I have an updated Mageia5 gateway behind a fiber router with ssh-port forwarding. The system has started to crash (had to push on/off) within the last 2 months. I have updated to openssh-server-6.6p1-5.9.mga5. The system logs says that it happened just af a connection attempt from an IP-address in China. How can sshd crash the system? Could the box be infected? I have closed the ssh-forwarding. How should I proceede from here?
Can you attach those logs?
Keywords: (none) => NEEDINFOCC: (none) => marja11
How do I make a listing across the last boot: journalctl -b -0 ???
(In reply to Bjarne Thomsen from comment #2) > How do I make a listing across the last boot: > journalctl -b -0 ??? if last = current: journalctl -ab > output .txt if last is the previous boot: journalctl -ab -1 > output.txt the boot before that: journalctl -ab -2 > output.txt to be sure, you can check the times at the beginning of each line in output.txt
Created attachment 8600 [details] journalctl-ab-1.txt + journalctl-ab.txt The crash happened at the end of journalctl-ab-1.txt The system was hanging for 4 hours. journalctl-ab.txt is after the current boot.
CC: (none) => bjarne.thomsen
Created attachment 8601 [details] journalctl-ab-1.txt journalctl-ab-1.txt has the crash in the end. too long. Then I tailed the last 1000 lines. uid=5025 is me.
Which Chinese IP-address is the one you distrust? At first I thought it was 221.229.172.76, but that one already turns up 40 minutes before the end. This is funny: Oct 24 06:32:17 aopen.local sshd[1006]: Invalid user admin from 185.110.132.202 Oct 24 06:32:17 aopen.local sshd[1006]: input_userauth_request: invalid user admin [preauth] But here "whois" doesn't show anything Chinese for that ip address Assigning to the openssh maintainer, who, if he can't already tell why your system hangs, will be able to instruct you how to get logs that contain more information.
Assignee: bugsquad => guillomovitchSource RPM: (none) => openssh
Yes, 185.110.132.202 looks more interesting. ip2location.com tells me: Ukraine, Kharkivs'ka Oblast', Kharkiv ISP OpenStack Ltd But it could be something else. My question is really: Is there a known vulnerability in sshd that could hang the system?
Something strange happened while testing my server with Nessus for "Basic Networking" after having removed the weak CBC ciphers from sshd_config: Nessus crashed, and the system was hanging as above. I had to press on/off to boot. After the boot sshd was not running. After editing the sshd_config I restarted sshd and checked that it was running. journalctl -ab -1 tels me that sshd was not running correctly just before the crash. I inserted a line in sshd_config starting with Ciphers followed by the ciphers not containing *cbc*. Should there be "" around each cipher? I used "man sshd_config" to obtain the default ciphers. A misconfigured sshd should not be able to lock the system.
Sorry if I'm being rude, but I don't see any evidence of an openssh bug here. You'd rather have this kind of discussion on a media better suited for technical support, such as a user forum or a discussion list. I'm closing this report as invalid, feel free to reopen it if you're able to provide a reproductible test case.
Status: NEW => RESOLVEDResolution: (none) => INVALID