Every few days I find that dovecot auth is using all my CPU.

This is from dovecot 2.2.13, I've just upgraded to 2.2.18

strace -r -p 17956 output:

Process 17956 attached
0.000000 lseek(19, 0, SEEK_CUR) = -1 ESPIPE (Illegal seek)
0.000057 getsockname(19, {sa_family=AF_LOCAL, NULL}, [2]) = 0
0.000043 epoll_ctl(15, EPOLL_CTL_ADD, 19, {EPOLLIN|EPOLLPRI|EPOLLERR|EPOLLHUP, {u32=850618928, u64=140128453618224}}) = 0
0.000040 write(19, "VERSION\tauth-worker\t1\t0\nDBHASH\t5"..., 97) = -1 EPIPE (Broken pipe)
0.000035 --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=17956, si_uid=108} ---
0.000020 epoll_wait(15, {{EPOLLIN|EPOLLHUP, {u32=850618928, u64=140128453618224}}}, 14, 12614) = 1
0.000031 read(19, "", 8192) = 0
0.000026 epoll_ctl(15, EPOLL_CTL_DEL, 19, 7fff77616870) = 0
0.000027 close(19) = 0
0.000029 socket(PF_LOCAL, SOCK_STREAM, 0) = 19
0.000027 fcntl(19, F_GETFL) = 0x2 (flags O_RDWR)
0.000028 fcntl(19, F_SETFL, O_RDWR|O_NONBLOCK) = 0
0.000029 connect(19, {sa_family=AF_LOCAL, sun_path="auth-worker"}, 110) = 0
0.000033 fstat(19, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
0.000033 lseek(19, 0, SEEK_CUR) = -1 ESPIPE (Illegal seek)
0.000026 getsockname(19, {sa_family=AF_LOCAL, NULL}, [2]) = 0
0.000030 epoll_ctl(15, EPOLL_CTL_ADD, 19, {EPOLLIN|EPOLLPRI|EPOLLERR|EPOLLHUP, {u32=850618928, u64=140128453618224}}) = 0
0.000035 write(19, "VERSION\tauth-worker\t1\t0\nDBHASH\t5"..., 97) = -1 EPIPE (Broken pipe)
0.000029 --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=17956, si_uid=108} ---
0.000015 epoll_wait(15, {{EPOLLIN|EPOLLHUP, {u32=850618928, u64=140128453618224}}}, 14, 12614) = 1
0.000031 read(19, "", 8192) = 0
0.000026 epoll_ctl(15, EPOLL_CTL_DEL, 19, 7fff77616870) = 0
0.000027 close(19) = 0
0.000028 socket(PF_LOCAL, SOCK_STREAM, 0) = 19
0.000036 fcntl(19, F_GETFL) = 0x2 (flags O_RDWR)
0.000026 fcntl(19, F_SETFL, O_RDWR|O_NONBLOCK) = 0
0.000024 connect(19, {sa_family=AF_LOCAL, sun_path="auth-worker"}, 110) = 0
0.000034 fstat(19, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
0.000030 lseek(19, 0, SEEK_CUR) = -1 ESPIPE (Illegal seek)
0.000025 getsockname(19, {sa_family=AF_LOCAL, NULL}, [2]) = 0
0.000031 epoll_ctl(15, EPOLL_CTL_ADD, 19, {EPOLLIN|EPOLLPRI|EPOLLERR|EPOLLHUP, {u32=850618928, u64=140128453618224}}) = 0
0.000036 write(19, "VERSION\tauth-worker\t1\t0\nDBHASH\t5"..., 97) = -1 EPIPE (Broken pipe)
0.000030 --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=17956, si_uid=108} ---
0.000016 epoll_wait(15, {{EPOLLIN|EPOLLHUP, {u32=850618928, u64=140128453618224}}}, 14, 12614) = 1
0.000031 read(19, "", 8192) = 0
0.000027 epoll_ctl(15, EPOLL_CTL_DEL, 19, 7fff77616870) = 0
0.000028 close(19) = 0

Any ideas what's wrong? The machine is running Debian.
--
Edward.

What do you see in the logs?
My guess is that someone is trying a brute force auth against you,

> -----Original Message-----
> From: dovecot [mailto:dovecot-bounces at dovecot.org] On Behalf Of Edward
> Betts
> Sent: Sunday, 21 June 2015 10:42
> To: dovecot at dovecot.org
> Subject: dovecot auth using 100% CPU
>
> Every few days I find that dovecot auth is using all my CPU.
>
> This is from dovecot 2.2.13, I've just upgraded to 2.2.18
>
> strace -r -p 17956 output:
>
> Process 17956 attached
> 0.000000 lseek(19, 0, SEEK_CUR) = -1 ESPIPE (Illegal seek)
> 0.000057 getsockname(19, {sa_family=AF_LOCAL, NULL}, [2]) = 0
> 0.000043 epoll_ctl(15, EPOLL_CTL_ADD, 19,
> {EPOLLIN|EPOLLPRI|EPOLLERR|EPOLLHUP, {u32=850618928,
> u64=140128453618224}}) = 0
> 0.000040 write(19, "VERSION\tauth-worker\t1\t0\nDBHASH\t5"..., 97)
> = -1 EPIPE (Broken pipe)
> 0.000035 --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER,
> si_pid=17956, si_uid=108} ---
> 0.000020 epoll_wait(15, {{EPOLLIN|EPOLLHUP, {u32=850618928,
> u64=140128453618224}}}, 14, 12614) = 1
> 0.000031 read(19, "", 8192) = 0
> 0.000026 epoll_ctl(15, EPOLL_CTL_DEL, 19, 7fff77616870) = 0
> 0.000027 close(19) = 0
> 0.000029 socket(PF_LOCAL, SOCK_STREAM, 0) = 19
> 0.000027 fcntl(19, F_GETFL) = 0x2 (flags O_RDWR)
> 0.000028 fcntl(19, F_SETFL, O_RDWR|O_NONBLOCK) = 0
> 0.000029 connect(19, {sa_family=AF_LOCAL, sun_path="auth-worker"},
> 110) = 0
> 0.000033 fstat(19, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
> 0.000033 lseek(19, 0, SEEK_CUR) = -1 ESPIPE (Illegal seek)
> 0.000026 getsockname(19, {sa_family=AF_LOCAL, NULL}, [2]) = 0
> 0.000030 epoll_ctl(15, EPOLL_CTL_ADD, 19,
> {EPOLLIN|EPOLLPRI|EPOLLERR|EPOLLHUP, {u32=850618928,
> u64=140128453618224}}) = 0
> 0.000035 write(19, "VERSION\tauth-worker\t1\t0\nDBHASH\t5"..., 97)
> = -1 EPIPE (Broken pipe)
> 0.000029 --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER,
> si_pid=17956, si_uid=108} ---
> 0.000015 epoll_wait(15, {{EPOLLIN|EPOLLHUP, {u32=850618928,
> u64=140128453618224}}}, 14, 12614) = 1
> 0.000031 read(19, "", 8192) = 0
> 0.000026 epoll_ctl(15, EPOLL_CTL_DEL, 19, 7fff77616870) = 0
> 0.000027 close(19) = 0
> 0.000028 socket(PF_LOCAL, SOCK_STREAM, 0) = 19
> 0.000036 fcntl(19, F_GETFL) = 0x2 (flags O_RDWR)
> 0.000026 fcntl(19, F_SETFL, O_RDWR|O_NONBLOCK) = 0
> 0.000024 connect(19, {sa_family=AF_LOCAL, sun_path="auth-worker"},
> 110) = 0
> 0.000034 fstat(19, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
> 0.000030 lseek(19, 0, SEEK_CUR) = -1 ESPIPE (Illegal seek)
> 0.000025 getsockname(19, {sa_family=AF_LOCAL, NULL}, [2]) = 0
> 0.000031 epoll_ctl(15, EPOLL_CTL_ADD, 19,
> {EPOLLIN|EPOLLPRI|EPOLLERR|EPOLLHUP, {u32=850618928,
> u64=140128453618224}}) = 0
> 0.000036 write(19, "VERSION\tauth-worker\t1\t0\nDBHASH\t5"..., 97)
> = -1 EPIPE (Broken pipe)
> 0.000030 --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER,
> si_pid=17956, si_uid=108} ---
> 0.000016 epoll_wait(15, {{EPOLLIN|EPOLLHUP, {u32=850618928,
> u64=140128453618224}}}, 14, 12614) = 1
> 0.000031 read(19, "", 8192) = 0
> 0.000027 epoll_ctl(15, EPOLL_CTL_DEL, 19, 7fff77616870) = 0
> 0.000028 close(19) = 0
>
> Any ideas what's wrong? The machine is running Debian.
> --
> Edward.

On 2015-06-21 10:41:48 +0100, Edward Betts wrote:
> 0.000040 write(19, "VERSION\tauth-worker\t1\t0\nDBHASH\t5"..., 97) = -1 EPIPE (Broken pipe)
> 0.000035 write(19, "VERSION\tauth-worker\t1\t0\nDBHASH\t5"..., 97) = -1 EPIPE (Broken pipe)

something is fishy in your setup

darix

--
openSUSE - SUSE Linux is my linux
openSUSE is good for you
www.opensuse.org

Jorge Bastos <mysql.jorge at decimal.pt> wrote:
> What do you see in the logs?
> My guess is that someone is trying a brute force auth against you,

Thanks Jorge, I think this is the answer. I'm using dovecot for exim4 SMTP
authentication. The exim4 logs show brute force attacks.
--
Edward.
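
Added example, not part of the thread or of dovecot/exim: one way to confirm the brute-force diagnosis from exim4's main log by flagging source addresses with a burst of failed SMTP AUTH attempts. It assumes exim's usual "authenticator failed" log line; the authenticator name dovecot_login, the sample lines (documentation addresses), and the threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in exim mainlog style; nothing here comes from the thread.
# "dovecot_login" is an assumed authenticator name, the IPs are documentation ranges.
SAMPLE_LOG = """\
2015-06-21 09:00:00 dovecot_login authenticator failed for mail.example.net (laptop) [198.51.100.20]:51234: 535 Incorrect authentication data (set_id=edward)
2015-06-21 10:40:01 dovecot_login authenticator failed for (User) [203.0.113.7]: 535 Incorrect authentication data (set_id=admin)
2015-06-21 10:40:03 dovecot_login authenticator failed for (User) [203.0.113.7]: 535 Incorrect authentication data (set_id=info)
2015-06-21 10:40:05 dovecot_login authenticator failed for (User) [203.0.113.7]: 535 Incorrect authentication data (set_id=test)
2015-06-21 10:40:06 Start queue run: pid=4242
2015-06-21 10:40:08 dovecot_login authenticator failed for (User) [203.0.113.7]: 535 Incorrect authentication data (set_id=sales)
2015-06-21 10:40:10 dovecot_login authenticator failed for (User) [203.0.113.7]: 535 Incorrect authentication data (set_id=admin)
2015-06-21 10:41:30 dovecot_login authenticator failed for (User) [203.0.113.7]: 535 Incorrect authentication data (set_id=root)
"""

# timestamp, any authenticator name, optional host/HELO, [ip] with optional :port
FAILED = re.compile(r"^(\S+ \S+) \S+ authenticator failed for .*?"
                    r"\[([^\]]+)\](?::\d+)?: 535 ")
SET_ID = re.compile(r"\(set_id=([^)]*)\)")

def brute_force_sources(log_text, threshold=5, window=timedelta(minutes=1)):
    """Map each source IP that reaches `threshold` failed AUTHs inside one
    sliding `window` to (peak failures in a window, sorted set_ids tried)."""
    times, users = defaultdict(list), defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # deliveries, queue runs, successful logins, ...
        stamp, ip = m.groups()
        times[ip].append(datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"))
        users[ip].update(SET_ID.findall(line))
    flagged = {}
    for ip, seen in times.items():
        seen.sort()
        start = peak = 0
        for end, t in enumerate(seen):
            while t - seen[start] > window:  # drop failures older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = (peak, sorted(users[ip]))
    return flagged

if __name__ == "__main__":
    for ip, (peak, ids) in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {peak} failures within a minute, set_ids tried: {ids}")
```

On a real host, pass the contents of exim4's main log to brute_force_sources() in place of SAMPLE_LOG; many different set_id values from one address point to guessing rather than a user mistyping a password.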