consider using max_clients in vsftpd default configuration

Bug #590034 reported by None

Affects: vsftpd (Ubuntu)
Status: Triaged
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Binary package hint: vsftpd

The default configuration file for vsftpd does not have any max_clients or max_per_ip limits. Earlier today my server hit the TCP/IP connection limit and had to be rebooted remotely when one user unintentionally spawned way too many FTP connections.

I'm not entirely sure that no limits are in place or even if the cause is as I've described, but I'll provide some idea of what went on at that time with a few logs.

vsftpd.log shows mostly connection attempts, the occasional GET and mostly the same line:

Fri Jun 4 17:52:03 2010 [pid 2] CONNECT: Client "99.239.180.252", "Connection refused: too many sessions for this address."

/var/log/messages and /var/log/kern.log show many page allocation errors, I'll attach a sample.
The following message also flooded the terminal: (copied from kern.log)

Jun 4 17:57:59 ubuntu kernel: [2837865.728645] INFO: task vsftpd:24138 blocked for more than 120 seconds.

The server was rebooted at 19:36 and a few minutes later, I noticed many (more than usual) vsftpd processes being spawned. I killed them and added the following lines to my vsftpd.conf:

max_clients=20
max_per_ip=10

and everything looks normal again, although the user has disconnected.

I apologize if I haven't provided enough (or the right) information; please let me know and I'll attach any additional logs as necessary. Thanks.

Other:
Description: Ubuntu 10.04 LTS
Release: 10.04

vsftpd:
  Installed: 2.2.2-3ubuntu6
  Candidate: 2.2.2-3ubuntu6
  Version table:
 *** 2.2.2-3ubuntu6 0
        500 http://us.archive.ubuntu.com/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status

Linux ubuntu 2.6.32-21-server #32-Ubuntu SMP Fri Apr 16 09:17:34 UTC 2010 x86_64 GNU/Linux

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: vsftpd 2.2.2-3ubuntu6
ProcVersionSignature: Ubuntu 2.6.32-21.32-server 2.6.32.11+drm33.2
Uname: Linux 2.6.32-21-server x86_64
Architecture: amd64
Date: Sat Jun 5 01:06:46 2010
ProcEnviron:
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: vsftpd
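The two settings the reporter added are the only per-daemon concurrency caps vsftpd offers, and in the upstream daemon both default to 0, which means "no limit"; a configuration that never mentions them is therefore unlimited. The following Python is an added example, not part of the bug report or of the vsftpd package. It audits a vsftpd.conf for those caps and counts accepted versus refused CONNECT entries per client in the vsftpd.log format shown above (the "too many sessions for this address" refusal is the one vsftpd logs when a per-IP cap rejects a connection). The config fragments, the log lines and the 192.0.2.0/24 and 198.51.100.0/24 addresses are constructed for the example; the limit values 20 and 10 are the ones from the report, not vsftpd defaults.

```python
import re
from collections import Counter

# Upstream vsftpd defaults: 0 means "unlimited" for both options, so a
# vsftpd.conf that omits them runs without any session cap.
VSFTPD_DEFAULTS = {"max_clients": 0, "max_per_ip": 0}

# Constructed vsftpd.conf fragment with no concurrency limits (the weak case).
DEFAULT_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
"""

# Same fragment plus the caps the reporter added (values from the report).
HARDENED_CONF = DEFAULT_CONF + """\
# concurrency caps: total sessions, and sessions per source address
max_clients=20
max_per_ip=10
"""


def parse_vsftpd_conf(text):
    """Parse vsftpd.conf into a dict: one key=value per line, '#' comments, blanks ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def connection_limits(text):
    """Return the effective {max_clients, max_per_ip}; 0 means unlimited."""
    settings = parse_vsftpd_conf(text)
    return {opt: int(settings.get(opt, default)) for opt, default in VSFTPD_DEFAULTS.items()}


def audit_limits(text):
    """List the options that still leave the daemon without a cap (sorted)."""
    return sorted(opt for opt, val in connection_limits(text).items() if val == 0)


# vsftpd.log CONNECT lines: accepted ones end after the client address,
# refused ones carry a second quoted string with the reason.
CONNECT_RE = re.compile(
    r'^\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4} \[pid \d+\] CONNECT: Client "(?P<ip>[^"]+)"'
    r'(?:, "Connection refused: (?P<why>[^"]*)")?'
)

# Constructed log sample in the format the report quotes; addresses are
# documentation ranges, not real clients.
SAMPLE_LOG = """\
Fri Jun  4 17:51:58 2010 [pid 2] CONNECT: Client "192.0.2.10"
Fri Jun  4 17:52:01 2010 [pid 2] CONNECT: Client "192.0.2.10"
Fri Jun  4 17:52:03 2010 [pid 2] CONNECT: Client "192.0.2.10", "Connection refused: too many sessions for this address."
Fri Jun  4 17:52:03 2010 [pid 2] CONNECT: Client "192.0.2.10", "Connection refused: too many sessions for this address."
Fri Jun  4 17:52:05 2010 [pid 2] CONNECT: Client "198.51.100.7"
Fri Jun  4 17:52:09 2010 [pid 2] CONNECT: Client "192.0.2.10", "Connection refused: too many sessions for this address."
"""


def connects_per_client(log_text):
    """Return (accepted, refused) Counters keyed by client address."""
    accepted, refused = Counter(), Counter()
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if not m:
            continue  # not a CONNECT line (GET, LOGIN, ...)
        if m.group("why"):
            refused[m.group("ip")] += 1
        else:
            accepted[m.group("ip")] += 1
    return accepted, refused


if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        missing = audit_limits(conf)
        print(f"{name}: limits={connection_limits(conf)} uncapped={missing or 'none'}")
    accepted, refused = connects_per_client(SAMPLE_LOG)
    for ip in sorted(set(accepted) | set(refused)):
        print(f"{ip}: accepted={accepted[ip]} refused={refused[ip]}")
```

Run it against a real /etc/vsftpd.conf and /var/log/vsftpd.log by reading those files into the two functions; a client whose refused count climbs while its accepted count stays flat is the per-IP cap doing its job, whereas a large accepted count with no refusals at all is the uncapped case the report describes.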

Revision history for this message
None (deactivated-deactivatedaccount) wrote :
visibility: private → public
Revision history for this message
Chuck Short (zulcss) wrote :

I'll revisit this in Maverick.

chuck

Changed in vsftpd (Ubuntu):
importance: Undecided → Wishlist
status: New → Confirmed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Unmarking as a security bug. This is a hardening feature, not a problem in and of itself, and there is probably no sane default for max_clients.

security vulnerability: yes → no
summary: - vsftpd default configuration may be susceptible to DoS
+ consider using max_clients in vsftpd default configuration
Changed in vsftpd (Ubuntu):
status: Confirmed → Triaged
assignee: nobody → Canonical Server Team (canonical-server)
Dave Walker (davewalker)
Changed in vsftpd (Ubuntu):
assignee: Canonical Server Team (canonical-server) → nobody