html # -and- # http://www.knowplace.org/pages/howtos/split_view_with_bind_9_howto.php # # at the behest of # Dr. Joe Redacted (redacted1.edu) # Dr. Randall Redacted (redacted2.edu) === ssh port not on 22 === distro's standard iptables save ssh port
Joe, Randy and James are my mentors of 15, 5 and 5 years, respectively, and all said the same thing, namely "nuke and repave, be sure to be current on BIND" since it is a purpose-built box (ns1).
Perhaps is it a difference in language and what you mean by mentor and where I would mean old colleague/peer who I have discussed this with.
They have stated their opinions and you can follow that - but then you would be diverging from the point of RHEL somewhat with a custom built BIND.
Remember that the version number you see on BIND is not always the equivalent of upstream due to backports. You should check the relevant RHEL errata, the package %changelog and CVE to get a better understanding of what exploits are known and what has been patched.
With 20/20 hindsight, it is clear that I shouldn't have posted the original post asking the list for help and hopefully informing other potential targets of the risk (read: there were no responses to the original post, therefore it was posted to the wrong audience).
Err... this isn't the whole story/truth.
I just searched your emails on this list. the first reference to bind was the 16th feb with the thread "Blasphemous" with complaints (and no substance) to Redhat not having current Bind - despite the fact 9.7 is in the then released 5.6... you suggested an alt repo "for critical internet functions." No where did you indicate you had a name server hacked/altered/poisoned... although you pointed out your credit card prcessing system was running Redhat linux 7.3 (Valhalla) and was nearing 10 years old.... this from someone complaining about teh 'age'' of BIND in RHEL/CentOS.
There was no time for forensics at the time of the discovery; just time to get advice and react.
Then you have no way of telling what happened. For future reference a better reaction is to isolate the server (whether physical or virtual) and put a new system in place to serve the need for it whilst you analyze what happened to the previous. Without that knowledge you cannot mitigate any issues or discover where the failure was, if any.
What follows is from a few moments ago.
===details=== ===box was last nuked and repaved Jul 28 2008 ===much unnecessary software removed Jul 28 2008, 57 tasks active per 'ps auxw | wc -l'
This is irrelevant to the point at hand.
===current nmap (same nmap results as on problem day) Starting Nmap 5.21 ( http://nmap.org ) at 2011-02-18 18:38 CST Note: Host seems down. If it is really up, but blocking our ping probes, try -PN Nmap done: 1 IP address (0 hosts up) scanned in 0.19 seconds vaden@turtlehill:/opt$ nmap -A -PN ns1.texoma.net Starting Nmap 5.21 ( http://nmap.org ) at 2011-02-18 18:38 CST Nmap scan report for ns1.texoma.net (209.151.96.2) Host is up (0.0012s latency). Not shown: 998 filtered ports PORT STATE SERVICE VERSION 53/tcp open domain 987/tcp open ssh OpenSSH 3.9p1 (protocol 2.0) | ssh-hostkey: 1024 36:dc:c8:29:b1:d3:8a:b1:e6:cf:2b:4c:70:ed:c8:9a (DSA) |_1024 10:f9:a6:d2:32:68:15:3a:9f:04:3a:89:05:1e:b8:52 (RSA) Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 26.44 seconds
So you have SSH exposed and Domain requests exposed. Not surprising but irrelevant in and of itself.
vaden@turtlehill:/opt$ ===named.conf security in 2008 [root@ns1 data]# cat /var/named/chroot/etc/named.conf | more ### # # attribution: By Rob Thomas, noc at cymru.com # http://www.cymru.com/Documents/secure-bind-template.html # -and- # http://www.knowplace.org/pages/howtos/split_view_with_bind_9_howto.php # # at the behest of # Dr. Joe Redacted (redacted1.edu)
# Dr. Randall Redacted (redacted2.edu)
Without adequate details such as whether IP requests were limited to your allotted IP addresses and other config details this doesn't help.
ssh port not on 22
This is fundamentally irrelevant. This is a very visible server given it is a primary nameserver for you. A simple nmap as you showed above presents any potential hacker with the correct port for SSH given a targeted attack.
distro's standard iptables save ssh port
Perhaps here you made a security mistake and should have configured it differently - for example limiting connection attempts, set up fail2ban, limit inbound SSH from known IPs for management purposes from your corporate network, not had SSH publically visable, etc. Without more detail it is impossible to say what went wrong and how the system could be potentially secured.
If you have a specific point of vulnerability you have encountered - whether a known CVE or not - I would urge you to open a bugzilla ticket with reproducible steps.
If you got hacked through poor configuration and monitoring then it's your own fault quite frankly and perhaps for something you see as such a key service you should hire a proper admin and pay for a Redhat license so you have an SLA to full back on for bugs. That is what it is there for.
Regardless of the above I urge you to stop posting irrelevant nonsense and pushing the signal to noise ratio of the list to such intolerable levels.
James
On Fri, Feb 18, 2011 at 7:39 PM, James Hogarth james.hogarth@gmail.com wrote:
With 20/20 hindsight, it is clear that I shouldn't have posted the original post asking the list for help and hopefully informing other potential targets of the risk (read: there were no responses to the original post, therefore it was posted to the wrong audience).
Err... this isn't the whole story/truth.
As a result of "this isn't whole story/truth," I searched GMail and Thunderbird and here's what I found:
1) GMail says I sent a message To: centos@centos.org Sun, 23 Jan 2011 20:03:22 -0600 Subject: sources of bind-9.7.2-P3 rpms for Centos 4.8 and 5.5? Message-ID: AANLkTimmNnEs-=oTzp29J3vhGFgvc9pc4eeoJCfOceDZ@mail.gmail.com 2) GMail says there was neither a bounce nor a echo post from the mailing list 3) Thunderbird agrees with Gmail re #2 4) New to me (see #7, but more likely as a result of the stress of the situation of wondering what other big URLs were pointing at leaf nodes) is a log entry indicating I got a request for a confirmation from centos-request Jan 23 and Jan 26 and a welcome Jan 26 5) It is possible that I may have unsubscribed from centos but apparently not from centos-devel 6) If I was unsubscribed, it was definitely posted to the wrong list 7) One nice thing about Alzheimers is that you meet so many new people each day and they act like they've known you all your life :) 8) apologies to the CentOS Community and CentOS Team are due and issued.
This has been revealing; I used to think that with 9 stents and a pacemaker, I could be a stand in on the "6 (read: 1) Million Dollar Man" TV show if it ever went into reruns :) Through this experience, starting with a hacked or poisoned name server, or, quite frankly, the perception of one, I have learned what people really see.
best regards/ldv/vaden@texoma.net
On Saturday, February 19, 2011 12:57:40 am Larry Vaden wrote:
Through this experience, starting with a hacked or poisoned name server, or, quite frankly, the perception of one, I have learned what people really see.
Having a server hacked is one of the worst things that can happen in IT; not of course as bad as a real heart attack, for sure.
Having a server hacked puts you in a wierd mindset, most certainly.
If your server was really hacked, I'd start from scratch, and set the new one up more defensively.
On Sat, Feb 19, 2011 at 9:51 AM, Lamar Owen lowen@pari.edu wrote:
If your server was really hacked, I'd start from scratch, and set the new one up more defensively.
THANKS for your input; there exists a consensus, so that's what will be done (replace 4.8 with 5.x). Troy says Fermi (a great target for the miscreants/actors) runs stock BIND as it appears in RHEL/CentOS/SL, so, to be redundant, what is good enough for the national labs is good enough for us. Joe won't be happy with us, but we need to be pragmatic.
On Sat, Feb 19, 2011 at 04:37:57PM -0600, Larry Vaden wrote:
THANKS for your input; there exists a consensus, so that's what will be done (replace 4.8 with 5.x). Troy says Fermi (a great target for the miscreants/actors) runs stock BIND as it appears in RHEL/CentOS/SL, so, to be redundant, what is good enough for the national labs is good enough for us. Joe won't be happy with us, but we need to be pragmatic.
Just out of curiosity, have you ever thought about hiring a competent admin?
John
On Sat, Feb 19, 2011 at 5:07 PM, John R. Dennison jrd@gerdesas.com wrote:
Just out of curiosity, have you ever thought about hiring a competent admin?
Yes.
On Fri, Feb 18, 2011 at 7:39 PM, James Hogarth james.hogarth@gmail.com wrote:
Joe, Randy and James are my mentors of 15, 5 and 5 years, respectively, and all said the same thing, namely "nuke and repave, be sure to be current on BIND" since it is a purpose-built box (ns1).
Perhaps is it a difference in language and what you mean by mentor and where I would mean old colleague/peer who I have discussed this with.
Wikipedia says "This is the source of the modern use of the word mentor: a trusted friend, counselor or teacher, usually a more experienced person." I am not their peer; they are my mentors. They have been invaluable over the 25 combined years of mentorship to this rural ISP.
Remember that the version number you see on BIND is not always the equivalent of upstream due to backports. You should check the relevant RHEL errata, the package %changelog and CVE to get a better understanding of what exploits are known and what has been patched.
Johnny has remarked on the importance of trust.
My trust in RedHat went down when I learned they are not shipping all the SRPMs. Some say it is due to human error. If that is the case, why should I think they are better at backporting security fixes than at making sure a manifest of SRPMs is complete and correct?
Johnny has remarked on the importance of trust.
My trust in RedHat went down when I learned they are not shipping all the SRPMs. Some say it is due to human error. If that is the case, why should I think they are better at backporting security fixes than at making sure a manifest of SRPMs is complete and correct?
Larry seriously now that's enough.
If you don't trust Redhat - great! go elsewhere!. IN fact pleas do since then you shouldn't be using centos and you can then leave this list alone.
For the record an archive of all mails sent to the mailing list appears here... in this case in date order.
http://lists.centos.org/pipermail/centos/2011-January/date.html
To give you the benefit of the doubt I search there for your mail by subject and by the datestamp you allege.
It is not there - ergo it never arrived at the list.
On Sat, Feb 19, 2011 at 6:58 AM, James Hogarth james.hogarth@gmail.com wrote:
For the record an archive of all mails sent to the mailing list appears here... in this case in date order.
http://lists.centos.org/pipermail/centos/2011-January/date.html
To give you the benefit of the doubt I search there for your mail by subject and by the datestamp you allege.
It is not there - ergo it never arrived at the list.
OR it was silently dropped ... only the list manager and others in the know would know if mail from former subscribers is silently dropped.
My trust in RedHat went down when I learned they are not shipping all the SRPMs. Some say it is due to human error. If that is the case, why should I think they are better at backporting security fixes than at making sure a manifest of SRPMs is complete and correct?
Centos, SL and oracle enterprise linux are based on redhat.
Maybe you should start paying for SLES?
-- Eero
On Saturday, February 19, 2011 01:51:55 am Larry Vaden wrote:
My trust in RedHat went down when I learned they are not shipping all the SRPMs. Some say it is due to human error. If that is the case, why should I think they are better at backporting security fixes than at making sure a manifest of SRPMs is complete and correct?
To be fair to Red Hat, it might be different people doing the backporting than are responsible for the packaging. Might not, but might be.
And for their purposes a missing build requirement package isn't really a bug, since it builds fine for them, and they get the patched package out to their customers. And their customers won't typically be rebuilding from source RPM. So, like in any other job, the less important tasks and issues go to the bottom of the list, while the more important 'get the deliverable to the customer' takes top spot.
They have finite resources; they're going to use those finite resources frugally, and thus stay in business (which everybody using CentOS should want them to do).
On Fri, Feb 18, 2011 at 4:15 PM, Always Learning centos@g7.u22.net wrote:
From: Larry Vaden vaden@texoma.net Date: Sun, Jan 23, 2011 at 8:03 PM Subject: sources of bind-9.7.2-P3 rpms for Centos 4.8 and 5.5?
Our site running Centos 4.8 and 5.5 name servers was hacked with the result that www.yahoo.com is now within our /19 and causing some grief.
Don't understand what you mean by 'within our /19'. Have your IP ranges changed? If your Bind date is corrupt, why not re-install Centos and then restore the domains data from one of your regular backups?
Is it a wise business decision to use C 4.8 instead of C 5 or the latest which is C 5.5 ?
Google hasn't led me to an RPM for bind-9.7.2-P3 nor has the search facility at centos.org. However, it is obvious from said searches that Mandriva upgraded last year.
I believe C6 will include an updated Bind.
It's also in RHEL 5.6, so I expect it in CentOs 5.6, from the SRPM bind97-9.7.0-6.P2.el5.src.rpm. Grab that one from your nearest RedHat SRPM repository, such mirrors.kernel.org/redhat/, if you're in a rush.
An attempt to install bind-9.7.2-P3 from source yields the warning below the sig for both 4.8 and 5.5 machines.
WARNING WARNING WARNING WARNING WARNING ..........
Your OpenSSL crypto library may be vulnerable to ..... one or more of the the following known security .... flaws:
CAN-2002-0659, CAN-2006-4339, CVE-2006-2937 and CVE-2006-2940.
It is recommended that you upgrade to OpenSSL version 0.9.8d/0.9.7l (or greater).
Well, on my C 5.5 desktop my OpenSSL is (yum info openssl)
Name : openssl Arch : x86_64 Version : 0.9.8e Release : 12.el5_5.7 Size : 3.4 M
The same version for i686.
Larry, why can't you install the latest OpenSSL ?
On C 5.5 the latest Bind is 9.3.6 (Release: 4.P1.el5_5.3)
If you really need the latest Bind and can not wait about a month for C6 why don't you use a different flavour of Linux? In business one can not be too sentimental and difficult decisions have to be made all the time.
With best regards,
Paul. England, EU.
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Friday, February 18, 2011 04:15:28 pm Always Learning wrote:
From: Larry Vaden vaden@texoma.net Our site running Centos 4.8 and 5.5 name servers was hacked with the result that www.yahoo.com is now within our /19 and causing some grief.
Don't understand what you mean by 'within our /19'.
I think I do; he's an ISP, and apparently someone inside his address block (the CIDR notation /19; his actual block is publicly found by doing a quick nslookup of his domain name, noting the IP address of the DNS server(s) listed, and then a whois of the IP address of the DNS server(s). His /19 shows up) has hacked in some way the zone file(s) or the cache for his nameserver so that his customers, who would ordinarily use his DNS server as their recursive resolver, now see www.yahoo.com (among who knows what others) as pointing to a different address, the one inside his /19 (which I hope he has tracked and duly removed in grand Texas style), for the purpose of phishing.
Now whether this was done by actually hacking into his DNS server or by a cache poisoning attack or what, I don't know since those details Larry hasn't made public. And that's ok.
A fully up-to-date C4 or C5 should be covered when it comes to those sorts of things, but to prevent such things I would recommend to Larry that he use the great iptables tools that CentOS provides, or use some other iptables configurator, or simple hosts.allow and hosts.deny, to restrict the addresses that can actually ssh into his server, and only allow port 53 UDP and TCP traffic into and out of his DNS servers to his cutsomers.
If he has routers/switches with access lists I would apply those as a second layer of traffic filtering, going both ingress and egress relative to his DNS server. A DNS/BIND vulnerability alone won't kill you, other than the previously mentioned cache poisoning attacks (and those are mitigated with other well-known techniques); it's the TCP connection from the vulnerability shellcode back to the attacker's box that is the killer, and that's what the aggressive iptables/acls will do for you.
Hmmm, the Bastille hardening script might help you, but I don't know that for sure. DNS servers should only serve DNS, and the only other connections in or out should be tightly controlled.
Easier said than done, especially with limited staff and funds, I know, but still the best practice.
I say that having had a DNS server hit, on May 1, 1998, with a BIND 4 vulnerability. Got a quick education on BIND best practices, even though it is sometimes is tempting to 'do it later....'
I think I do; he's an ISP, and apparently someone inside his address block (the CIDR notation /19; his actual block is publicly found by doing a quick nslookup of his domain name, noting the IP address of the DNS server(s) listed, and then a whois of the IP address of the DNS server(s). His /19 shows up) has hacked in some way the zone file(s) or the cache for his nameserver so that his customers, who would ordinarily use his DNS server as their recursive resolver, now see www.yahoo.com (among who knows what others) as pointing to a different address, the one inside his /19 (which I hope he has tracked and duly removed in grand Texas style), for the purpose of phishing.
Now whether this was done by actually hacking into his DNS server or by a cache poisoning attack or what, I don't know since those details Larry hasn't made public. And that's ok.
That's what I assumed however given the vagueness I wasn't sure.
At this time I'm unaware of any attacks on Bind within current Centos 5 if it is a properly configured system (selinux enabled, bind chroot, iptables in place, etc) that would allow someone to mess with his zone files or other parts of bind.
As such if there is such a critical vulnerability it would be nice to get details.... especially how he is so intent on blaming Redhat and Bind.... on the other hand if he has misconfigured systems it's his own fault and he should stop blaming Redhat/CentOS.
If he is willing to discuss the details great!
If he is not I would strongly suggest he stop spamming the mailing lists with nonsense.
James
On Fri, 2011-02-18 at 18:32 -0500, Lamar Owen wrote:
On Friday, February 18, 2011 04:15:28 pm Always Learning wrote:
Don't understand what you mean by 'within our /19'.
I think I do; he's an ISP, and apparently someone inside his address block ... has hacked in some way the zone file(s) or the cache for his nameserver so that his customers, who would ordinarily use his DNS server as their recursive resolver, now see www.yahoo.com (among who knows what others) as pointing to a different address ....
Thank you for explaining Larry had his DNS servers hacked or poisoned.
.... to prevent such things I would recommend to Larry that he use the great iptables tools that CentOS provides ... ... to restrict the addresses that can actually ssh into his server, and only allow port 53 UDP and TCP traffic into and out of his DNS servers to his customers.
Agreed. IPtables is a very useful tool to block unauthorised accesses in and (heaven forbid) out of one's servers. Every server is screwed down to the barest minimum and every port that can be changed from its default is. No servers share the same non-standard port numbers. SSH access is limited to 3 static IP addresses. Aggressive blocking with IPtables can prevent a lot of time wasting aggro.
I also ban some Chinese blocks and even more Taiwan blocks from port 80 to reduce web hacking and lots of Taiwanese blocks from port 25.