
Date:  Tue, 18 Mar 2008 17:22:50 -0700
From:  "Rodrigo Ordonez Licona" <rodrigo (at mark) xnet.com.mx>
Subject:  [coba-e:12292] Re: The FTP server is not running
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAARDhjVlX2aEuqbKE5moo4BsKAAAAQAAAAO0t2wlm4DkuX1iG/5QLpWQEAAAAA (at mark) xnet.com.mx>
In-Reply-To:  <47E0332D.90506 (at mark) theanchoragesylvania.com>
X-Mail-Count: 12292


We have seen the ftp problem without the dictionary attack.

We have noticed the same error on our servers but the ftp server seems to
keep working.

From time to time we also saw the swatch email that ftp is not responding.

I have seen this on a BQ Nuonce and also on a Strongbolt(raq550).

Recently the error appears on the logs, but swatch emails seem to have gone
after updates maybe...


Haven't had any customer complaints though.

In both cases we still use databases and have the script running every
minute to minimize dictionary attacks.

Actually, in case of attacks the database does get screwed up even with the
script; however, inside the script we added these lines, which fix the
problem (it seems that cron minutely is not enough to stop an attack; at
least on a twin quad Xeon with 2 GB RAM it did not help).

Not very elegant, but it fixes everything when attacks are overnight (most
cases).

#snip added on the part when dovecot processes pass the limit
    /sbin/service dovecot stop
    killall -9 dovecot
    killall -9 dovecot-auth
    echo Recuperacion de Ataque de Diccionario envio de dbrecover
    /etc/init.d/dbrecover start

#end snip





HTH

Rodrigo O
Xnet

-----Original Message-----
From: Greg Kuhnert [mailto:greg.kuhnert (at mark) theanchoragesylvania.com] 
Sent: Tuesday, 18 March 2008 02:25 p.m.
To: Arthur Sherman
Cc: coba-e (at mark) bluequartz.org
Subject: [coba-e:12290] Re: The FTP server is not running

Are you still using databases for your authentication? From my research,
it's not the FTP server that shuts down during a dictionary attack, it's the
link to the db files.
There have been recent patches discussed here for dovecot. It's great that
this app is being reviewed, but it is not where I believe the core of the
problem lies. Ultimately, the PAM module for database authentication craps
itself and refuses to auth any more users.

Even a login via the BQ web gui using a normal (non admin) user fails when
the box is in this state.

One day, someone may find the bug in the PAM modules. Until then, we have
the following solutions:
1. Move to password authentication - using the documentation on Brian's
site, or
2. Use the script located at http://www.gregkuhnert.com/public:bq:dfix
.... This does not fix the problem, but it does detect dictionary attacks,
and blocks the source before the PAM modules die.
3. A combination of the above - Even if you migrate to flat files instead of
databases, it's still a good idea to try to detect and respond to dictionary
attacks.

Regards,
Greg.



Arthur Sherman wrote:
>> Hi Arthur,
>> I had this a couple of times and in my case it was a dictionary 
>> attack. I guess the FTP server is one of the first things that shuts 
>> down if things get too hectic. Hope this helps.
>> R.
>>     
>
> Howdy,
>
> This is what I think too.
> Nevertheless, there aren't any signs of major attack, some dropped packets.
> It feels like the ftp (and probably dovecot) are very tender...
>
>
> Best,
> --
>
> Arthur Sherman
>
>
>
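
Added example, not part of the original thread and not the dfix script mentioned above: one way to detect a dictionary attack from the mail log and list the sources to block before authentication breaks down. The log line shape, the threshold of 5, the function names and the use of iptables are assumptions; the sample log is constructed.

```shell
#!/bin/sh
# Added example: count failed logins per source address and print (not run)
# a firewall rule for each source at or above a threshold.

# Constructed sample log; the line shape is an assumption for illustration.
sample_log() {
cat <<'EOF'
Mar 18 02:10:01 bq dovecot: pop3-login: Aborted login: user=<admin>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1
Mar 18 02:10:02 bq dovecot: pop3-login: Aborted login: user=<test>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1
Mar 18 02:10:02 bq dovecot: pop3-login: Aborted login: user=<guest>, method=PLAIN, rip=::ffff:192.0.2.10, lip=192.0.2.1
Mar 18 02:10:03 bq dovecot: pop3-login: Aborted login: user=<info>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1
Mar 18 02:10:04 bq dovecot: pop3-login: Aborted login: user=<web>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1
Mar 18 02:11:30 bq dovecot: pop3-login: Aborted login: user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1
Mar 18 02:12:00 bq dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1
EOF
}

# find_attackers THRESHOLD  (log on stdin)
# Prints "count ip", highest count first, for sources with >= THRESHOLD failures.
find_attackers() {
    awk -v limit="$1" '
        /Aborted login/ {
            if (match($0, /rip=[0-9a-fA-F:.]+/)) {
                ip = substr($0, RSTART + 4, RLENGTH - 4)
                sub(/^::ffff:/, "", ip)    # fold IPv4-mapped form into plain IPv4
                fails[ip]++
            }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= limit) print fails[ip], ip
        }
    ' | sort -rn
}

# block_rules: turn "count ip" lines into iptables commands for review.
block_rules() {
    while read -r count ip; do
        echo "iptables -I INPUT -s $ip -j DROP"
    done
}

# Stand-alone run on the constructed sample.
sample_log | find_attackers 5 | block_rules
```

To use it from cron, feed it the tail of the real log instead of sample_log and adjust the /Aborted login/ pattern to what your daemons actually write.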