(RADIATOR) Log message "Too many open files"

Mike McCauley mikem at open.com.au
Sun Apr 16 17:42:30 CDT 2006


Hello Rob,

On Monday 17 April 2006 03:33, Patrick, Robert wrote:
> Thanks for the quick response!
>
> I've downloaded the updated patch set and will give it a try this
> evening.
>
> Any chance an updated RPM can be released soon?

We generally only make new RPMs with a new release, but you can make your own 
with the 'make rpm' target.

Cheers.

>
>
> -Rob Patrick
>
>
> -----Original Message-----
> From: Mike McCauley [mailto:mikem at open.com.au]
> Sent: Sunday, April 16, 2006 2:26 AM
> To: Patrick, Robert
> Cc: radius email list
> Subject: Re: (RADIATOR) Log message "Too many open files"
>
> Hello Robert,
>
> Thanks for checking the facts on this problem.
> We have now added a workaround for this, so that the TCP session is
> closed by Radiator after a TACACSPLUS authentication failure.
> The fix is in the latest Radiator patch set.
> Hope that helps.
>
> Cheers.
>
> On Sunday 16 April 2006 14:12, Patrick, Robert wrote:
> > I have confirmed that many of the older Cisco switches on my network
> > (we have hundreds of Cisco switches, many still run older IOS & CatOS
> > versions) don't close their TCP sessions during login failures via
> > TACACS.  This results in Radiator having many open sessions when viewed
> > by netstat.   Restarting Radiator causes the sessions to quickly timeout
> > and drop off.
> >
> > What can I do so Radiator is immune to this "bug" in the older Cisco
> > devices?  Is there a timeout value that can be set?
> >
> > As a workaround I'm considering restarting Radiator every hour via
> > cron...kludge.
> >
> > -----Original Message-----
> > From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au]
> > On Behalf Of Mike McCauley
> > Sent: Sunday, February 26, 2006 4:39 AM
> > To: Patrick, Robert
> > Cc: radius email list
> > Subject: Re: (RADIATOR) Log message "Too many open files"
> >
> > Hello Robert,
> >
> > Does this mean that all those TACACS authentication sessions are still
> > in progress, or are they completed, but the TCP connection is still in
> > place? ie what does netstat report for all those telnet client
> > connections?
> >
> > Is it possible the TELNET client in your routers do not close the TCP
> > connection properly/at all after authentication?
> >
> > Is there some way you can distinguish between the scanning attempts
> > and legitimate login attempts?
> >
> > You don't mention what operating system you are using, but most
> > operating systems enforce limits on the number of simultaneously open
> > files for a single process. And most allow you to change that limit.
> > So, if you can be sure that you can increase the open file limit until
> > it is above the maximum number of simultaneous telnet sessions, you
> > should do that.
> >
> > I don't think this is a bug in Radiator, but if you could send me a
> > (sanitized) excerpt from your Radiator log file showing what happens
> > at the end of one of these bogus sessions, it would help me to decide.
> >
> > I am particularly interested if you see a TacacsplusConnection
> > disconnected from ....
> > line for each connection.
> >
> > Cheers.
> >
> > On Sunday 26 February 2006 04:53, Patrick, Robert wrote:
> > > Seeking to find a way for Radiator to withstand brute force login
> > > attempts...
> > >
> > > During periodic network vulnerability scanning all of our switches and
> > > routers get hit with a ton of telnet brute-force login attempts.
> > > These are all sent via TACACS to Radiator.  Soon after the scans
> > > start, I'm seeing the below error messages in /var/log/radius/logfile,
> > > and it doesn't seem to clear until I restart the process.
> > >
> > > What can I do so that Radiator avoids this failure, while still
> > > allowing the brute force attempts to be denied, meanwhile allowing any
> > > valid logins?  TACACS logins are checked against a flat file. lsof
> > > showed 4251 lines, 1008 of which were TACACS connections.  Netstat
> > > output showed 447 TACACS connections, out of 527 total lines.
> > >
> > > Sat Feb 25 13:06:39 2006: ERR: Could not accept on Tacacs listen socket: Too many open files
> > > Sat Feb 25 13:06:41 2006: ERR: Could not accept on Tacacs listen socket: Too many open files
> > >
> > >
> > > Thanks,
> > >
> > > -Rob Patrick

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
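Mike's diagnostic questions above (what netstat shows, whether every connection gets a "TacacsplusConnection disconnected from" line, and how the count compares with the per-process open file limit) can be answered from the log rather than by hand. The following is an added example, not code from Radiator or from anyone in this thread; it assumes a hypothetical "connected from" log line as the counterpart of the quoted "disconnected from" one, and constructs its own sample lines.

```python
import re
from collections import Counter

# Timestamp prefix as in the thread's log excerpt: "Sat Feb 25 13:06:39 2006: "
_TS = r"^\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}: "
# Exact error text quoted in the thread (accept() failing with EMFILE).
EMFILE_RE = re.compile(_TS + r"ERR: Could not accept on Tacacs listen socket: Too many open files$")
# Only "TacacsplusConnection disconnected from" is quoted in the thread; the
# "connected from" form is a hypothetical counterpart assumed for this example.
CONN_RE = re.compile(_TS + r"\w+: TacacsplusConnection (connected|disconnected) from (\S+)")


def analyse(lines, open_file_limit):
    """Walk log lines in order; report EMFILE errors and connections never disconnected."""
    emfile_errors = 0
    open_by_peer = Counter()          # host -> connections opened but never closed
    for line in lines:
        if EMFILE_RE.match(line):
            emfile_errors += 1
            continue
        m = CONN_RE.match(line)
        if not m:
            continue
        state, peer = m.groups()
        host = peer.rsplit(":", 1)[0]  # drop the ephemeral port, count per device
        if state == "connected":
            open_by_peer[host] += 1
        elif open_by_peer[host] > 0:
            open_by_peer[host] -= 1
    leaked = {h: n for h, n in open_by_peer.items() if n > 0}
    return {
        "emfile_errors": emfile_errors,
        "open_by_peer": leaked,
        # Share of the process fd limit consumed by the leaked connections alone.
        "fd_limit_usage": sum(leaked.values()) / open_file_limit,
    }


# Constructed sample, not a real Radiator log: one device opens two TACACS+
# sessions and never closes them, another closes cleanly, then accept() fails.
SAMPLE_LINES = [
    "Sat Feb 25 13:05:01 2006: INFO: TacacsplusConnection connected from 10.0.0.5:41001",
    "Sat Feb 25 13:05:02 2006: INFO: TacacsplusConnection connected from 10.0.0.5:41002",
    "Sat Feb 25 13:05:03 2006: INFO: TacacsplusConnection connected from 10.0.0.9:50010",
    "Sat Feb 25 13:05:04 2006: INFO: TacacsplusConnection disconnected from 10.0.0.9:50010",
    "Sat Feb 25 13:06:39 2006: ERR: Could not accept on Tacacs listen socket: Too many open files",
    "Sat Feb 25 13:06:41 2006: ERR: Could not accept on Tacacs listen socket: Too many open files",
]

if __name__ == "__main__":
    print(analyse(SAMPLE_LINES, open_file_limit=1024))
    # → {'emfile_errors': 2, 'open_by_peer': {'10.0.0.5': 2}, 'fd_limit_usage': 0.001953125}
```

A device that appears in `open_by_peer` with a growing count is one whose telnet client is not closing the TCP session after a failed login, which is exactly the behaviour the workaround in the patch set addresses.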
