BES Root server crashes after repeated bad passwords from consoles

Hey guys/girls, just a heads up on an issue that I have noticed. I am on BES Server version 9.2.9.36 as of about 6 months ago, and I may have seen this before that, but I wasn’t able to tie it to this. Once again, this may not be tied to this version, but I wanted to give you guys a heads up as to why you may get a BES Root Server service crash out of nowhere and you cannot figure out why.

I was digging through the log files and couldn’t find anything helpful, until I looked through the server audit log. I noticed tons of lines that were coming from a single user/console. It appears as if they had the console opened up on their machine and had changed their password, but never typed the new pass into the bigfix console, giving the bad auth errors in the console, but they had it minimized. The errors from the server audit log are below. (I did not put all of the successful log ins between the messages below, there were many). After almost exactly 4 hours, the BES Root server crashed, and I believe the last time I saw this happen it was about the same time, but not 100%

Fri, 04 Aug 2017 08:05:22 -0700 -- user "domain\user": Session has expired. (Data Connection)
Fri, 04 Aug 2017 08:07:22 -0700 -- user "domain\user": Session has expired. (Data Connection)
Fri, 04 Aug 2017 08:07:22 -0700 -- user "domain\user": Session has expired. (Data Connection)
Fri, 04 Aug 2017 08:07:37 -0700 -- user "domain\user": Failed log in. (Data Connection)
Fri, 04 Aug 2017 08:07:37 -0700 -- user "domain\user": Failed log in. (Data Connection)
Fri, 04 Aug 2017 08:07:52 -0700 -- domain\user: Too many log in attempts. (Data Connection)
Fri, 04 Aug 2017 08:07:52 -0700 -- domain\user: Too many log in attempts. (Data Connection)

After the last line above, every 15 seconds it replicates the too many log in attempts lines for approximately 4 hours until the root server service crashed. Once you start it again, not sure how long you have until it crashes again if the password issue is not fixed. Once I had him sync his password with the console, no issues.

Hopefully this helps someone!

I have had this happen a few more times, and verified it has been caused by the same thing, just a heads up. I am going to have to build an analysis on a machine to look for the " Too many log in attempts" in the audit log and a web report so we can try to get a proactive approach on this, instead of getting paged out and then having to find that person’s session, who may or not be on vacation. Had to have someone’s machine powered off this past weekend.

sounds similar to what was occurring ( in different way ) for the problem tracked with apar
http://www-01.ibm.com/support/docview.wss?uid=swg1IV87070

Good call, I would bet that it is.