Article 11294 at 07/11/29 12:31:31 From: toodi4 (at mark) hotmail.com Subject: [coba-e:11294] Re: sudden authentication problem

Index: [Article Count Order] [Thread]
Date:  Wed, 28 Nov 2007 19:31:21 -0800
From:  Diana Saunders <toodi4 (at mark) hotmail.com>
Subject:  [coba-e:11294] Re: sudden authentication problem
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <BAY135-W417806F0BF27BDEB9A951E82700 (at mark) phx.gbl>
In-Reply-To:  <20071129104409.2d6eab4f@patricko>
References:  <BAY135-W319EAA4A584DE254227F3682700 (at mark) phx.gbl> <20071129104409.2d6eab4f (at mark) patricko>
X-Mail-Count: 11294


e a Centos BQ server which has been functioning fine for a while. Now suddenly today all authentication failed (email, admin, ftp).  I was able to log in through SSH and run dbrecover.  That fixed the problem briefly, but then it failed again.  I tried rebooting the server but same problem. It also seemed that many of the times I ran dbrecover it did not solve the problem, even temporarily.
> > 
> > Now it is the evening and the problem seems to have gone away for now.
> > 
> > My initial thought is that it was a dictionary attack causing this problem as I've run into this before.  However, while I could see obvious hacking attempts using email login attempts in the secure log, they did not seem to be very numerous. (I could be wrong as I don't know exactly how to determine the number).  In any case, during the several hours when this problem occurred, there didn't seem to be a heavy load on the server as I had experienced in the past with such attacks.
> > 
> > I know that other people have experienced a similar problem.  I have read Brian's instructions for converting the passwords to a flat file.  I'm not sure if that will resolve the problem I'm experiencing, or there is something else going on. Just curious if there is anything else I should be looking for.
> 
> Please dont speculate. Dig ur logs and return the facts.
> 
> 
> For Other Blues, I am using .db authentication for 2 year straight
>  w/o any problem. The no. of site per server is > 1 thousand
> 
> 
> ### I always recommend removing POP3 loggin to .db, eg below ####
> ### Why? This will make DBRecover run faster (in /var/db) ...  when you have been strike by dick-sionary attack ####
>  
> 

Well the problem has resurfaced, and there is no attack going on now.   And dbrecover doesn't seem to be solving the problem either.  The problem did go away after about 15 minutes. I monitored it and did noy see any attacks.I'm about to transfer sites to another server, but am reluctant to do that unless I know what the problem is.

_________________________________________________________________
Connect and share in new ways with Windows Live.
http://www.windowslive.com/connect.html?ocid=TXT_TAGLM_Wave2_newways_112007