Just an update to this issue.
IBM developer has replied in relation to the cause and possible test ptf.
Q: I presume this test PTF will ONLY affect *SSHD ?
A: Wrong. The fix will correct SLIC handling for any ILE signal (in any
Q: Can the developer provide any details of what is causing this issue?
A: "The issue is a defect in Pxsg (SLIC SignalsManagement) code because it
uses an internal interface that checks/requires authority to the parent
process. Authorization checks are done (by the parent process) when the
signal is sent, so there is no reason to check authority to the sender
process when the signal is delivered (in the child process)."
From: "Patrik Schindler" <poc@xxxxxxxxxx>
To: "Midrange Systems Technical Discussion"
Date: 17/01/2020 07:51 PM
Subject: Re: *SSHD Job generating joblogs every second
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxxxxxxxx>
Am 17.01.2020 um 00:42 schrieb Don Brown via MIDRANGE-L
sshd: Invalid user dick from 184.108.40.206 port 56678
Welcome to the wonderful world of internet-facing systems! On our
Linux-Boxes, I'm facing this kind of "trying to hack an account" many
times a day.
I assume that the box must be reachable from outside for some reason?
First measure would be to check and eventually correct QSYS/EN_US object's
AUT, so the job log should not be created in the first place. Maybe you'd
have to test this one, because on my V7R2 they're flagged *PUBLIC *USE, so
I don't understand what could be wrong here. Probably you need to add
custom flags (everything but *CHANGE).
Secondary Cause is the handling of the job logs, because any decent
machine should be fast enough to handle many connection tries per minute.
If you don't need these logs, I'd try to switch them off completely for
sshd. After that, many sshd startups should no longer affect the machine
in such a drastic way. I can't tell how to achieve that, though.
Find good values for the MaxStartups parameter in sshd_config. By default,
it's not included. Syntax is start:rate:full, Default 10:30:100. See
for details. This *will* create
DDOS like scenarios, because there's no computable difference between
legit and unwanted connections before auth.
Another possibility would be to introduce firewall rules to restrict
connections to known IP ranges, or have a second linux install at hand to
use xinetd as generic TCP proxy to handle internet originating connections
and pass them to the i. Xinetd can restrict maximum connections in a given
time frame per source IP address.
sshd: rexec line 96: Deprecated option UsePrivilegeSeparation
Simply delete this line from sshd_config to get rid of the accompanying
PASE for i ended for signal 11, error code 1.
Ungraceful ABEND. I'm surprised to see something like that on IBM i.
PGP-Key: DDD3 4ABF 6413 38DE - https://www.pocnet.net/poc-key.asc
As an Amazon Associate we earn from qualifying purchases.