dfix.sh

Background

A while back, BlueQuartz replaced the old POP/IMAP daemon with dovecot. Shortly after this happened, there were a number of reports of excessive CPU utilisation for people that were running dovecot.

The cause of the problem however does not appear to be dovecot itself. Out of the box, BlueQuartz uses db files to store non admin users, instead of using the more traditional password, group, and shadow files.

It appears that dovecot is able to handle more simultaneous authentication requests than the previous system. This appears to then cause a bottleneck in the PAM modules that are authenticating to the db files.

Solutions

There are two solutions available to keep your system stable. Better still, implement both, to keep your system stable and secure.

Option 1: Stop using db files

Follow the instructions at www.compassnetworks.com.au

NOTE: Since publishing this article, the problem with Dovecot has now been fixed. These instructions are provided for informational purposes only. BlueQuartz has decided to stick with PWDB. You should only convert to a flat file if you know what you are doing, and you are happy to live with the outcome - whatever that may be!

Option 2: Protect your system

The script listed below is designed to protect BlueQuartz systems from the problems described above. It stops dovecot if the number of dovecot processes exceeds a threshold, and restarts it when the system returns to normal.

In addition to protecting dovecot, the script also looks at FTP and HTTP log files for any evidence of brute force attacks.

When it finds a problem, it temporarily blocks all traffic from the attacking IP address. The block is automatically removed later.

This code needs to be executed repeatedly by cron.
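The log-scanning half of what the script does, as an added example (this is not dfix itself or Compass Networks' code): constructed FTP-style log lines are counted per source address, addresses over a failure threshold are selected for a temporary block, and a helper decides when a block has expired. The log format, threshold values, block duration and the iptables command are assumptions; the block commands are printed, not executed.

```shell
#!/bin/sh
# Added example, not the dfix script. Assumed values throughout.
FAIL_THRESHOLD=3   # failed logins per address before blocking (assumed)
BLOCK_MINUTES=30   # how long a block lasts before it is lifted (assumed)

# Constructed sample log lines, loosely modelled on proftpd auth failures.
SAMPLE_LOG='Apr  4 04:10:01 bq proftpd[1001]: USER bob: no such user found from 192.0.2.10 [192.0.2.10] to 198.51.100.5:21
Apr  4 04:10:02 bq proftpd[1002]: USER root: no such user found from 192.0.2.10 [192.0.2.10] to 198.51.100.5:21
Apr  4 04:10:03 bq proftpd[1003]: USER test: no such user found from 192.0.2.10 [192.0.2.10] to 198.51.100.5:21
Apr  4 04:10:04 bq proftpd[1004]: USER admin: no such user found from 192.0.2.10 [192.0.2.10] to 198.51.100.5:21
Apr  4 04:11:10 bq proftpd[1005]: USER alice: no such user found from 203.0.113.7 [203.0.113.7] to 198.51.100.5:21
Apr  4 04:11:11 bq proftpd[1006]: USER alice: no such user found from 203.0.113.7 [203.0.113.7] to 198.51.100.5:21
Apr  4 04:12:00 bq proftpd[1007]: USER carol: Login successful. from 203.0.113.9 [203.0.113.9] to 198.51.100.5:21'

# failed_logins_per_ip LOGTEXT -> lines of "count ip", one per source address
failed_logins_per_ip() {
    printf '%s\n' "$1" |
        grep -E 'no such user|Login failed|authentication failed' |
        grep -oE 'from [0-9]+(\.[0-9]+){3}' | awk '{print $2}' |
        sort | uniq -c | awk '{print $1, $2}'
}

# ips_to_block LOGTEXT -> addresses whose failure count exceeds FAIL_THRESHOLD
ips_to_block() {
    failed_logins_per_ip "$1" | awk -v t="$FAIL_THRESHOLD" '$1 > t {print $2}'
}

# block_expired BLOCK_EPOCH NOW_EPOCH -> true (0) once BLOCK_MINUTES have passed
block_expired() {
    [ $(( $2 - $1 )) -ge $(( BLOCK_MINUTES * 60 )) ]
}

# Show the block that would be applied for each offending address.
for ip in $(ips_to_block "$SAMPLE_LOG"); do
    echo "iptables -I INPUT -s $ip -j DROP   # lift after $BLOCK_MINUTES minutes"
done
```

Under cron, a real run would record each block's start time and call something like block_expired on each pass to remove blocks that have aged out.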

INSTALLATION INSTRUCTIONS

dfix is now provided via NewLinQ. To get connected, please follow the instructions at http://www.compassnetworks.com.au/?page=newlinq

Once you have registered, you will find dfix and denyhosts ready to install.

You can also fine-tune a few settings by editing the script. In the future, this will be possible from the server GUI if you have a Compass Networks security bundle.

Other points to note

There are a few optional command line options…

  • clear - This will remove all current blocks (in case of any major problems - a quick way to clean up).
  • list - This will list all current active blocks.
  • trace - This option will list all current blocks, and also show you the log entries that caused the blocks.
  • When you use trace, you can also specify an IP address, if you want to look at the log entries for a single address.
 
public/bq/dfix.txt · Last modified: 2009/04/04 04:19 by gregk