> We have seen the ftp problem without the dictionary attack
>
> We have noticed the same error on our servers but the ftp
> server seems to keep working.
>
> From time to time also we saw the swatch Email that ftp is
> not responding.
>
> I have seen this on a BQ Nuonce and also on a Strongbolt(raq550).
>
> Recently the error appears on the logs, but swatch emails
> seem to have gone after updates maybe...
>
>
> Haven't had any customer complaints though.
>
> In both cases we still use databases and have the script
> running every minute to minimize dictionary attacks,
>
> Actually, in case of attacks the database does get screwed up
> even with the script, however, inside the script we added
> these lines which fix the problem (it seems that cron
> minutely is not enough to stop an attack, at least on a twin
> quad xeon 2gb ram did not help)
>
> Not very elegant but fixes everything when attacks are overnight (most
> cases)
>
> #snip added on the part when dovecot processes pass the limit
> /sbin/service dovecot stop
> killall -9 dovecot
> killall -9 dovecot-auth
> echo Recuperacion de Ataque de Diccionario envio de dbrecover
> /etc/init.d/dbrecover start
>
> #end snip
>
> HTH
>
> Rodrigo O
> Xnet
>
> -----Original Message-----
> From: Greg Kuhnert [mailto:greg.kuhnert (at mark) theanchoragesylvania.com]
> Sent: Tuesday, March 18, 2008 02:25 p.m.
> To: Arthur Sherman
> Cc: coba-e (at mark) bluequartz.org
> Subject: [coba-e:12290] Re: The FTP server is not running
>
> Are you still using databases for your authentication? From
> my research, it's not the FTP server that shuts down during a
> dictionary attack, it's the link to the db files.
> There have been recent patches discussed here for dovecot.
> It's great that this app is being reviewed, but it is not
> where I believe the core of the problem lies. Ultimately, the
> PAM module for database authentication craps itself and
> refuses to auth any more users.
>
> Even a login via the BQ web gui using a normal (non admin)
> user fails when the box is in this state.
>
> One day, someone may find the bug in the PAM modules. Until
> then, we have the following solutions:
> 1. Move to password authentication - using the documentation
> on Brian's site, or
> 2. Use the script located at
> http://www.gregkuhnert.com/public:bq:dfix
> .... This does not fix the problem, but it does detect
> dictionary attacks, and blocks the source before the PAM modules die.
> 3. A combination of the above - Even if you migrate to flat
> files instead of databases, it's still a good idea to try to
> detect and respond to dictionary attacks.
>
> Regards,
> Greg.
>
>
>
> Arthur Sherman wrote:
> >> Hi Arthur,
> >> I had this a couple of times and in my case it was a dictionary
> >> attack. I guess the FTP server is one of the first things that shuts
> >> down if things get too hectic. Hope this helps.
> >> R.
> >>
> >
> > Howdy,
> >
> > This is what I think too.
> > Nevertheless, there aren't any signs of major attack, some dropped
> > packets.
> > It feels like the ftp (and probably dovecot) are very tender...
> >
> >
> > Best,
> > --
> >
> > Arthur Sherman
Very similar to what I get.
The server doesn't use DB auth, at least shouldn't.
My clients did complain about this, so I can not ignore the error. :(
Best,
--
Arthur Sherman
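
The detection step behind option 2 in Greg's message (spot a dictionary attack and identify the source before authentication breaks) comes down to counting failed logins per source address. The sketch below is an added example, not the dfix script or code posted by anyone in this thread; the log format, the threshold and the allowlisted address are assumptions, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: count failed logins per source address from log lines.
# ASSUMPTION: the log format is constructed for illustration; adapt the
# "auth failed" and "rip=" patterns to what your daemons really write.
THRESHOLD=5                 # failures per scan that count as an attack
ALLOW="203.0.113.50"        # hypothetical admin host, never reported

# Constructed sample input (documentation address ranges only).
sample_log() {
    n=0
    while [ "$n" -lt 6 ]; do
        echo "Mar 18 02:10:0$n host ftpd[1201]: auth failed user=admin rip=192.0.2.10"
        echo "Mar 18 02:11:0$n host ftpd[1202]: auth failed user=greg rip=203.0.113.50"
        n=$((n + 1))
    done
    cat <<'EOF'
Mar 18 02:12:01 host ftpd[1203]: auth ok user=alice rip=198.51.100.7
Mar 18 02:12:05 host ftpd[1204]: auth failed user=alice rip=198.51.100.7
Mar 18 02:12:09 host ftpd[1205]: auth failed user=x rip=203.0.113.9 rip=198.51.100.7
EOF
}

# find_attackers LIMIT [ALLOWLIST]: read log lines on stdin and print
# "count address" for each source with at least LIMIT failures.
find_attackers() {
    awk -v limit="$1" -v allow="$2" '
        BEGIN { c = split(allow, a, " "); for (k = 1; k <= c; k++) skip[a[k]] = 1 }
        /auth failed/ {
            ip = ""
            # The user name is attacker-controlled and may contain a fake
            # "rip=" token; the daemon appends the real one, so the last wins.
            for (i = 1; i <= NF; i++) if ($i ~ /^rip=/) ip = substr($i, 5)
            # Only well-formed IPv4 text may ever reach a firewall command.
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !(ip in skip)) hits[ip]++
        }
        END { for (ip in hits) if (hits[ip] + 0 >= limit + 0) print hits[ip], ip }
    ' | sort -rn
}

# Report only; feeding the result to a firewall rule is left to the operator.
sample_log | find_attackers "$THRESHOLD" "$ALLOW"
```

The allowlist and the address validation matter as much as the counting: without them a forged log field or a customer with a mistyped password can get a legitimate host blocked.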