From owner-freebsd-questions@FreeBSD.ORG Wed Apr 13 14:25:48 2005 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D695516A4CE for ; Wed, 13 Apr 2005 14:25:48 +0000 (GMT) Received: from mail3.spm1.com (mail.spm1.com [209.210.151.163]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3D65D43D5A for ; Wed, 13 Apr 2005 14:25:48 +0000 (GMT) (envelope-from linux0642@sbcglobal.net) Received: from localhost (localhost [127.0.0.1])id 22D71484799 for ; Wed, 13 Apr 2005 06:25:04 -0700 (PDT) Received: from mail3.spm1.com ([127.0.0.1]) by localhost (mail3 [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 12421-05 for ; Wed, 13 Apr 2005 06:25:03 -0700 (PDT) Received: from [192.168.4.200] (unknown [192.168.4.200]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (Client did not present a certificate)id 5A28B48420A for ; Wed, 13 Apr 2005 06:25:03 -0700 (PDT) Message-ID: <425D2BEC.40403@sbcglobal.net> Date: Wed, 13 Apr 2005 07:25:48 -0700 From: John Davis User-Agent: Mozilla Thunderbird 0.8 (Windows/20040913) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-questions@freebsd.org References: <20050413184752.0a59b661.y2kbug@ms25.hinet.net> In-Reply-To: <20050413184752.0a59b661.y2kbug@ms25.hinet.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: amavisd-new at spm1.com Subject: Re: ssh dies X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 Apr 2005 14:25:49 -0000 Robert Storey wrote: > Dear All, > > An interesting and disturbing problem recently appeared on our server > which is running FBSD 5.3. Rather suddenly, all users found themselves > locked out because ssh stopped working. We had to send an email to tech > support at our hosting service (Netsonic). They said this seems to be > happening frequently on many FreeBSD servers (something to do with > reaching the limit of ssh connections). They didn't tell us how to solve > the problem, but they suggested rebooting, which should return the > server under our control. We asked them to reboot and they did, problem > solved for now. > > I'm wondering if anyone knows what is causing this, and if there is a > permanent solution? The server was running fine for four months without > issues - this just suddenly came out of the blue. > > TIA, > Robert We had exactly the same problem with 5.3 on a dual opteron machine. One minute it worked and the next minute it stopped and had to be rebooted. The host insisted that this was clear evidence that machine had been compromised but this was nonsense. I have spoken to other people using 5.2 and 5.3 who report identical behavior. I don't know if it's a physical connection limit that's causing the problem though, because only two people log into my BSD server. I think a safer bet is this worm that tries to compromise servers by ssh. Perhaps the ssh server isn't cleaning up the failed connections well enough, or maybe it's detecting an attack and simply shutting down. This worm can generate a thousand or more connection attempts in a single session, so I can see how a tiny memory leak could grow into a big problem in a hurry. -- John Davis