Hello,
I am running Ngircd 21 on CentOS 6.5 64 bit. I compiled Ngircd from source with OpenSSL and PAM to provide the CIA triad (Confidentiality, Integrity and Authentication). I store my passwords with htpassword with crypt and a salt (crypt() alone is not safe enough).
I have noticed that my Ngircd daemon shuts down whenever a client or an IP makes a connection to my port and sends a bogus SSL handshake:
Mar 29 03:42:06 mail ngircd[29098]: Accepted connection 8 from "222.151.83.101:6728" on socket 7.
Mar 29 03:42:06 mail ngircd[29098]: SSL protocol error: SSL_accept (error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol)
Mar 29 03:42:06 mail ngircd[29098]: Shutting down connection 8 (SSL accept error, closing socket) with "222.151.83.101:6728" ...
Mar 29 03:42:06 mail ngircd[29098]: Client unregistered (connection 8): SSL accept error, closing socket.
Mar 29 03:42:06 mail ngircd[29098]: Connection 8 with "222.151.83.101:6728" closed (in: 0.0k, out: 0.0k).
Mar 29 03:43:06 mail ngircd[29098]: Server going down NOW!
Mar 29 03:43:06 mail ngircd[29098]: Shutting down all listening sockets (1 total) ...
Mar 29 03:43:06 mail ngircd[29098]: ngIRCd done, served 1 connection.
I automatically restart the Ngircd daemon with a check script but directly after it gets hit again:
Mar 29 03:44:01 mail ngircd[29168]: ngIRCd 21-IRCPLUS+PAM+SSL+SYSLOG+ZLIB-x86_64/unknown/linux-gnu started.
Mar 29 03:44:01 mail ngircd[29168]: Using configuration file "/usr/local/etc/ngircd.conf" ...
Mar 29 03:44:01 mail ngircd[29168]: Configuration option "DHFile" not set!
Mar 29 03:44:01 mail ngircd[29168]: OpenSSL 1.0.1e-fips 11 Feb 2013 initialized.
Mar 29 03:44:01 mail ngircd[29169]: Running as user ngircd(494), group ngircd(495), with PID 29169.
Mar 29 03:44:01 mail ngircd[29169]: Not running with changed root directory.
Mar 29 03:44:01 mail ngircd[29169]: IO subsystem: epoll (hint size 100, initial maxfd 100, masterfd 4).
Mar 29 03:44:01 mail ngircd[29169]: Created pre-defined channel "#pragmasec".
Mar 29 03:44:01 mail ngircd[29169]: Created pre-defined channel "#prive".
Mar 29 03:44:01 mail ngircd[29169]: Now listening on [0.0.0.0]:6667 (socket 7).
Mar 29 03:44:23 mail ngircd[29169]: Accepted connection 8 from "222.151.83.101:62835" on socket 7.
Mar 29 03:44:23 mail ngircd[29169]: SSL protocol error: SSL_accept (error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol)
Mar 29 03:44:23 mail ngircd[29169]: Shutting down connection 8 (SSL accept error, closing socket) with "222.151.83.101:62835" ...
Mar 29 03:44:23 mail ngircd[29169]: Client unregistered (connection 8): SSL accept error, closing socket.
Mar 29 03:44:23 mail ngircd[29169]: Connection 8 with "222.151.83.101:62835" closed (in: 0.0k, out: 0.0k).
Mar 29 03:45:23 mail ngircd[29169]: Server going down NOW!
Mar 29 03:45:23 mail ngircd[29169]: Shutting down all listening sockets (1 total) ...
Mar 29 03:45:23 mail ngircd[29169]: ngIRCd done, served 1 connection.
This continues all during the night and I notice that the connection is coming from Japan (if the IP is not spoofed or a Tor endpoint):
[user@mail ~]$ host 222.151.83.101
101.83.151.222.in-addr.arpa domain name pointer 222-151-083-101.jp.fiberbit.net.
I can of course block the IP, but it seems Ngircd cannot withstand the strange SSL connection from the client and shuts itself down.
My config is here: http://www.pragmasec.nl/ngircd.txt (it's also a manual on how to set up Ngircd + SSL + PAM with hashed+salted passwords - something I think a lot of users who want PAM auth are looking for)
How can I fix this? Is it Ngircd related or related to my config?
Thanks for any tips or help.
Regards,
Michiel
I think I fixed it by commenting one of the following options:
;ConnectRetry = 60
;IdleTimeout = 60
;PingTimeout = 120
;PongTimeout = 20
;RequireAuthPing = yes
At least connections are now stable and Ngircd does not shut itself down anymore.
Do you know which option could have caused the automatic shutdown of Ngircd?
Kind regards,
Michiel
On 03/29/2014 12:37 PM, Michiel van Es wrote:
Hello,
I am running Ngircd 21 on CentOS 6.5 64 bit. I compiled Ngircd from source with OpenSSL and PAM to provide the CIA triad (Confidentiality, Integrity and Authentication). I store my passwords with htpassword with crypt and a salt (crypt() alone is not safe enough).
I have noticed that my Ngircd daemon shuts down whenever a client or an IP makes a connection to my port and sends a bogus SSL handshake:
Mar 29 03:42:06 mail ngircd[29098]: Accepted connection 8 from "222.151.83.101:6728" on socket 7.
Mar 29 03:42:06 mail ngircd[29098]: SSL protocol error: SSL_accept (error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol)
Mar 29 03:42:06 mail ngircd[29098]: Shutting down connection 8 (SSL accept error, closing socket) with "222.151.83.101:6728" ...
Mar 29 03:42:06 mail ngircd[29098]: Client unregistered (connection 8): SSL accept error, closing socket.
Mar 29 03:42:06 mail ngircd[29098]: Connection 8 with "222.151.83.101:6728" closed (in: 0.0k, out: 0.0k).
Mar 29 03:43:06 mail ngircd[29098]: Server going down NOW!
Mar 29 03:43:06 mail ngircd[29098]: Shutting down all listening sockets (1 total) ...
Mar 29 03:43:06 mail ngircd[29098]: ngIRCd done, served 1 connection.
I automatically restart the Ngircd daemon with a check script but directly after it gets hit again:
Mar 29 03:44:01 mail ngircd[29168]: ngIRCd 21-IRCPLUS+PAM+SSL+SYSLOG+ZLIB-x86_64/unknown/linux-gnu started.
Mar 29 03:44:01 mail ngircd[29168]: Using configuration file "/usr/local/etc/ngircd.conf" ...
Mar 29 03:44:01 mail ngircd[29168]: Configuration option "DHFile" not set!
Mar 29 03:44:01 mail ngircd[29168]: OpenSSL 1.0.1e-fips 11 Feb 2013 initialized.
Mar 29 03:44:01 mail ngircd[29169]: Running as user ngircd(494), group ngircd(495), with PID 29169.
Mar 29 03:44:01 mail ngircd[29169]: Not running with changed root directory.
Mar 29 03:44:01 mail ngircd[29169]: IO subsystem: epoll (hint size 100, initial maxfd 100, masterfd 4).
Mar 29 03:44:01 mail ngircd[29169]: Created pre-defined channel "#pragmasec".
Mar 29 03:44:01 mail ngircd[29169]: Created pre-defined channel "#prive".
Mar 29 03:44:01 mail ngircd[29169]: Now listening on [0.0.0.0]:6667 (socket 7).
Mar 29 03:44:23 mail ngircd[29169]: Accepted connection 8 from "222.151.83.101:62835" on socket 7.
Mar 29 03:44:23 mail ngircd[29169]: SSL protocol error: SSL_accept (error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol)
Mar 29 03:44:23 mail ngircd[29169]: Shutting down connection 8 (SSL accept error, closing socket) with "222.151.83.101:62835" ...
Mar 29 03:44:23 mail ngircd[29169]: Client unregistered (connection 8): SSL accept error, closing socket.
Mar 29 03:44:23 mail ngircd[29169]: Connection 8 with "222.151.83.101:62835" closed (in: 0.0k, out: 0.0k).
Mar 29 03:45:23 mail ngircd[29169]: Server going down NOW!
Mar 29 03:45:23 mail ngircd[29169]: Shutting down all listening sockets (1 total) ...
Mar 29 03:45:23 mail ngircd[29169]: ngIRCd done, served 1 connection.
This continues all during the night and I notice that the connection is coming from Japan (if the IP is not spoofed or a Tor endpoint):
[user@mail ~]$ host 222.151.83.101
101.83.151.222.in-addr.arpa domain name pointer 222-151-083-101.jp.fiberbit.net.
I can of course block the IP, but it seems Ngircd cannot withstand the strange SSL connection from the client and shuts itself down.
My config is here: http://www.pragmasec.nl/ngircd.txt (it's also a manual on how to set up Ngircd + SSL + PAM with hashed+salted passwords - something I think a lot of users who want PAM auth are looking for)
How can I fix this? Is it Ngircd related or related to my config?
Thanks for any tips or help.
Regards,
Michiel
ngIRCd Mailing List: ngIRCd-ML@arthur.barton.de http://arthur.barton.de/mailman/listinfo/ngircd-ml
Hi Michiel!
On 2014-03-29 18:20, Michiel van Es wrote:
I think I fixed it by commenting one of the following options:
;ConnectRetry = 60
;IdleTimeout = 60
;PingTimeout = 120
;PongTimeout = 20
;RequireAuthPing = yes
At least connections are now stable and Ngircd does not shut itself down anymore.
Do you know which option could have caused the automatic shutdown of Ngircd?
Did you check the description of these options? ;-)
From ./doc/sample-ngircd.conf:
# Number of seconds after which the whole daemon should shutdown when
# no connections are left active after handling at least one client
# (0: never, which is the default).
# This can be useful for testing or when ngIRCd is started using
# "socket activation" with systemd(8), for example.
;IdleTimeout = 0
And you used "IdleTimeout=60" -- so ngIRCd exited itself when the last connection had been terminated (for whatever reason) and no new connection came in within 60 seconds.
So the behaviour you reported is expected. Because you configured it to behave like this ;-)
Regards Alex
Hi Alexander,
I feel stupid, I admit I did not read the documentation. I expected it was meant for idle client connections and that it shuts down the client connections which are idle. Thanks for pointing this out to me, a classic RTFM would have helped me ;)
Regards,
Michiel
On Mar 30, 2014 at 6:36 AM, Alexander Barton alex@barton.de wrote:
Hi Michiel!
On 2014-03-29 18:20, Michiel van Es wrote:
I think I fixed it by commenting one of the following options:
;ConnectRetry = 60
;IdleTimeout = 60
;PingTimeout = 120
;PongTimeout = 20
;RequireAuthPing = yes
At least connections are now stable and Ngircd does not shut itself down anymore.
Do you know which option could have caused the automatic shutdown of Ngircd?
Did you check the description of these options? ;-)
From ./doc/sample-ngircd.conf:
# Number of seconds after which the whole daemon should shutdown when
# no connections are left active after handling at least one client
# (0: never, which is the default).
# This can be useful for testing or when ngIRCd is started using
# "socket activation" with systemd(8), for example.
;IdleTimeout = 0
And you used "IdleTimeout=60" -- so ngIRCd exited itself when the last connection had been terminated (for whatever reason) and no new connection came in within 60 seconds.
So the behaviour you reported is expected. Because you configured it to behave like this ;-)
Regards Alex
Michiel van Es wrote...
I have noticed that my Ngircd daemon shuts down whenever a client or an ip makes a connection to my port and sends a bogus SSL handshake:
That doesn't look good ...
Mar 29 03:42:06 mail ngircd[29098]: SSL protocol error: SSL_accept (error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol)
Mar 29 03:43:06 mail ngircd[29098]: Server going down NOW!
There are exactly 60 seconds between the failed handshake and ngircd shutting down. That's no coincidence I'm sure. So, referring to your other mail, I'd play with the IdleTimeout setting to see if there's a pattern.
Even more interesting would be to see the actual incoming data, so please try tcpdump if it's still happening.
This continues all during the night and I notice that the connection is coming from Japan (if the IP is not spoofed or a Tor endpoint):
Given the nature of TCP, spoofing the IP requires way more technology than any (assumed) Joe R. Intruder has available. However, I don't see much sense in making the address public: this still might be an innocent bystander who doesn't deserve it. And if it's an attack aimed at you, you shouldn't give that detailed public feedback.
my 2¢,
Christoph
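An added example, not code from the thread or from the ngIRCd project, that turns Alex's explanation of IdleTimeout and Christoph's "exactly 60 seconds" observation into a log check: it parses ngircd syslog lines, measures the gap between a process's last connection close and its "Server going down NOW!", and flags gaps equal to the configured IdleTimeout as a self-inflicted exit rather than a crash caused by the peer. The sample log is constructed to mirror the excerpt in the thread (with an RFC 5737 test address in place of the client IP), the year 2014 is supplied because syslog timestamps omit it, and IdleTimeout=60 is taken from Michiel's config.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the syslog excerpt in the thread.
SAMPLE_LOG = """\
Mar 29 03:42:06 mail ngircd[29098]: Accepted connection 8 from "192.0.2.10:6728" on socket 7.
Mar 29 03:42:06 mail ngircd[29098]: SSL protocol error: SSL_accept (error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol)
Mar 29 03:42:06 mail ngircd[29098]: Shutting down connection 8 (SSL accept error, closing socket) with "192.0.2.10:6728" ...
Mar 29 03:42:06 mail ngircd[29098]: Connection 8 with "192.0.2.10:6728" closed (in: 0.0k, out: 0.0k).
Mar 29 03:43:06 mail ngircd[29098]: Server going down NOW!
Mar 29 03:44:01 mail ngircd[29169]: Now listening on [0.0.0.0]:6667 (socket 7).
Mar 29 03:44:23 mail ngircd[29169]: Accepted connection 8 from "192.0.2.10:62835" on socket 7.
Mar 29 03:44:23 mail ngircd[29169]: Connection 8 with "192.0.2.10:62835" closed (in: 0.0k, out: 0.0k).
Mar 29 03:45:23 mail ngircd[29169]: Server going down NOW!
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ ngircd\[(?P<pid>\d+)\]: (?P<msg>.*)$")

def parse(log_text, year=2014):
    """Yield (datetime, pid, message) per ngircd syslog line; the year is
    absent from syslog timestamps, so the caller supplies it."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["pid"], m["msg"]

def idle_shutdowns(log_text, idle_timeout=60, year=2014):
    """For every 'Server going down NOW!' line, measure the gap since that
    PID's last connection close. A gap equal to IdleTimeout means the daemon
    exited because it was configured to, not because the peer crashed it."""
    last_close, last_reason, findings = {}, {}, []
    for ts, pid, msg in parse(log_text, year):
        if "Shutting down connection" in msg:
            # Reason is the parenthesised text, e.g. "SSL accept error, closing socket".
            last_reason[pid] = msg.split("(", 1)[1].split(")", 1)[0]
        elif msg.startswith("Connection ") and " closed " in msg:
            last_close[pid] = ts
        elif msg == "Server going down NOW!" and pid in last_close:
            gap = int((ts - last_close[pid]).total_seconds())
            findings.append({
                "pid": pid,
                "gap_seconds": gap,
                "last_close_reason": last_reason.get(pid, "unknown"),
                "idle_timeout_exit": gap == idle_timeout,
            })
    return findings

if __name__ == "__main__":
    for finding in idle_shutdowns(SAMPLE_LOG):
        print(finding)
```

Run against the real syslog with the IdleTimeout value from ngircd.conf; a shutdown whose gap does not match the timeout is the one that deserves Christoph's tcpdump.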
On 03/29/2014 06:46 PM, Christoph Biedl wrote:
Michiel van Es wrote...
I have noticed that my Ngircd daemon shuts down whenever a client or an ip makes a connection to my port and sends a bogus SSL handshake:
That doesn't look good ...
Mar 29 03:42:06 mail ngircd[29098]: SSL protocol error: SSL_accept (error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol)
Mar 29 03:43:06 mail ngircd[29098]: Server going down NOW!
There are exactly 60 seconds between the failed handshake and ngircd shutting down. That's no coincidence I'm sure. So, referring to your other mail, I'd play with the IdleTimeout setting to see if there's a pattern.
Ok, will do.
Even more interesting would be to see the actual incoming data, so please try tcpdump if it's still happening.
I think it is a plain IRC connect against my SSL Ngircd, which drops the connection.
This continues all during the night and I notice that the connection is coming from Japan (if the IP is not spoofed or a Tor endpoint):
Given the nature of TCP, spoofing the IP requires way more technology than any (assumed) Joe R. Intruder has available. However, I don't see much sense in making the address public: this still might be an innocent bystander who doesn't deserve it. And if it's an attack aimed at you, you shouldn't give that detailed public feedback.
An innocent bystander using my IRC server sounds like a contradiction - I have never accidentally accessed a specific IRC server (unless I might be infected by malware), and I know who can access my server and from where ;) Nevertheless it does not seem related to my shutdowns; I guess the IdleTimeout setting will be the problem maker.
my 2¢,
Christoph
Michiel