(RADIATOR) Log message "Too many open files"

Patrick, Robert Robert.Patrick at hq.doe.gov
Sat Apr 15 23:12:53 CDT 2006


I have confirmed that many of the older Cisco switches on my network (we
have hundreds of Cisco switches, many still run older IOS & CatOS
versions) don't close their TCP sessions during login failures via
TACACS.  This results in Radiator having many open sessions when viewed
by netstat.   Restarting Radiator causes the sessions to quickly timeout
and drop off.

What can I do so Radiator is immune to this "bug" in the older Cisco
devices?  Is there a timeout value that can be set?

As a workaround I'm considering restarting Radiator every hour via
cron...kludge.

-----Original Message-----
From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On
Behalf Of Mike McCauley
Sent: Sunday, February 26, 2006 4:39 AM
To: Patrick, Robert
Cc: radius email list
Subject: Re: (RADIATOR) Log message "Too many open files"

Hello Robert,

Does this mean that all those TACACS authentication sessions are still
in progress, or are they completed, but the TCP connection is still in
place? i.e. what does netstat report for all those telnet client
connections?

Is it possible the TELNET client in your routers does not close the TCP
connection properly/at all after authentication?

Is there some way you can distinguish between the scanning attempts and
legitimate login attempts?

You don't mention what operating system you are using, but most operating
systems enforce limits on the number of simultaneously open files for a
single process. And most allow you to change that limit. So, if you can
be sure that you can increase the open file limit until it is above the
maximum number of simultaneous telnet sessions, you should do that.

I don't think this is a bug in Radiator, but if you could send me a
(sanitized) excerpt from your Radiator log file showing what happens at
the end of one of these bogus sessions, it would help me to decide. I am
particularly interested if you see a "TacacsplusConnection disconnected
from ...." line for each connection.

Cheers.

On Sunday 26 February 2006 04:53, Patrick, Robert wrote:
> Seeking to find a way for Radiator to withstand brute force login
> attempts...
>
> During periodic network vulnerability scanning all of our switches and
> routers get hit with a ton of a telnet brute-force login attempts.
> These are all sent via TACACS to Radiator.  Soon after the scans
> start, I'm seeing the below error messages in /var/log/radius/logfile,
> and it doesn't seem to clear until I restart the process.
>
> What can I do so that Radiator avoids this failure, while still
> allowing the brute force attempts to be denied, meanwhile allowing any
> valid logins?  TACACS logins are checked against a flat file. lsof
> showed 4251 lines, 1008 of which were TACACS connections.  Netstat
> output showed 447 TACACS connections, out of 527 total lines.
>
> Sat Feb 25 13:06:39 2006: ERR: Could not accept on Tacacs listen socket:
> Too many open files
> Sat Feb 25 13:06:41 2006: ERR: Could not accept on Tacacs listen socket:
> Too many open files
>
>
> Thanks,
>
> -Rob Patrick

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia
http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
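Added example, not from this thread and not Radiator's own code (Radiator is written in Perl): a minimal Python accept loop showing the server-side idle timeout Robert asks about, so a client that never completes or closes its session is dropped by the server instead of holding a descriptor until the process is restarted. The class, its names and the 0.3 second timeout used in demo() are assumptions for illustration.

```python
import selectors
import socket
import time

class IdleReapingListener:
    def __init__(self, idle_timeout, host="127.0.0.1", port=0):
        self.idle_timeout = idle_timeout
        self.sel = selectors.DefaultSelector()
        self.lsock = socket.create_server((host, port), backlog=16)  # port 0: OS picks one
        self.lsock.setblocking(False)
        self.sel.register(self.lsock, selectors.EVENT_READ)
        self.last_seen = {}    # client socket -> monotonic time of last data received
        self.reaped = 0        # how many clients we had to drop; worth logging in production

    def _close(self, conn):
        self.sel.unregister(conn)
        conn.close()
        self.last_seen.pop(conn, None)

    def step(self, wait=0.1):
        """One event-loop turn: accept, read, reap idle clients; returns open client count."""
        for key, _ in self.sel.select(wait):
            if key.fileobj is self.lsock:
                conn, _ = self.lsock.accept()
                conn.setblocking(False)
                self.sel.register(conn, selectors.EVENT_READ)
                self.last_seen[conn] = time.monotonic()
                continue
            try:
                data = key.fileobj.recv(4096)
            except OSError:
                data = b""
            if data:
                self.last_seen[key.fileobj] = time.monotonic()
            else:
                self._close(key.fileobj)   # peer closed or reset: release the descriptor now
        now = time.monotonic()
        for conn in [c for c, t in self.last_seen.items() if now - t > self.idle_timeout]:
            self._close(conn)              # client never finished or closed: drop it ourselves
            self.reaped += 1
        return len(self.last_seen)

def demo(idle_timeout=0.3):
    # Constructed scenario: one client connects, sends nothing, and is reaped after the timeout
    srv = IdleReapingListener(idle_timeout)
    client = socket.create_connection(("127.0.0.1", srv.lsock.getsockname()[1]))
    open_after_connect = srv.step()
    time.sleep(idle_timeout + 0.2)
    open_after_timeout = srv.step()
    client.close()
    return open_after_connect, open_after_timeout, srv.reaped
```

Pair this with the open-file limit Mike mentions: the reaper keeps idle connections from accumulating, and a raised soft limit gives headroom for the legitimate peak.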
