Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-72-1507710.1
Update Date: 2017-09-29

Solution Type  Problem Resolution Sure

Solution  1507710.1 :   Failed SSH login attempts on SPARC Enterprise M3000/M4000/M5000/M8000/M9000 (OPL) Servers domain(s) coming from XSCF(s)  


Related Items
  • Sun SPARC Enterprise M8000 Server
  • Sun SPARC Enterprise M4000 Server
  • Sun SPARC Enterprise M3000 Server
  • Sun SPARC Enterprise M9000-32 Server
  • Sun SPARC Enterprise M5000 Server
  • Sun SPARC Enterprise M9000-64 Server
Related Categories
  • PLA-Support>Sun Systems>SPARC>Enterprise>SN-SPARC: Mx000

In this Document
Symptoms
Cause
Solution


Applies to:

Sun SPARC Enterprise M4000 Server - Version All Versions and later
Sun SPARC Enterprise M5000 Server - Version All Versions and later
Sun SPARC Enterprise M8000 Server - Version All Versions and later
Sun SPARC Enterprise M9000-64 Server - Version All Versions and later
Sun SPARC Enterprise M3000 Server - Version All Versions and later
Information in this document applies to any platform.

Symptoms

On SPARC Enterprise M3000/M4000/M5000/M8000/M9000 (OPL) Servers, the messages and/or console logs of the domain(s) may report failed ssh login attempts by the root user; upon verification, the source addresses are found to be the public IPs of XSCF(s).

Example of console logs found on M8000 domain:

Sep 11 10:08:59 CEST 2012     Sep 11 09:34:15 M8000domain3 sshd[26126]: Failed none for root from 10.131.217.135 port 3933 ssh2
Sep 11 10:08:59 CEST 2012     Sep 11 09:34:15 M8000domain3 sshd[26126]: Failed password for root from 10.131.217.135 port 3933 ssh2
Sep 11 10:09:01 CEST 2012     Sep 11 09:34:18 M8000domain3 sshd[26214]: Failed none for root from 10.131.217.135 port 3934 ssh2
Sep 11 10:09:02 CEST 2012     Sep 11 09:34:18 M8000domain3 sshd[26214]: Failed password for root from 10.131.217.135 port 3934 ssh2
Sep 11 10:10:13 CEST 2012     Sep 11 09:35:29 M8000domain3 sshd[29580]: Failed none for root from 10.131.217.245 port 1302 ssh2
Sep 11 10:10:13 CEST 2012     Sep 11 09:35:29 M8000domain3 sshd[29580]: Failed password for root from 10.131.217.245 port 1302 ssh2
Sep 11 10:10:15 CEST 2012     Sep 11 09:35:32 M8000domain3 sshd[29668]: Failed none for root from 10.131.217.245 port 1303 ssh2
Sep 11 10:10:16 CEST 2012     Sep 11 09:35:32 M8000domain3 sshd[29668]: Failed password for root from 10.131.217.245 port 1303 ssh2
Sep 11 10:10:18 CEST 2012     Sep 11 09:35:35 M8000domain3 sshd[29846]: Failed none for root from 10.131.217.245 port 1304 ssh2

The source IP addresses of the above requests are 10.131.217.135 and 10.131.217.245, where:

XSCF of M8000 platform 1> shownetwork -a
xscf#0-lan#0
         Link encap:Ethernet  HWaddr 00:14:4F:xx:xx:xx  
         inet addr:10.131.217.245  Bcast:10.131.217.255  Mask:255.255.255.128
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
...snip...

XSCF of M8000 platform 2> shownetwork -a
xscf#1-lan#0
         Link encap:Ethernet  HWaddr 00:14:4F:xx:xx:xx  
         inet addr:10.131.217.135  Bcast:10.131.217.255  Mask:255.255.255.128
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
...snip...

so the "offending" source IP addresses belong to the public interfaces of XSCFs located on different Mx000 platforms.

Cause

Although this could be caused by different issues, System Administrators should first check how the Archiving feature is configured on the source XSCF(s) with the "showarchiving" command. Archiving may indeed be configured to save logs on the target domain(s) that report the failed ssh login attempts, while the domain itself is not aware of this and refuses the connections.

In the example scenario above, showarchiving output on main XSCF of M8000 platform 1 is:

*** Archiving Configuration ***
Archiving state ---------- Enabled
Archive host ------------- 10.128.24.249                <--- this is the IP address of the target domain that logs the failed root ssh login attempts.
Archive directory -------- /var/tmp
User name for ssh login -- root
Archive host fingerprint - 69:b7:59:f7:45:10:b6:58:71:f5:xx:xx:xx:xx:xx:xx

*** Connection to Archive Host ***
Latest communication ----- 2012/10/01 17:23:38
Connection status -------- Failed

                             AUDIT LOGS     OTHER LOGS
                             ----------     ----------
Archive space limit            Unlimited        5000 MB
Archive space used         Not monitored        Unknown
Total archiving failures               1             12
Unresolved failures                    1             12

2012/10/01 17:22:43
 - Failed to start secure shell session on 10.128.24.249
 - Secure shell login failed: permission denied
2012/10/01 17:23:06
 - Failed to start secure shell session on 10.128.24.249
 - Secure shell login failed: permission denied
2012/10/01 17:23:21
 - Failed to start secure shell session on 10.128.24.249
 - Secure shell login failed: permission denied
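
The check described above can be scripted on the domain side. The following is an added example, not part of the original Oracle document: it counts failed sshd logins per source address and labels each source according to whether it is an XSCF whose showarchiving output targets this domain. The XSCF_ARCHIVING inventory, the function names and the 192.0.2.77 sample source are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample input shaped like the log and showarchiving output in this document.
SSHD_LOG = """\
Sep 11 09:34:15 M8000domain3 sshd[26126]: Failed none for root from 10.131.217.135 port 3933 ssh2
Sep 11 09:34:15 M8000domain3 sshd[26126]: Failed password for root from 10.131.217.135 port 3933 ssh2
Sep 11 09:35:29 M8000domain3 sshd[29580]: Failed password for root from 10.131.217.245 port 1302 ssh2
Sep 11 09:36:02 M8000domain3 sshd[30011]: Failed password for root from 192.0.2.77 port 50122 ssh2
"""
SHOWARCHIVING_P1 = """\
Archiving state ---------- Enabled
Archive host ------------- 10.128.24.249
User name for ssh login -- root
"""
# Assumption: showarchiving text is collected per XSCF address; None = not collected yet.
XSCF_ARCHIVING = {"10.131.217.245": SHOWARCHIVING_P1, "10.131.217.135": None}

FAILED = re.compile(r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(\S+) from (\S+) port \d+")
FIELD = re.compile(r"^(.+?) -{2,} (\S+)")

def failed_logins(log):
    """Count failed sshd authentications per (user, source IP)."""
    return Counter(m.groups() for m in map(FAILED.search, log.splitlines()) if m)

def parse_showarchiving(text):
    """Turn the 'label ---- value' lines of showarchiving output into a dict."""
    return {m.group(1): m.group(2) for m in map(FIELD.match, text.splitlines()) if m}

def triage(log, xscf_archiving, domain_ip):
    """Label each (user, source IP) that failed to log in to the domain at domain_ip."""
    report = {}
    for (user, src), count in failed_logins(log).items():
        if src not in xscf_archiving:
            label = "unexplained"        # not an XSCF address: investigate as usual
        elif xscf_archiving[src] is None:
            label = "xscf-unverified"    # XSCF address, showarchiving not checked yet
        else:
            cfg = parse_showarchiving(xscf_archiving[src])
            match = (cfg.get("Archiving state") == "Enabled"
                     and cfg.get("Archive host") == domain_ip
                     and cfg.get("User name for ssh login") == user)
            label = "xscf-archiving" if match else "xscf-other"
        report[(user, src)] = (label, count)
    return report

if __name__ == "__main__":
    for (user, src), (label, count) in triage(SSHD_LOG, XSCF_ARCHIVING, "10.128.24.249").items():
        print(f"{src:15} {user:6} {count:2} failed  {label}")
```

Only sources labelled xscf-archiving are explained by the Archiving configuration; the remaining labels still need the usual investigation.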

Solution

In such a scenario, Archiving should be correctly configured on the XSCF(s) with the "setarchiving" command and/or the proper settings should be implemented on the target domain so that it accepts the requests.

For detailed information about the Archiving feature of XSCF and the setarchiving command, please refer to the XSCF User's Guide of the specific Mx000 platform (e.g. for the M5000 this is covered in the "Log Archiving Administration" section of the Guide, which is available here).

This document was created as a follow-up to SR 3-6178015361.


Attachments
This solution has no attachment
  Copyright © 2018 Oracle, Inc.  All rights reserved.