Just an update to this issue.

IBM developer has replied in relation to the cause and possible test PTF.

Q: I presume this test PTF will ONLY affect *SSHD?

A: Wrong. The fix will correct SLIC handling for any ILE signal (in any
process/job).



Q: Can the developer provide any details of what is causing this issue?

A: "The issue is a defect in Pxsg (SLIC SignalsManagement) code because it
uses an internal interface that checks/requires authority to the parent
process. Authorization checks are done (by the parent process) when the
signal is sent, so there is no reason to check authority to the sender
process when the signal is delivered (in the child process)."


Cheers

Don Brown

From: "Patrik Schindler" <poc@xxxxxxxxxx>
To: "Midrange Systems Technical Discussion"
<midrange-l@xxxxxxxxxxxxxxxxxx>
Date: 17/01/2020 07:51 PM
Subject: Re: *SSHD Job generating joblogs every second
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxxxxxxxx>



Hello Don,

On 17.01.2020 at 00:42, Don Brown via MIDRANGE-L
<midrange-l@xxxxxxxxxxxxxxxxxx> wrote:

> sshd[1540655]: Invalid user dick from 190.111.249.133 port 56678

Welcome to the wonderful world of internet-facing systems! On our
Linux boxes, I'm facing this kind of "trying to hack an account" many
times a day.

I assume that the box must be reachable from outside for some reason?

First measure would be to check and eventually correct QSYS/EN_US object's
AUT, so the job log should not be created in the first place. Maybe you'd
have to test this one, because on my V7R2 they're flagged *PUBLIC *USE, so
I don't understand what could be wrong here. Probably you need to add
custom flags (everything but *CHANGE).

Secondary cause is the handling of the job logs, because any decent
machine should be fast enough to handle many connection tries per minute.
If you don't need these logs, I'd try to switch them off completely for
sshd. After that, many sshd startups should no longer affect the machine
in such a drastic way. I can't tell how to achieve that, though.

Find good values for the MaxStartups parameter in sshd_config. By default,
it's not included. Syntax is start:rate:full, default 10:30:100. See
https://linux.die.net/man/5/sshd_config for details. This *will* create
DDoS-like scenarios, because there's no computable difference between
legit and unwanted connections before auth.

Another possibility would be to introduce firewall rules to restrict
connections to known IP ranges, or have a second Linux install at hand to
use xinetd as a generic TCP proxy to handle internet-originating connections
and pass them to the i. Xinetd can restrict maximum connections in a given
time frame per source IP address.

> sshd[1540655]: rexec line 96: Deprecated option UsePrivilegeSeparation

Simply delete this line from sshd_config to get rid of the accompanying
message.

> PASE for i ended for signal 11, error code 1.

Ungraceful ABEND. I'm surprised to see something like that on IBM i.

:wq! PoC

PGP-Key: DDD3 4ABF 6413 38DE - https://www.pocnet.net/poc-key.asc
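Patrik's MaxStartups advice and the quoted "Invalid user" log line, worked through as an added example that is not code from this thread or from OpenSSH: refusal_percent() reproduces the integer refusal arithmetic of sshd's drop_connection() for a start:rate:full setting, and the log lines it counts are constructed with RFC 5737 documentation addresses.

```python
"""Added example (not from the thread or OpenSSH): sshd's MaxStartups throttle
and the 'Invalid user' burst discussed above. refusal_percent() mirrors the
integer arithmetic of sshd's drop_connection() for 'start:rate:full': none
refused below 'start' pre-auth connections, all at or above 'full', a linear
climb from 'rate' in between. Legit logins face the same coin toss."""
import re
from collections import Counter


def parse_max_startups(value):
    """Parse the three-field 'start:rate:full' form, e.g. the default '10:30:100'."""
    start, rate, full = (int(p) for p in value.split(":"))
    if not (0 <= start <= full and 1 <= rate <= 100):
        raise ValueError(f"invalid MaxStartups value: {value!r}")
    return start, rate, full


def refusal_percent(unauthenticated, setting="10:30:100"):
    """Chance (0-100) that the next connection is refused while
    `unauthenticated` connections are still in the pre-auth phase."""
    start, rate, full = parse_max_startups(setting)
    if unauthenticated < start:
        return 0
    if unauthenticated >= full or rate == 100:
        return 100
    # spread the remaining (100 - rate) points linearly over the window
    return rate + (100 - rate) * (unauthenticated - start) // (full - start)


# Constructed sample in the log format quoted in the thread (RFC 5737 addresses).
SAMPLE_LOG = """\
sshd[1540655]: Invalid user dick from 203.0.113.7 port 56678
sshd[1540656]: Invalid user admin from 203.0.113.7 port 56702
sshd[1540657]: Invalid user test from 198.51.100.9 port 41012
sshd[1540658]: Invalid user oracle from 203.0.113.7 port 56790
sshd[1540659]: Accepted publickey for don from 192.0.2.20 port 50022 ssh2
"""
INVALID_USER = re.compile(r"Invalid user (\S+) from (\S+) port (\d+)")


def invalid_user_sources(log_text):
    """Count 'Invalid user' attempts per source: few dominant addresses argue
    for firewall rules, a wide spread for MaxStartups tuning."""
    sources = Counter()
    for line in log_text.splitlines():
        if (m := INVALID_USER.search(line)):
            sources[m.group(2)] += 1
    return sources
```

With the default 10:30:100, ten pending pre-auth connections already refuse 30% of new arrivals and 99 pending refuse 99%, which is why an unauthenticated burst from many sources locks out legitimate users too.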

