(RADIATOR) Log message "Too many open files"
Mike McCauley
mikem at open.com.au
Sun Feb 26 03:39:17 CST 2006
Hello Robert,
Does this mean that all those TACACS authentication sessions are still in
progress, or are they completed, but the TCP connection is still in place? i.e.
what does netstat report for all those telnet client connections?
Is it possible the TELNET client in your routers does not close the TCP
connection properly/at all after authentication?
Is there some way you can distinguish between the scanning attempts and
legitimate login attempts?
You don't mention what operating system you are using, but most operating
systems enforce limits on the number of simultaneously open files for a
single process. And most allow you to change that limit. So, if you can be
sure that you can increase the open file limit until it is above the maximum
number of simultaneous telnet sessions, you should do that.
I don't think this is a bug in Radiator, but if you could send me a (sanitized)
excerpt from your Radiator log file showing what happens at the end of one of
these bogus sessions, it would help me to decide. I am particularly
interested if you see a
TacacsplusConnection disconnected from ....
line for each connection.
Cheers.
On Sunday 26 February 2006 04:53, Patrick, Robert wrote:
> Seeking to find a way for Radiator to withstand brute force login
> attempts...
>
> During periodic network vulnerability scanning all of our switches and
> routers get hit with a ton of telnet brute-force login attempts.
> These are all sent via TACACS to Radiator. Soon after the scans start,
> I'm seeing the below error messages in /var/log/radius/logfile, and it
> doesn't seem to clear until I restart the process.
>
> What can I do so that Radiator avoids this failure, while still allowing
> the brute force attempts to be denied, meanwhile allowing any valid
> logins? TACACS logins are checked against a flat file. lsof showed 4251
> lines, 1008 of which were TACACS connections. Netstat output showed 447
> TACACS connections, out of 527 total lines.
>
> Sat Feb 25 13:06:39 2006: ERR: Could not accept on Tacacs listen socket:
> Too many open files
> Sat Feb 25 13:06:41 2006: ERR: Could not accept on Tacacs listen socket:
> Too many open files
>
>
> Thanks,
>
> -Rob Patrick
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
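An added diagnostic (not part of this thread or of Radiator itself) that works through the checks suggested above: it tallies the TACACS+ sockets from `netstat -an` by state and by peer, so you can see whether sessions are finished but still open on the server side (CLOSE_WAIT), whether one source dominates, and how close the count is to the open-file limit. The netstat lines are constructed; TCP/49 as the listener port and 1024 as the limit are assumptions.

```python
import sys
from collections import Counter

TACACS_PORT = 49      # assumption: Radiator's TACACS+ listener is on the default port
NOFILE_LIMIT = 1024   # assumption: the radiator process's open-file limit (ulimit -n)
# Constructed `netstat -an` sample: scanner 10.9.9.9 holds most sessions, mostly
# half-closed (CLOSE_WAIT); 10.2.2.7 is a real router login; the ssh line is noise.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address     Foreign Address   State
tcp        0      0 0.0.0.0:49        0.0.0.0:*         LISTEN
tcp        0      0 10.1.1.2:49       10.9.9.9:40001    ESTABLISHED
tcp        0      0 10.1.1.2:49       10.9.9.9:40002    CLOSE_WAIT
tcp        0      0 10.1.1.2:49       10.9.9.9:40003    CLOSE_WAIT
tcp        0      0 10.1.1.2:49       10.9.9.9:40004    CLOSE_WAIT
tcp        0      0 10.1.1.2:49       10.2.2.7:51000    ESTABLISHED
tcp        0      0 10.1.1.2:22       10.2.2.7:51200    ESTABLISHED
"""

def parse_netstat(lines, port=TACACS_PORT):
    """Return (by_state, by_peer) Counters for TCP sockets whose local port is `port`."""
    by_state, by_peer = Counter(), Counter()
    for line in lines:
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp"):
            continue                        # header, udp and unix-socket lines
        local, remote, state = f[3], f[4], f[5]
        if local.rsplit(":", 1)[1] != str(port):
            continue                        # another service on this host
        by_state[state] += 1
        if state != "LISTEN":               # the listening socket has no peer
            by_peer[remote.rsplit(":", 1)[0]] += 1
    return by_state, by_peer

def assess(by_state, by_peer, nofile_limit=NOFILE_LIMIT):
    """Answer the questions above: finished-but-open sessions? one source? fd headroom?"""
    open_conns = sum(n for s, n in by_state.items() if s != "LISTEN")
    top_peer, top_n = by_peer.most_common(1)[0] if by_peer else (None, 0)
    return {
        "open_connections": open_conns,
        # CLOSE_WAIT means the client closed but this process never did: a server-side leak
        "server_side_leak": by_state.get("CLOSE_WAIT", 0) > open_conns / 2,
        # one peer holding most sessions is a scanner, not the routers' normal logins
        "dominant_peer": top_peer if top_n > open_conns / 2 else None,
        # rough count of descriptors left before accept() fails with "Too many open files"
        "fd_headroom": nofile_limit - open_conns,
    }

if __name__ == "__main__":                   # `netstat -an | python3 this.py -`
    st, peers = parse_netstat(sys.stdin if sys.argv[1:] == ["-"] else SAMPLE.splitlines())
    print(dict(st), dict(peers), assess(st, peers), sep="\n")
```

Run it against the live `netstat -an` of the Radiator host; a large CLOSE_WAIT share points at the server not closing finished sessions, while a large ESTABLISHED share from one peer points at the client side holding them open.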