Hello Don,

On 17.01.2020 at 00:42, Don Brown via MIDRANGE-L <midrange-l@xxxxxxxxxxxxxxxxxx> wrote:

> sshd[1540655]: Invalid user dick from 190.111.249.133 port 56678

Welcome to the wonderful world of internet-facing systems! On our Linux boxes, I'm facing this kind of "trying to hack an account" many times a day.

I assume that the box must be reachable from outside for some reason?

First measure would be to check and eventually correct QSYS/EN_US object's AUT, so the job log should not be created in the first place. Maybe you'd have to test this one, because on my V7R2 they're flagged *PUBLIC *USE, so I don't understand what could be wrong here. Probably you need to add custom flags (everything but *CHANGE).

Secondary cause is the handling of the job logs, because any decent machine should be fast enough to handle many connection tries per minute. If you don't need these logs, I'd try to switch them off completely for sshd. After that, many sshd startups should no longer affect the machine in such a drastic way. I can't tell how to achieve that, though.

Find good values for the MaxStartups parameter in sshd_config. By default, it's not included. Syntax is start:rate:full, default 10:30:100. See https://linux.die.net/man/5/sshd_config for details. This *will* create DDoS-like scenarios, because there's no computable difference between legit and unwanted connections before auth.

Another possibility would be to introduce firewall rules to restrict connections to known IP ranges, or have a second Linux install at hand to use xinetd as generic TCP proxy to handle internet-originating connections and pass them to the i. Xinetd can restrict maximum connections in a given time frame per source IP address.

> sshd[1540655]: rexec line 96: Deprecated option UsePrivilegeSeparation

Simply delete this line from sshd_config to get rid of the accompanying message.

> PASE for i ended for signal 11, error code 1.

Ungraceful ABEND. I'm surprised to see something like that on IBM i.

:wq! PoC

PGP-Key: DDD3 4ABF 6413 38DE - https://www.pocnet.net/poc-key.asc
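
The MaxStartups syntax mentioned in the message above (start:rate:full), worked through as an added example that is not part of the original post: it computes the percentage of new unauthenticated connections sshd refuses at a given load, following the description in sshd_config(5). The function names and the round-down integer arithmetic are assumptions of this example.

```python
"""Added example: refusal percentage implied by an sshd MaxStartups value."""


def parse_max_startups(value):
    """Return (start, rate, full) from 'start:rate:full' or a single integer."""
    parts = [int(p) for p in value.strip().split(":")]
    if len(parts) == 1:
        # Single-number form: a hard limit with no random early drop.
        start, rate, full = parts[0], 100, parts[0]
    elif len(parts) == 3:
        start, rate, full = parts
    else:
        raise ValueError("expected start:rate:full or one integer")
    if start > full or not 1 <= rate <= 100:
        raise ValueError("illegal MaxStartups value: %r" % value)
    return start, rate, full


def drop_percent(unauthenticated, spec):
    """Percent of new connections refused while `unauthenticated` are pending."""
    start, rate, full = parse_max_startups(spec)
    if unauthenticated < start:
        return 0            # below 'start': every connection is accepted
    if unauthenticated >= full or rate == 100:
        return 100          # at 'full': every connection is refused
    # Linear ramp from rate% at 'start' up to 100% at 'full'
    # (rounding down is an assumption of this example).
    return rate + (100 - rate) * (unauthenticated - start) // (full - start)


def ramp(spec, loads):
    """List of (load, refusal percent) pairs, handy for comparing settings."""
    return [(n, drop_percent(n, spec)) for n in loads]


if __name__ == "__main__":
    # Constructed loads; compare the default quoted above with a tighter value.
    for spec in ("10:30:100", "10:30:60"):
        print(spec, ramp(spec, (5, 10, 35, 55, 60, 100)))
```

The refusal applies to every new connection regardless of source, so the percentages are also the share of legitimate logins turned away at that load.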

