Date:  Thu, 29 Nov 2007 10:44:09 +0800
From:  patricko <patricko (at mark) staff.singnet.com.sg>
Subject:  [coba-e:11293] Re: sudden authentication problem
To:  coba-e (at mark) bluequartz.org
Cc:  toodi4 (at mark) hotmail.com
Message-Id:  <20071129104409.2d6eab4f@patricko>
In-Reply-To:  <BAY135-W319EAA4A584DE254227F3682700 (at mark) phx.gbl>
References:  <BAY135-W319EAA4A584DE254227F3682700 (at mark) phx.gbl>
X-Mail-Count: 11293

Hi,



Please don't speculate. Dig your logs and return the facts.


For other Blues, I have been using .db authentication for 2 years straight
 w/o any problem. The no. of sites per server is > 1 thousand.





### I always recommend removing POP3 loggin to .db, eg below ####
### Why? This will make DBRecover run faster (in /var/db) ...  when you have been struck by a dick-sionary attack ####
 


cat /etc/pam.d/pop3

#%PAM-1.0
auth       requisite    /lib/security/pam_nologin.so
auth       requisite    /lib/security/pam_shells.so
#auth       required    /lib/security/pam_pwdb.so shadow nullok
#account    required    /lib/security/pam_pwdb.so
auth       required     /lib/security/pam_stack.so service=system-auth shadow nullok
account    required     /lib/security/pam_stack.so service=system-auth




Cheers
patrick



On Wed, 28 Nov 2007 17:45:23 -0800
Diana Saunders <toodi4 (at mark) hotmail.com> wrote:

> 
> I have a Centos BQ server which has been functioning fine for a while. Now suddenly today all authentication failed (email, admin, ftp).  I was able to log in through SSH and run dbrecover.  That fixed the problem briefly, but then it failed again.  I tried rebooting the server but same problem. It also seemed that many of the times I ran dbrecover it did not solve the problem, even temporarily.
> 
> Now it is the evening and the problem seems to have gone away for now.
> 
> My initial thought is that it was a dictionary attack causing this problem as I've run into this before.  However, while I could see obvious hacking attempts using email login attempts in the secure log, they did not seem to be very numerous. (I could be wrong as I don't know exactly how to determine the number).  In any case, during the several hours when this problem occurred, there didn't seem to be a heavy load on the server as I had experienced in the past with such attacks.
> 
> I know that other people have experienced a similar problem.  I have read Brian's instructions for converting the passwords to a flat file.  I'm not sure if that will resolve the problem I'm experiencing, or there is something else going on. Just curious if there is anything else I should be looking for.
> 
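
Added example, not part of the original thread: one way to get the number of failed logins that the quoted message says is hard to determine, by counting PAM "authentication failure" lines per hour and per remote host. The log lines are constructed (pam_unix style, documentation addresses, hypothetical host "bq1") and the function names are hypothetical; check the patterns against your own secure log first.

```shell
#!/bin/sh
# Added example, not from the thread. Sample lines are constructed
# (pam_unix style, documentation IPs); adjust patterns to your own log.

write_sample_log() {   # hypothetical helper: writes constructed lines to $1
cat > "$1" <<'EOF'
Nov 28 09:14:02 bq1 pop3(pam_unix)[2101]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10 user=admin
Nov 28 09:14:05 bq1 pop3(pam_unix)[2102]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10 user=info
Nov 28 09:14:09 bq1 pop3(pam_unix)[2103]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10 user=sales
Nov 28 10:02:41 bq1 pop3(pam_unix)[2250]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=198.51.100.7 user=alice
Nov 28 10:03:00 bq1 pop3(pam_unix)[2251]: session opened for user alice by (uid=0)
Nov 28 10:40:13 bq1 sshd(pam_unix)[2300]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
EOF
}

# Total failed authentications in the file.
total_failures() { grep -c 'authentication failure' "$1"; }

# Failures per hour ("Mon DD HH count"): shows when a burst started and ended.
failures_per_hour() {
    awk '/authentication failure/ { split($3, t, ":"); n[$1 " " $2 " " t[1]]++ }
         END { for (k in n) print k, n[k] }' "$1" | sort
}

# Per remote host: "failures distinct_users rhost". Many different user names
# from one host points at guessing rather than one user mistyping a password.
failures_per_rhost() {
    awk '/authentication failure/ {
        host = "(none)"; user = "(none)"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^rhost=./) host = substr($i, 7)
            if ($i ~ /^user=./)  user = substr($i, 6)
        }
        fails[host]++
        if (!((host, user) in seen)) { seen[host, user] = 1; users[host]++ }
    }
    END { for (h in fails) print fails[h], users[h], h }' "$1" | sort -rn
}

# Run against a real log when a path is given, e.g. sh thisfile /var/log/secure
if [ -n "${1:-}" ]; then
    echo "total: $(total_failures "$1")"
    failures_per_hour "$1"
    failures_per_rhost "$1"
fi
```

Comparing the per-hour counts with the hours when authentication stopped working shows whether the outage lines up with a burst of failed logins.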