OSSEC stops mailserver responding

  • Dim Git
  • 06/03/09
Posted: Wed, 2011-10-19 10:36

This is a little off topic for this forum but please bear with me.

I have spent the best part of three days trying to solve this problem and finally I have got a handle on it.

The cause of my problem appears to be OSSEC.

The reason I ask here rather than elsewhere is because I wonder if it is related to WM/WM as I can’t find anyone elsewhere with a similar issue. Added to that is the fact that I know others here are running OSSEC because it has been recommended in these illustrious portals. :o)

With OSSEC running customers are unable to collect email from POP3 (IMAP untested). This doesn’t seem to affect everyone on that server (not had any complaints) but I know it affects at least three domains hosted on that box. If I use Pingability.com to test the DNS (also checks some other stuff) I get a number of errors like this :-

Error
Got an error when connecting to ns1.my-server.com/123.123.123.123 with a request for hosted-domain.com/ANY: SocketTimeoutException: Socket timeout on name server 123.123.123.123 for hosted-domain.com. 
 
Error
Got an error when connecting to ns1.my-server.com/123.123.123.123 with a request for ns1.my-server.com/CNAME: SocketTimeoutException: Socket timeout on name server 123.123.123.123 for ns1.my-server.com. 
 
Heads-up
Could not perform the CNAME check. SocketTimeoutException: Socket timeout on name server 123.123.123.123 for ns1.my-server.com.

Error
Got an error when connecting to ns1.my-server.com/123.123.123.123 with a request for hosted-domain.com/SOA: SocketTimeoutException: Socket timeout on name server 123.123.123.123 for hosted-domain.com.
 
Error
The name server did not return any SOA records. This could indicate a 'lame' nameserver - one that is listed as authoratative, but does not return any information for the zone.
 
Error
Got an error when connecting to ns1.my-server.com/123.123.123.123 with a request for hosted-domain.com/NS: SocketTimeoutException: Socket timeout on name server 123.123.123.123 for hosted-domain.com. 
 
Error
Got an error when connecting to ns1.my-server.com/123.123.123.123 with a request for www.hosted-domain.com/ANY: SocketTimeoutException: Socket timeout on name server 123.123.123.123 for www.hosted-domain.com.
 
Error
There was a problem while talking with the mail server. Got 'SocketTimeoutException: connect timed out'

If I stop OSSEC running, customers don’t have any errors and Pingability reports it all clean.

So, fellow Webminners, any ideas?

Thanks for reading and suffering an off topic post.

Tim

Operating system CentOS Linux 5.7
Webmin version 1.562
Virtualmin version 3.88 Pro



  • andreychek
  • 01/05/09
  • Wed, 2011-10-19 10:42

Howdy,

Well, I'm not familiar with OSSEC -- hopefully one of the folks who use it can chime in.

However, I'll offer that what you're running is a pretty standard DNS, Postfix, and Dovecot setup -- those services aren't doing anything unusual.

Also, the errors you're seeing suggest that it's a DNS problem of some sort. You may want to verify that OSSEC isn't doing anything that might interfere with DNS lookups, or BIND in general.

-Eric


Thanks Eric

  • Dim Git
  • 06/03/09
  • Fri, 2011-10-21 02:56

Thanks for replying Eric.

I have posted elsewhere about this but no solution there either.

I guess that nobody here who uses OSSEC has suffered the same problem. I will keep digging for a while yet but it looks like I might have to use some alternative.

Thanks again.



  • webwzrd
  • 07/23/08
  • Thu, 2011-11-03 13:53

I've been using OSSEC for a couple years now. Have you checked the OSSEC logs to see (verify) what it's doing to cause this?



  • Dim Git
  • 06/03/09
  • Mon, 2011-11-21 05:06

Oops!

Just noticed that I failed to reply, sorry Webwzrd.

In the end I gave up trying to use OSSEC. The cause of my issues in the original post was that the IP numbers of that (and some other users) had been blocked by OSSEC and never removed. When I checked iptables there were thousands of entries in there.

Thanks for your advice though.
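
The log check suggested earlier in the thread, carried through to the iptables entries described in the last post, as an added example that is not part of the thread: it cross-checks OSSEC's active-response log against the live `INPUT` DROP rules. The function names, the sample data and the assumed log layout (date, script, action, user, source IP, alert id, rule id) are assumptions, not taken from the posts.

```shell
#!/bin/sh
# Constructed sample of active-responses.log (layout assumed, see lead-in).
sample_log() {
cat <<'EOF'
Wed Oct 19 09:01:12 BST 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.10 1319011272.1001 5712
Wed Oct 19 09:11:12 BST 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 192.0.2.10 1319011272.1001 5712
Wed Oct 19 09:20:40 BST 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.7 1319012440.2002 5712
EOF
}

# Constructed sample of iptables-save output.
sample_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 198.51.100.7 -j DROP
-A INPUT -s 203.0.113.99/32 -j DROP
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
COMMIT
EOF
}

# audit_blocks LOG RULES: for every source IP with a live INPUT DROP rule, print
#   "IP stale"    if the log's last firewall-drop action for it is "add"
#   "IP unlogged" if the log has no firewall-drop entry for it at all
audit_blocks() {
    awk '
    FNR == NR {                                  # first file: the OSSEC log
        if ($0 !~ /firewall-drop/) next
        for (i = 1; i <= NF - 2; i++)            # IP sits two fields after the action
            if ($i == "add" || $i == "delete") { last[$(i + 2)] = $i; break }
        next
    }
    $1 == "-A" && $2 == "INPUT" && $NF == "DROP" {   # second file: iptables-save
        for (i = 3; i < NF; i++)
            if ($i == "-s") { ip = $(i + 1); sub(/\/.*/, "", ip); live[ip] = 1 }
    }
    END {
        for (ip in live) {
            if (!(ip in last))          print ip, "unlogged"
            else if (last[ip] == "add") print ip, "stale"
        }
    }' "$1" "$2" | LC_ALL=C sort
}

# Demo on the constructed data above.
log=$(mktemp); rules=$(mktemp)
sample_log > "$log"; sample_rules > "$rules"
audit_blocks "$log" "$rules"
rm -f "$log" "$rules"
```

On a real host the two arguments would be the active-response log (assumed to be at the default `/var/ossec/logs/active-responses.log`) and a file holding the output of `iptables-save`.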