Zenoss + pfsense + issues



  • Hi, I have a monitoring server (Debian etch 4.0.4 x64) at my company, and pfSense is giving me these errors. I made some changes to the following pfSense parameters to change the network throughput: I disabled the DNS forwarder, since we have an internal split-view DNS and had resolution problems on several occasions; after that we no longer had that problem. Here are the changes I made:

    Enable Device polling
        Disable Allow Dns server….
        enable do not use the dns forwarted as ...

    /boot/loader.conf

    hw.pci.enable_msi=0
    hw.pci.enable_msix=0
    sysctl (via System Tunables)
    kern.maxfiles: 12328
    kern.maxfilesperproc: 11095
    kern.maxvnodes: 69210
    net.inet.tcp.mssdflt=1460
    net.inet.tcp.recvspace=131400
    net.inet.tcp.sendspace=131400
    net.inet.tcp.slowstart_flightsize=90
    net.inet.tcp.hostcache.expire=3900
    enable ipv6 0

    This is the configuration and version of my monitoring server:

    Software Component Versions  
    Zenoss Zenoss 3.2.1
    OS Linux (x86_64) 2.6.32 (Linux  2.6.32-5-amd64 #1 SMP Mon Jan 16 16:22:28 UTC 2012 x86_64)
    Zope Zope 2.12.1
    Python Python 2.6.2
    Database MySQL 5.0.45 (Ver 5.0.45)
    RRD RRDtool 1.3.9
    Twisted Twisted 8.1.0
    NetSnmp NetSnmp 5.4.1
    PyNetSnmp PyNetSnmp 0.29.13
    WMI Wmi 1.3.13

    pfSense version

    Version 2.0.1-RELEASE (i386)
    built on Mon Dec 12 17:53:52 EST 2011
    FreeBSD 8.1-RELEASE-p6
    Platform pfSense
    CPU Type Intel(R) Xeon(TM) CPU 3.06GHz

    In the General section I have the SSH option enabled; I can log in via SSH from the machine with the user I have assigned.
    I disabled the settings for monitoring over SSH and I still receive the same alarm every minute, and it is bringing the server down: I have 60% CPU usage. Before disabling the device's configuration the alarm was received many more times, and I had network interruptions because of the CPU load; before that, everything was fine with no problems.

    Aug 3 10:01:23 sshd[6541]: Did not receive identification string from 192.168.3.x

    Aug 3 10:00:23 sshd[45926]: Did not receive identification string from 192.168.3.x
    Aug 3 09:59:23 sshd[19368]: Did not receive identification string from 192.168.3.x
    Aug 3 09:58:23 sshd[55038]: Did not receive identification string from 192.168.3.x
    Aug 3 09:57:23 sshd[31491]: Did not receive identification string from 192.168.3.x
    Aug 3 09:56:23 sshd[6801]: Did not receive identification string from 192.168.3.x
    Aug 3 09:55:23 sshd[46143]: Did not receive identification string from 192.168.3.x
    Aug 3 09:54:23 sshd[17514]: Did not receive identification string from 192.168.3.x
    Aug 3 09:53:23 sshd[55880]: Did not receive identification string from 192.168.3.x
    Aug 3 09:52:23 sshd[33542]: Did not receive identification string from 192.168.3.x
    Aug 3 09:51:23 sshd[5801]: Did not receive identification string from 192.168.3.x
    Aug 3 09:50:23 sshd[43080]: Did not receive identification string from 192.168.3.x
    Aug 3 09:49:23 sshd[17504]: Did not receive identification string from 192.168.3.x
    Aug 3 09:48:23 sshd[57181]: Did not receive identification string from 192.168.3.x
    Aug 3 09:47:23 sshd[32540]: Did not receive identification string from 192.168.3.x
    Aug 3 09:46:23 sshd[3684]: Did not receive identification string from 192.168.3.x
    Aug 3 09:45:23 sshd[58632]: Did not receive identification string from 192.168.3.x
    Aug 3 09:44:23 sshd[42428]: Did not receive identification string from 192.168.3.x
    Aug 3 09:43:23 sshd[18662]: Did not receive identification string from 192.168.3.x
    Aug 3 09:42:23 sshd[57141]: Did not receive identification string from 192.168.3.x
    Aug 3 09:41:23 sshd[32018]: Did not receive identification string from 192.168.3.x
    Aug 3 09:40:23 sshd[7557]: Did not receive identification string from 192.168.3.x
    Aug 3 09:39:23 sshd[43269]: Did not receive identification string from 192.168.3.x
    Aug 3 09:38:23 sshd[15569]: Did not receive identification string from 192.168.3.x
    Aug 3 09:37:23 sshd[54375]: Did not receive identification string from 192.168.3.x
    Aug 3 09:36:23 sshd[29018]: Did not receive identification string from 192.168.3.x
    Aug 3 09:35:23 sshd[41x8]: Did not receive identification string from 192.168.3.x
    Aug 3 09:34:23 sshd[42645]: Did not receive identification string from 192.168.3.x
    Aug 3 09:33:23 sshd[17518]: Did not receive identification string from 192.168.3.x
    Aug 3 09:32:23 sshd[57727]: Did not receive identification string from 192.168.3.x

    Device: NOMBRE DEL PFSENSE
    Component: sshd
    Event Class: /Unknown
    Status: 1
    Start Time: 2012/06/18 08:49:14.000
    Stop Time: 2012/07/16 15:59:22.000
    Count: 12
    Message: error: PAM: authentication error for illegal user USERLOGIN from 172.16.x.x
    Systems:
    Groups:
    Location:
    Device Class: /Network
    Production State: Production
    Device Priority: Normal
    Hide details
    agent zensyslog
    clearid
    component sshd
    count 12
    dedupid IP-PFSENSE|sshd|||4|error: PAM: authentication error for illegal user USERLOGIN from 172.16.x.X
    device IP-PFSENSE
    DeviceClass /Network
    DeviceGroups |
    DevicePriority 3
    eventClass /Unknown
    eventClassKey sshd
    eventClassMapping
    eventGroup syslog
    eventKey
    eventState 1
    evid 5301486c-ea2c-4f0f-a5cb-d3d1ebff7dea
    facility auth
    firstTime 2012/06/18 08:49:14.000
    ipAddress 192.168.3.1
    lastTime 2012/07/16 15:59:22.000
    Location
    manager HOSTNAME
    message error: PAM: authentication error for illegal user USERLOGIN from 172.16.x.x
    monitor localhost
    ntevid 0
    ownerid XXXXXXX
    priority 3
    prodState 1000
    severity 4
    stateChange 2012/07/16 15:59:22.000
    summary error: PAM: authentication error for illegal user USERLOGIN from 172.16.X.X
    suppid º
    Systems |



  • I'm not clear on this…

    Who are 192.168.3.x and 172.16.x.x to you?

    It looks like they are trying to attack the SSH server (ssh daemon), sshd, which is complaining.

    It is also not clear to me whether it is pfSense's sshd or your Debian's that is complaining.

    Regards,

    Josep Pujadas-Jubany



  • @bellera sorry, these are my networks:

    ISP_Wan 200.x.x.232/29
    Dmz= 192.168.3.x/25
    Lan = 172.16.x.x/x



  • Google: sshd Did not receive identification string from

    Apparently this error means that the server did not receive the SSH client's greeting. From what I have seen, this happens when the connection fails for some reason.

    It is quite common for port 22 to be monitored in some way that is not an SSH connection, which triggers the error.

    http://h30499.www3.hp.com/t5/System-Administration/sshd-14074-Did-not-receive-identification-string-from/td-p/4701919#.UJQxOxJ3AVU
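
As an added, illustrative example (not from this thread, nor from pfSense or Zenoss): a small Python triage script that parses sshd "Did not receive identification string" syslog lines like the ones quoted above, groups them by source address and flags a source whose connections arrive at a fixed interval, which is the signature of a scheduled TCP port check such as a monitor's port-22 probe, as opposed to irregular attempts that deserve a closer look. The sample log lines, addresses and the 60-second cadence are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Matches the sshd syslog line quoted in the thread (no year in syslog timestamps).
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"sshd\[\d+\]: Did not receive identification string from (?P<src>\S+)$"
)

def parse_events(lines, year=2012):
    """Return {source_ip: [datetime, ...]} (sorted) for every matching line."""
    by_src = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # some other syslog message; ignore
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        by_src[m["src"]].append(ts)
    return {src: sorted(ts) for src, ts in by_src.items()}

def classify(timestamps, tolerance=2.0, min_events=3):
    """'periodic-probe' when the gaps between connections are near-constant
    (what a scheduled port check produces); 'irregular' otherwise."""
    if len(timestamps) < min_events:
        return "too-few", None
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    period = mean(gaps)
    verdict = "periodic-probe" if pstdev(gaps) <= tolerance else "irregular"
    return verdict, period

def triage(lines, year=2012):
    """Map each source address to (verdict, mean gap in seconds)."""
    return {src: classify(ts) for src, ts in parse_events(lines, year).items()}

# Constructed sample: a monitor host connecting every 60 s, an irregular burst
# from another host, and one unrelated sshd line that must be skipped.
SAMPLE_LOG = """\
Aug 3 09:57:23 sshd[31491]: Did not receive identification string from 192.168.3.10
Aug 3 09:58:23 sshd[55038]: Did not receive identification string from 192.168.3.10
Aug 3 09:59:23 sshd[19368]: Did not receive identification string from 192.168.3.10
Aug 3 10:00:23 sshd[45926]: Did not receive identification string from 192.168.3.10
Aug 3 10:00:01 sshd[60001]: Did not receive identification string from 10.9.8.7
Aug 3 10:00:02 sshd[60002]: Did not receive identification string from 10.9.8.7
Aug 3 10:00:40 sshd[60003]: Did not receive identification string from 10.9.8.7
Aug 3 10:00:05 sshd[60004]: error: PAM: authentication error for illegal user bob from 10.9.8.7
""".splitlines()
```

Running `triage(SAMPLE_LOG)` reports the 192.168.3.10 source as a periodic probe with a 60 s period, which is exactly the once-a-minute pattern in the quoted log, while the 10.9.8.7 source comes out as irregular.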



  • Hi @bellera, indeed, reading the link you posted, it had the solution: I disabled the monitoring of the SSH port and that was it, I no longer get that warning! Regards!

