[RADIATOR] ServerTACACSPLUS logging improvements
Heikki Vatiainen
hvn at open.com.au
Fri Jun 10 02:39:22 CDT 2016
On 8.6.2016 11.28, Hartmaier Alexander wrote:
>> Hmm, do you get these often? Also, does your configuration have FarmSize
>> enabled? This error occurs very early after the new connection has been
>> accepted. The code tries to figure out the address and port of the
>> client, but getpeername call fails.
> Yes, all the time. No FarmSize so far. So these are reverse DNS lookups?
> Can we disable them?
These do not involve DNS. It's simply a socket function call that
returns information about the socket.
I tried reproducing this and noticed that a successful and normal TCP
three-way handshake followed by RST causes this on Linux. On OS X the
error is 'Invalid argument'.
Do you have a monitoring program scanning for or monitoring TCP listen
ports on your network? These scanners may be using the above method with
their checks (normal open + RST to close).
I also noticed that we can get the peer IP and port from accept directly
instead of calling getpeername(). What is done now is to check accept
return value for success and call getpeername() immediately after that.
Thanks,
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
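
The behaviour described in the message above, reproduced on loopback as an added example (not part of the original post and not Radiator's code): a client completes the handshake and resets, and the server compares the peer address returned by accept() with a later getpeername() call. It is written in Python rather than Radiator's Perl; the function name `accept_after_reset` and the loopback endpoint are constructed for the example, and the comments on results assume Linux.

```python
import socket
import struct
import time


def accept_after_reset():
    """Connect and reset on loopback, then accept the dead connection.

    Returns (client_addr, accept_addr, peer). peer is the address from
    getpeername(), or the OSError it raised. If accept() itself fails,
    accept_addr holds that OSError and peer is None.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # constructed endpoint, ephemeral port
    listener.listen(1)
    listener.settimeout(5)

    # Client side: normal three-way handshake, then close with SO_LINGER
    # set to zero seconds so the kernel sends RST instead of FIN.
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.connect(listener.getsockname())
    client_addr = client.getsockname()
    client.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                      struct.pack("ii", 1, 0))
    client.close()
    time.sleep(0.2)  # let the RST arrive before the server calls accept()

    try:
        # accept() hands back the peer address together with the socket.
        conn, accept_addr = listener.accept()
    except OSError as exc:
        listener.close()
        return client_addr, exc, None
    try:
        peer = conn.getpeername()  # the separate call that can fail
    except OSError as exc:
        peer = exc
    conn.close()
    listener.close()
    return client_addr, accept_addr, peer


if __name__ == "__main__":
    client_addr, accept_addr, peer = accept_after_reset()
    print("client address      :", client_addr)
    print("address from accept :", accept_addr)
    print("getpeername result  :", repr(peer))
```

A server that logs the address from accept() can still record which host opened and reset the connection, which helps identify the monitoring system responsible.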