Hello,
I am running Ngircd 21 on CentOS 6.5 64 bit. I compiled Ngircd from source with OpenSSL and PAM to provide the CIA triad (Confidentiality, Integrity and Authentication). I store my passwords with htpassword with crypt and a salt (crypt() alone is not safe enough).
I have noticed that my Ngircd daemon shuts down whenever a client or an IP makes a connection to my port and sends a bogus SSL handshake:
Mar 29 03:42:06 mail ngircd[29098]: Accepted connection 8 from "222.151.83.101:6728" on socket 7.
Mar 29 03:42:06 mail ngircd[29098]: SSL protocol error: SSL_accept (error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol)
Mar 29 03:42:06 mail ngircd[29098]: Shutting down connection 8 (SSL accept error, closing socket) with "222.151.83.101:6728" ...
Mar 29 03:42:06 mail ngircd[29098]: Client unregistered (connection 8): SSL accept error, closing socket.
Mar 29 03:42:06 mail ngircd[29098]: Connection 8 with "222.151.83.101:6728" closed (in: 0.0k, out: 0.0k).
Mar 29 03:43:06 mail ngircd[29098]: Server going down NOW!
Mar 29 03:43:06 mail ngircd[29098]: Shutting down all listening sockets (1 total) ...
Mar 29 03:43:06 mail ngircd[29098]: ngIRCd done, served 1 connection.
I automatically restart the Ngircd daemon with a check script but directly after it gets hit again:
Mar 29 03:44:01 mail ngircd[29168]: ngIRCd 21-IRCPLUS+PAM+SSL+SYSLOG+ZLIB-x86_64/unknown/linux-gnu started.
Mar 29 03:44:01 mail ngircd[29168]: Using configuration file "/usr/local/etc/ngircd.conf" ...
Mar 29 03:44:01 mail ngircd[29168]: Configuration option "DHFile" not set!
Mar 29 03:44:01 mail ngircd[29168]: OpenSSL 1.0.1e-fips 11 Feb 2013 initialized.
Mar 29 03:44:01 mail ngircd[29169]: Running as user ngircd(494), group ngircd(495), with PID 29169.
Mar 29 03:44:01 mail ngircd[29169]: Not running with changed root directory.
Mar 29 03:44:01 mail ngircd[29169]: IO subsystem: epoll (hint size 100, initial maxfd 100, masterfd 4).
Mar 29 03:44:01 mail ngircd[29169]: Created pre-defined channel "#pragmasec".
Mar 29 03:44:01 mail ngircd[29169]: Created pre-defined channel "#prive".
Mar 29 03:44:01 mail ngircd[29169]: Now listening on [0.0.0.0]:6667 (socket 7).
Mar 29 03:44:23 mail ngircd[29169]: Accepted connection 8 from "222.151.83.101:62835" on socket 7.
Mar 29 03:44:23 mail ngircd[29169]: SSL protocol error: SSL_accept (error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol)
Mar 29 03:44:23 mail ngircd[29169]: Shutting down connection 8 (SSL accept error, closing socket) with "222.151.83.101:62835" ...
Mar 29 03:44:23 mail ngircd[29169]: Client unregistered (connection 8): SSL accept error, closing socket.
Mar 29 03:44:23 mail ngircd[29169]: Connection 8 with "222.151.83.101:62835" closed (in: 0.0k, out: 0.0k).
Mar 29 03:45:23 mail ngircd[29169]: Server going down NOW!
Mar 29 03:45:23 mail ngircd[29169]: Shutting down all listening sockets (1 total) ...
Mar 29 03:45:23 mail ngircd[29169]: ngIRCd done, served 1 connection.
This continues all during the night and I notice that the connection is coming from Japan (if the IP is not spoofed or a Tor endpoint):
[user@mail ~]$ host 222.151.83.101
101.83.151.222.in-addr.arpa domain name pointer 222-151-083-101.jp.fiberbit.net.
I can of course block the IP, but it seems Ngircd cannot withstand the strange SSL connection from the client and shuts itself down.
My config is here: http://www.pragmasec.nl/ngircd.txt (it's also a manual on how to set up Ngircd + SSL + PAM with hashed+salted passwords - something I think a lot of users who want PAM auth are looking for)
How can I fix this? Is it Ngircd related or related to my config?
Thanks for any tips or help.
Regards,
Michiel
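
Added example, not part of the original post: a small triage script that pairs each failed SSL handshake with the daemon shutdown that follows it under the same PID and reports the delay and the peer address. The function name correlate and the placeholder year are assumptions; the sample lines are taken from the log excerpts above.

```python
import re
from datetime import datetime

# Lines taken from the syslog excerpts in the post (both incidents, trimmed).
SAMPLE_LOG = """\
Mar 29 03:42:06 mail ngircd[29098]: Accepted connection 8 from "222.151.83.101:6728" on socket 7.
Mar 29 03:42:06 mail ngircd[29098]: SSL protocol error: SSL_accept (error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol)
Mar 29 03:42:06 mail ngircd[29098]: Shutting down connection 8 (SSL accept error, closing socket) with "222.151.83.101:6728" ...
Mar 29 03:43:06 mail ngircd[29098]: Server going down NOW!
Mar 29 03:44:23 mail ngircd[29169]: Shutting down connection 8 (SSL accept error, closing socket) with "222.151.83.101:62835" ...
Mar 29 03:45:23 mail ngircd[29169]: Server going down NOW!
"""

# syslog prefix: timestamp, host, ngircd[pid], message
LINE = re.compile(r'^(\w{3} +\d+ [\d:]{8}) \S+ ngircd\[(\d+)\]: (.*)$')
# ngIRCd's per-connection close message for a failed handshake, with peer ip:port
SSL_FAIL = re.compile(r'\(SSL accept error, closing socket\) with "([^"]+):(\d+)"')


def correlate(log_text, year=2000):
    """Return one record per shutdown that follows a failed SSL handshake.

    syslog timestamps carry no year; `year` is a placeholder (assumption)
    that only matters for computing time differences.
    """
    last_fail = {}  # pid -> (timestamp, peer ip) of the latest failed handshake
    events = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        pid, msg = int(m.group(2)), m.group(3)
        fail = SSL_FAIL.search(msg)
        if fail:
            last_fail[pid] = (ts, fail.group(1))
        elif msg.startswith("Server going down NOW!") and pid in last_fail:
            fail_ts, peer = last_fail.pop(pid)
            delay = int((ts - fail_ts).total_seconds())
            events.append({"pid": pid, "peer": peer, "delay_s": delay})
    return events


if __name__ == "__main__":
    for event in correlate(SAMPLE_LOG):
        print(event)
```

If the delay is the same in every incident, that suggests a timed shutdown rather than a crash inside the handshake code, which narrows where to look in the configuration.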