SSH server terminates due to fatal error

  • 0
  • 1
  • Question
  • Updated 2 years ago
  • Answered
Hi, the XSR-1805 Routers ssh server crash after to many attempts to login. See "show logging history" below. Is there a possibility to prevent this behavior without to disable ssh? 

<186>Apr 14 15:22:03 XSR-HARTENSTEIN CLI: User: root failed to login from address 112.169.100.157<186>Apr 14 14:37:59 XSR-HARTENSTEIN VPN: Interface Vpn1, changed state to up
<186>Apr 14 14:37:40 XSR-HARTENSTEIN ETH: Interface FastEthernet2, changed state to up
<186>Apr 14 14:37:38 XSR-HARTENSTEIN ETH: Interface FastEthernet1, changed state to up
<186>Apr 14 14:37:24 XSR-HARTENSTEIN PLATF: System warm boot from crash
<186>Apr 14 14:36:35 XSR-HARTENSTEIN CLI: SSH server terminates due to fatal erro
<186>Apr 14 14:36:35 XSR-HARTENSTEIN CLI: File descriptor 12664176 exceeded the array size in ssh_io_set_fd_request.
<186>Apr 14 14:36:35 XSR-HARTENSTEIN CLI: User: root failed to login from address 183.3.202.201
<186>Apr 14 14:36:34 XSR-HARTENSTEIN CLI: User: root failed to login from address 183.3.202.201
<186>Apr 14 14:36:34 XSR-HARTENSTEIN CLI: User: root failed to login from address 183.3.202.201
<186>Apr 14 14:36:22 XSR-HARTENSTEIN CLI: User: root failed to login from address 183.3.202.201
<186>Apr 14 14:36:22 XSR-HARTENSTEIN CLI: User: root failed to login from address 183.3.202.201
<186>Apr 14 14:36:22 XSR-HARTENSTEIN CLI: User: root failed to login from address 183.3.202.201
<186>Apr 14 14:36:18 XSR-HARTENSTEIN CLI: User: root failed to login from address 183.3.202.201
<186>Apr 14 14:36:18 XSR-HARTENSTEIN CLI: User: root failed to login from address 183.3.202.201
<186>Apr 14 14:36:17 XSR-HARTENSTEIN CLI: User: root failed to login from address 183.3.202.201
Photo of Frank Richter

Frank Richter

  • 340 Points 250 badge 2x thumb

Posted 2 years ago

  • 0
  • 1
Photo of Erik Auerswald

Erik Auerswald, Embassador

  • 12,960 Points 10k badge 2x thumb
Hi Frank,

you could try an ACL to allow SSH only for known management servers / networks.

Even a very permissive whitelist including the dynamic ranges for your administrators' home ISPs might help in mitigating the automatic SSH scans.

You might want to take a look at the following GTAC Knowledge articles:

HTH,
Erik
(Edited)
Photo of Frank Richter

Frank Richter

  • 340 Points 250 badge 2x thumb
thanks for response
Photo of Jerome, Raymond

Jerome, Raymond, Employee

  • 140 Points 100 badge 2x thumb
Hello Frank:

To provide a definitive answer I will need answers to the following questions:
What firmware revision is on the route?
What optional hardware is installed?
(both can be ascertained from "show version" command response)
What commands were used immediately prior to the router crash?

There is a known issue in which the router may crash if it has any flavor of a NIM-T1-xx installed with certain levels of firmware and a "show controller t1 n/n" command is executed from an SSH session.  If the conditions are different from this then you should call the GTAC and open a new support case ticket for best support for this issue.

That is the best I can offer at this moment.  

Regards,

Raymond Jerome
Photo of Frank Richter

Frank Richter

  • 340 Points 250 badge 2x thumb
Hello Jerome, thanks for response. There are 1 XSR-1850 and 6 XSR-1805 connect over IPSEC VPN Tunnels. In different times the tunnels are going down. So I found this entrys in show logging history. The Softwareversion is 7.6.15.0006 and all NIM Slots are empty.
Regards
Frank