
SSH server terminates due to fatal error


Hi, the XSR-1805 router's SSH server crashes after too many attempts to log in. See "show logging history" below. Is there a possibility to prevent this behavior without disabling SSH?

<186>Apr 14 15:22:03 XSR-HARTENSTEIN CLI: User: root failed to login from address 112.169.100.157
<186>Apr 14 14:37:59 XSR-HARTENSTEIN VPN: Interface Vpn1, changed state to up
<186>Apr 14 14:37:40 XSR-HARTENSTEIN ETH: Interface FastEthernet2, changed state to up
<186>Apr 14 14:37:38 XSR-HARTENSTEIN ETH: Interface FastEthernet1, changed state to up
<186>Apr 14 14:37:24 XSR-HARTENSTEIN PLATF: System warm boot from crash
<186>Apr 14 14:36:35 XSR-HARTENSTEIN CLI: SSH server terminates due to fatal erro
<186>Apr 14 14:36:35 XSR-HARTENSTEIN CLI: File descriptor 12664176 exceeded the array size in ssh_io_set_fd_request.
<186>Apr 14 14:36:35 XSR-HARTENSTEIN CLI: User: root failed to login from address 183.3.202.201
<186>Apr 14 14:36:34 XSR-HARTENSTEIN CLI: User: root failed to login from address 183.3.202.201
<186>Apr 14 14:36:34 XSR-HARTENSTEIN CLI: User: root failed to login from address 183.3.202.201
<186>Apr 14 14:36:22 XSR-HARTENSTEIN CLI: User: root failed to login from address 183.3.202.201
<186>Apr 14 14:36:22 XSR-HARTENSTEIN CLI: User: root failed to login from address 183.3.202.201
<186>Apr 14 14:36:22 XSR-HARTENSTEIN CLI: User: root failed to login from address 183.3.202.201
<186>Apr 14 14:36:18 XSR-HARTENSTEIN CLI: User: root failed to login from address 183.3.202.201
<186>Apr 14 14:36:18 XSR-HARTENSTEIN CLI: User: root failed to login from address 183.3.202.201
<186>Apr 14 14:36:17 XSR-HARTENSTEIN CLI: User: root failed to login from address 183.3.202.201

4 replies

Hi Frank,

you could try an ACL to allow SSH only for known management servers / networks.

Even a very permissive whitelist including the dynamic ranges for your administrators' home ISPs might help in mitigating the automatic SSH scans.

You might want to take a look at the following GTAC Knowledge articles:
HTH,
Erik
Erik Auerswald wrote:

Hi Frank,

you could try an ACL to allow SSH only for known management servers / networks.

Even a very permissive whitelist including the dynamic ranges for your administrators' home ISPs might help in mitigating the automatic SSH scans.

You might want to take a look at the following GTAC Knowledge articles:

HTH,
Erik

Thanks for the response.
Hello Frank:

To provide a definitive answer I will need answers to the following questions:
What firmware revision is on the router?
What optional hardware is installed?
(both can be ascertained from "show version" command response)
What commands were used immediately prior to the router crash?

There is a known issue in which the router may crash if it has any flavor of a NIM-T1-xx installed with certain levels of firmware and a "show controller t1 n/n" command is executed from an SSH session. If the conditions are different from this then you should call the GTAC and open a new support case ticket for best support for this issue.

That is the best I can offer at this moment.

Regards,

Raymond Jerome
could you stop trying to access my server?
Hello Jerome, thanks for the response. There are 1 XSR-1850 and 6 XSR-1805 connected over IPsec VPN tunnels. At different times the tunnels go down. So I found these entries in show logging history. The software version is 7.6.15.0006 and all NIM slots are empty.
Regards
Frank
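
To check whether each SSH server termination in a router's logging history was preceded by a burst of failed logins, the following Python sketch parses entries in the format quoted in this thread and counts failed logins per source address in the window before each termination. It is an added example, not part of the original posts or any Extreme Networks tool; the sample data, hostname, addresses, the year default and the five-minute window are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the "show logging history" format quoted in the thread
# (newest entry first; the first line is two entries fused together, as can
# happen when output is pasted). Hostname and addresses are placeholders.
SAMPLE = """\
<186>Apr 14 15:22:03 XSR-EXAMPLE CLI: User: root failed to login from address 198.51.100.7<186>Apr 14 14:37:24 XSR-EXAMPLE PLATF: System warm boot from crash
<186>Apr 14 14:36:35 XSR-EXAMPLE CLI: SSH server terminates due to fatal error
<186>Apr 14 14:36:35 XSR-EXAMPLE CLI: User: root failed to login from address 192.0.2.201
<186>Apr 14 14:36:34 XSR-EXAMPLE CLI: User: root failed to login from address 192.0.2.201
<186>Apr 14 14:36:22 XSR-EXAMPLE CLI: User: admin failed to login from address 192.0.2.201
<186>Apr 14 14:20:00 XSR-EXAMPLE CLI: User: root failed to login from address 203.0.113.9
"""

# One entry: <PRI>timestamp host facility: message (message ends at the next <PRI> or end of line)
ENTRY = re.compile(r"<\d+>(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (\w+): (.*?)(?=<\d+>|$)", re.M)
FAILED = re.compile(r"User: (\S+) failed to login from address (\S+)")

def parse(history, year=2000):
    """Return (time, host, facility, message) tuples, oldest first.
    The log carries no year, so one is assumed."""
    events = []
    for stamp, host, fac, msg in ENTRY.findall(history):
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((when, host, fac, msg.strip()))
    return sorted(events, key=lambda e: e[0])

def sources_before_ssh_crash(history, window=timedelta(minutes=5)):
    """For each SSH server termination, count failed logins per source
    address on the same host within the preceding window."""
    events = parse(history)
    report = []
    for when, host, _, msg in events:
        if "SSH server terminates" not in msg:
            continue
        hits = Counter()
        for t, h, _, m in events:
            f = FAILED.search(m)
            if f and h == host and when - window <= t <= when:
                hits[f.group(2)] += 1
        report.append((when, host, hits))
    return report

if __name__ == "__main__":
    for when, host, hits in sources_before_ssh_crash(SAMPLE):
        print(when.strftime("%b %d %H:%M:%S"), host, dict(hits))
```

Run against the history from each router, the per-source counts show whether the terminations line up with login bursts and which addresses a management ACL would need to exclude.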
