dovecot auth using 100% CPU
Jorge Bastos
mysql.jorge at decimal.pt
Sun Jun 21 10:23:50 UTC 2015
What do you see in the logs?
My guess is that someone is trying a brute force auth against you,
> -----Original Message-----
> From: dovecot [mailto:dovecot-bounces at dovecot.org] On Behalf Of Edward
> Betts
> Sent: domingo, 21 de Junho de 2015 10:42
> To: dovecot at dovecot.org
> Subject: dovecot auth using 100% CPU
>
> Every few days I find that dovecot auth is using all my CPU.
>
> This is from dovecot 2.2.13, I've just upgraded to 2.2.18
>
> strace -r -p 17956 output:
>
> Process 17956 attached
> 0.000000 lseek(19, 0, SEEK_CUR) = -1 ESPIPE (Illegal seek)
> 0.000057 getsockname(19, {sa_family=AF_LOCAL, NULL}, [2]) = 0
> 0.000043 epoll_ctl(15, EPOLL_CTL_ADD, 19,
> {EPOLLIN|EPOLLPRI|EPOLLERR|EPOLLHUP, {u32=850618928,
> u64=140128453618224}}) = 0
> 0.000040 write(19, "VERSION\tauth-worker\t1\t0\nDBHASH\t5"..., 97)
> = -1 EPIPE (Broken pipe)
> 0.000035 --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER,
> si_pid=17956, si_uid=108} ---
> 0.000020 epoll_wait(15, {{EPOLLIN|EPOLLHUP, {u32=850618928,
> u64=140128453618224}}}, 14, 12614) = 1
> 0.000031 read(19, "", 8192) = 0
> 0.000026 epoll_ctl(15, EPOLL_CTL_DEL, 19, 7fff77616870) = 0
> 0.000027 close(19) = 0
> 0.000029 socket(PF_LOCAL, SOCK_STREAM, 0) = 19
> 0.000027 fcntl(19, F_GETFL) = 0x2 (flags O_RDWR)
> 0.000028 fcntl(19, F_SETFL, O_RDWR|O_NONBLOCK) = 0
> 0.000029 connect(19, {sa_family=AF_LOCAL, sun_path="auth-worker"},
> 110) = 0
> 0.000033 fstat(19, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
> 0.000033 lseek(19, 0, SEEK_CUR) = -1 ESPIPE (Illegal seek)
> 0.000026 getsockname(19, {sa_family=AF_LOCAL, NULL}, [2]) = 0
> 0.000030 epoll_ctl(15, EPOLL_CTL_ADD, 19,
> {EPOLLIN|EPOLLPRI|EPOLLERR|EPOLLHUP, {u32=850618928,
> u64=140128453618224}}) = 0
> 0.000035 write(19, "VERSION\tauth-worker\t1\t0\nDBHASH\t5"..., 97)
> = -1 EPIPE (Broken pipe)
> 0.000029 --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER,
> si_pid=17956, si_uid=108} ---
> 0.000015 epoll_wait(15, {{EPOLLIN|EPOLLHUP, {u32=850618928,
> u64=140128453618224}}}, 14, 12614) = 1
> 0.000031 read(19, "", 8192) = 0
> 0.000026 epoll_ctl(15, EPOLL_CTL_DEL, 19, 7fff77616870) = 0
> 0.000027 close(19) = 0
> 0.000028 socket(PF_LOCAL, SOCK_STREAM, 0) = 19
> 0.000036 fcntl(19, F_GETFL) = 0x2 (flags O_RDWR)
> 0.000026 fcntl(19, F_SETFL, O_RDWR|O_NONBLOCK) = 0
> 0.000024 connect(19, {sa_family=AF_LOCAL, sun_path="auth-worker"},
> 110) = 0
> 0.000034 fstat(19, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
> 0.000030 lseek(19, 0, SEEK_CUR) = -1 ESPIPE (Illegal seek)
> 0.000025 getsockname(19, {sa_family=AF_LOCAL, NULL}, [2]) = 0
> 0.000031 epoll_ctl(15, EPOLL_CTL_ADD, 19,
> {EPOLLIN|EPOLLPRI|EPOLLERR|EPOLLHUP, {u32=850618928,
> u64=140128453618224}}) = 0
> 0.000036 write(19, "VERSION\tauth-worker\t1\t0\nDBHASH\t5"..., 97)
> = -1 EPIPE (Broken pipe)
> 0.000030 --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER,
> si_pid=17956, si_uid=108} ---
> 0.000016 epoll_wait(15, {{EPOLLIN|EPOLLHUP, {u32=850618928,
> u64=140128453618224}}}, 14, 12614) = 1
> 0.000031 read(19, "", 8192) = 0
> 0.000027 epoll_ctl(15, EPOLL_CTL_DEL, 19, 7fff77616870) = 0
> 0.000028 close(19) = 0
>
> Any ideas what's wrong? The machine is running Debian.
> --
> Edward.
More information about the dovecot
mailing list