(RADIATOR) Log message "Too many open files"
Mike McCauley
mikem at open.com.au
Sun Apr 16 01:25:55 CDT 2006
Hello Robert,
Thanks for checking the facts on this problem.
We have now added a workaround for this, so that the TCP session is closed by
Radiator after a TACACSPLUS authentication failure.
The fix is in the latest Radiator patch set.
Hope that helps.
Cheers.
On Sunday 16 April 2006 14:12, Patrick, Robert wrote:
> I have confirmed that many of the older Cisco switches on my network (we
> have hundreds of Cisco switches, many still run older IOS & CatOS
> versions) don't close their TCP sessions during login failures via
> TACACS. This results in Radiator having many open sessions when viewed
> by netstat. Restarting Radiator causes the sessions to quickly timeout
> and drop off.
>
> What can I do so Radiator is immune to this "bug" in the older Cisco
> devices? Is there a timeout value that can be set?
>
> As a workaround I'm considering restarting Radiator every hour via
> cron...kludge.
>
> -----Original Message-----
> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On
> Behalf Of Mike McCauley
> Sent: Sunday, February 26, 2006 4:39 AM
> To: Patrick, Robert
> Cc: radius email list
> Subject: Re: (RADIATOR) Log message "Too many open files"
>
> Hello Robert,
>
> Does this mean that all those TACACS authentication sessions are still
> in progress, or are they completed, but the TCP connection is still in
> place? i.e. what does netstat report for all those telnet client
> connections?
>
> Is it possible the TELNET client in your routers does not close the TCP
> connection properly, or at all, after authentication?
>
> Is there some way you can distinguish between the scanning attempts and
> legitimate login attempts?
>
> You don't mention what operating system you are using, but most operating
> systems enforce limits on the number of simultaneously open files for a
> single process. And most allow you to change that limit. So, if you can
> be sure that you can increase the open file limit until it is above the
> maximum number of simultaneous telnet sessions, you should do that.
>
> I don't think this is a bug in Radiator, but if you could send me a
> (sanitized) excerpt from your Radiator log file showing what happens at
> the end of one of these bogus sessions, it would help me to decide. I am
> particularly interested if you see a "TacacsplusConnection disconnected
> from ...." line for each connection.
>
> Cheers.
>
> On Sunday 26 February 2006 04:53, Patrick, Robert wrote:
> > Seeking to find a way for Radiator to withstand brute force login
> > attempts...
> >
> > During periodic network vulnerability scanning all of our switches and
> > routers get hit with a ton of telnet brute-force login attempts.
> > These are all sent via TACACS to Radiator. Soon after the scans
> > start, I'm seeing the below error messages in /var/log/radius/logfile,
> > and it doesn't seem to clear until I restart the process.
> >
> > What can I do so that Radiator avoids this failure, while still
> > allowing the brute force attempts to be denied, meanwhile allowing any
> > valid logins? TACACS logins are checked against a flat file. lsof
> > showed 4251 lines, 1008 of which were TACACS connections. Netstat
> > output showed 447 TACACS connections, out of 527 total lines.
> >
> > Sat Feb 25 13:06:39 2006: ERR: Could not accept on Tacacs listen socket: Too many open files
> > Sat Feb 25 13:06:41 2006: ERR: Could not accept on Tacacs listen socket: Too many open files
> >
> >
> > Thanks,
> >
> > -Rob Patrick
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
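The two defences discussed in the thread (the server tearing down the TCP session itself after a failed login, and checking that the per-process open-file limit has headroom above the expected peak of simultaneous connections) are illustrated below in an added example. This is not Radiator code and it does not speak TACACS+: the line-oriented "user:password" exchange, the USERS table, the AuthServer class and the fd_headroom helper are all constructed for this illustration. It adds a third measure the thread only hints at with its "timeout value" question, an idle reaper that closes any connection that goes silent, so a client that neither completes the exchange nor hangs up cannot pin a file descriptor until the process is restarted.

```python
"""Accept loop that survives clients which never close after a failed login.
Constructed illustration, not Radiator's TACACS+ server."""
import resource
import selectors
import socket
import threading
import time

# Constructed credential table (stand-in for a flat users file).
USERS = {"netadmin": "correct-horse"}


def fd_headroom(expected_peak, slack=64):
    """Return (soft, hard, ok): ok is True when the soft RLIMIT_NOFILE leaves
    room for expected_peak simultaneous connections plus some slack."""
    soft, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    ok = soft == resource.RLIM_INFINITY or soft > expected_peak + slack
    return soft, hard, ok


class AuthServer:
    def __init__(self, idle_timeout=0.5):
        self.idle_timeout = idle_timeout
        self.sel = selectors.DefaultSelector()
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))   # ephemeral loopback port
        self.listener.listen(128)
        self.listener.setblocking(False)
        self.port = self.listener.getsockname()[1]
        self.sel.register(self.listener, selectors.EVENT_READ)
        self.last_seen = {}   # conn -> monotonic time of last byte received
        self.stats = {"accepted": 0, "closed_on_fail": 0, "reaped_idle": 0}
        self._stop = False

    def _close(self, conn):
        self.sel.unregister(conn)
        self.last_seen.pop(conn, None)
        conn.close()

    def _handle(self, conn):
        try:
            data = conn.recv(256)
        except OSError:
            data = b""
        if not data:                      # peer closed (or reset): drop it
            self._close(conn)
            return
        self.last_seen[conn] = time.monotonic()
        user, _, password = data.decode(errors="replace").strip().partition(":")
        if USERS.get(user) == password:
            conn.sendall(b"PASS\n")       # session stays open for the client
        else:
            conn.sendall(b"FAIL\n")
            self.stats["closed_on_fail"] += 1
            self._close(conn)             # do not wait for the client to hang up

    def _reap_idle(self):
        now = time.monotonic()
        for conn in [c for c, t in self.last_seen.items() if now - t > self.idle_timeout]:
            self.stats["reaped_idle"] += 1
            self._close(conn)

    def serve(self):
        while not self._stop:
            for key, _ in self.sel.select(timeout=0.05):
                if key.fileobj is self.listener:
                    try:
                        conn, _ = self.listener.accept()
                    except BlockingIOError:
                        continue
                    conn.setblocking(False)
                    self.sel.register(conn, selectors.EVENT_READ)
                    self.last_seen[conn] = time.monotonic()
                    self.stats["accepted"] += 1
                else:
                    self._handle(key.fileobj)
            self._reap_idle()
        for conn in list(self.last_seen):
            self._close(conn)
        self.sel.unregister(self.listener)
        self.listener.close()
        self.sel.close()

    def stop(self):
        self._stop = True


def attempt_login(port, user, password):
    """Client side: send one credential line (nothing when user is None) and
    report (reply, server_closed). Mimics a device that never hangs up."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
        if user is not None:
            c.sendall(f"{user}:{password}\n".encode())
        reply = b""
        while True:
            chunk = c.recv(64)
            if not chunk:
                return reply.decode(), True      # EOF: server closed on us
            reply += chunk
            if reply.endswith(b"PASS\n"):
                return reply.decode(), False     # server kept the session


def run_demo():
    srv = AuthServer(idle_timeout=0.5)
    t = threading.Thread(target=srv.serve, daemon=True)
    t.start()
    results = {
        "bad": attempt_login(srv.port, "netadmin", "wrong"),
        "good": attempt_login(srv.port, "netadmin", "correct-horse"),
        "silent": attempt_login(srv.port, None, None),
    }
    time.sleep(0.2)            # let the server notice the good client's close
    srv.stop()
    t.join(timeout=2)
    results["stats"] = dict(srv.stats)
    results["open_connections"] = len(srv.last_seen)
    return results
```

Run run_demo() to see the three cases: a bad password gets "FAIL" and an immediate server-side close, a good one keeps the session until the client hangs up, and a connection that sends nothing is reaped after the idle timeout. fd_headroom(1000) is the check to do before trusting a raised ulimit; note that the soft limit is inherited by the daemon from whatever started it, so it must be raised in the init script or service unit, not only in an interactive shell.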