Zenoss + pfsense + issues
-
Hello, I have a monitoring server (Debian etch 4.0.4 X64) at my company, and pfSense is giving me these errors. I changed the following pfSense parameters to change the network throughput, and I disabled the DNS forwarder, since we have an internal split-view DNS and I had resolution problems on several occasions; after that we no longer had the problem. Here are the changes I made:
Enable Device polling
Disable Allow Dns server….
Enable Do not use the DNS forwarder as ...
/boot/loader.conf
hw.pci.enable_msi=0
hw.pci.enable_msix=0
sysctl (via System Tunables)
kern.maxfiles: 12328
kern.maxfilesperproc: 11095
kern.maxvnodes: 69210
net.inet.tcp.mssdflt=1460
net.inet.tcp.recvspace=131400
net.inet.tcp.sendspace=131400
net.inet.tcp.slowstart_flightsize=90
net.inet.tcp.hostcache.expire=3900
enable ipv6 0
This is the configuration and version of my monitoring server:
Software Component Versions
Zenoss Zenoss 3.2.1
OS Linux (x86_64) 2.6.32 (Linux 2.6.32-5-amd64 #1 SMP Mon Jan 16 16:22:28 UTC 2012 x86_64)
Zope Zope 2.12.1
Python Python 2.6.2
Database MySQL 5.0.45 (Ver 5.0.45)
RRD RRDtool 1.3.9
Twisted Twisted 8.1.0
NetSnmp NetSnmp 5.4.1
PyNetSnmp PyNetSnmp 0.29.13
WMI Wmi 1.3.13
pfSense version
Version 2.0.1-RELEASE (i386)
built on Mon Dec 12 17:53:52 EST 2011
FreeBSD 8.1-RELEASE-p6
Platform pfSense
CPU Type Intel(R) Xeon(TM) CPU 3.06GHz
In the General section I have the SSH option enabled, and I can log in over SSH from the machine with the user assigned to me.
I disabled the settings for monitoring over SSH and I still receive the same alarm every minute, and it is overloading the server; I have 60% CPU usage. Before disabling the device's configuration, the alarm was received many more times, and before that I had network interruptions because of the CPU load. Before, when everything was fine with no problems,
Aug 3 10:01:23 sshd[6541]: Did not receive identification string from 192.168.3.x
Aug 3 10:00:23 sshd[45926]: Did not receive identification string from 192.168.3.x
Aug 3 09:59:23 sshd[19368]: Did not receive identification string from 192.168.3.x
Aug 3 09:58:23 sshd[55038]: Did not receive identification string from 192.168.3.x
Aug 3 09:57:23 sshd[31491]: Did not receive identification string from 192.168.3.x
Aug 3 09:56:23 sshd[6801]: Did not receive identification string from 192.168.3.x
Aug 3 09:55:23 sshd[46143]: Did not receive identification string from 192.168.3.x
Aug 3 09:54:23 sshd[17514]: Did not receive identification string from 192.168.3.x
Aug 3 09:53:23 sshd[55880]: Did not receive identification string from 192.168.3.x
Aug 3 09:52:23 sshd[33542]: Did not receive identification string from 192.168.3.x
Aug 3 09:51:23 sshd[5801]: Did not receive identification string from 192.168.3.x
Aug 3 09:50:23 sshd[43080]: Did not receive identification string from 192.168.3.x
Aug 3 09:49:23 sshd[17504]: Did not receive identification string from 192.168.3.x
Aug 3 09:48:23 sshd[57181]: Did not receive identification string from 192.168.3.x
Aug 3 09:47:23 sshd[32540]: Did not receive identification string from 192.168.3.x
Aug 3 09:46:23 sshd[3684]: Did not receive identification string from 192.168.3.x
Aug 3 09:45:23 sshd[58632]: Did not receive identification string from 192.168.3.x
Aug 3 09:44:23 sshd[42428]: Did not receive identification string from 192.168.3.x
Aug 3 09:43:23 sshd[18662]: Did not receive identification string from 192.168.3.x
Aug 3 09:42:23 sshd[57141]: Did not receive identification string from 192.168.3.x
Aug 3 09:41:23 sshd[32018]: Did not receive identification string from 192.168.3.x
Aug 3 09:40:23 sshd[7557]: Did not receive identification string from 192.168.3.x
Aug 3 09:39:23 sshd[43269]: Did not receive identification string from 192.168.3.x
Aug 3 09:38:23 sshd[15569]: Did not receive identification string from 192.168.3.x
Aug 3 09:37:23 sshd[54375]: Did not receive identification string from 192.168.3.x
Aug 3 09:36:23 sshd[29018]: Did not receive identification string from 192.168.3.x
Aug 3 09:35:23 sshd[41x8]: Did not receive identification string from 192.168.3.x
Aug 3 09:34:23 sshd[42645]: Did not receive identification string from 192.168.3.x
Aug 3 09:33:23 sshd[17518]: Did not receive identification string from 192.168.3.x
Aug 3 09:32:23 sshd[57727]: Did not receive identification string from 192.168.3.x
Device: NOMBRE DEL PFSENSE
Component: sshd
Event Class: /Unknown
Status: 1
Start Time: 2012/06/18 08:49:14.000
Stop Time: 2012/07/16 15:59:22.000
Count: 12
Message: error: PAM: authentication error for illegal user USERLOGIN from 172.16.x.x
Systems:
Groups:
Location:
Device Class: /Network
Production State: Production
Device Priority: Normal
agent zensyslog
clearid
component sshd
count 12
dedupid IP-PFSENSE|sshd|||4|error: PAM: authentication error for illegal user USERLOGIN from 172.16.x.X
device IP-PFSENSE
DeviceClass /Network
DeviceGroups |
DevicePriority 3
eventClass /Unknown
eventClassKey sshd
eventClassMapping
eventGroup syslog
eventKey
eventState 1
evid 5301486c-ea2c-4f0f-a5cb-d3d1ebff7dea
facility auth
firstTime 2012/06/18 08:49:14.000
ipAddress 192.168.3.1
lastTime 2012/07/16 15:59:22.000
Location
manager HOSTNAME
message error: PAM: authentication error for illegal user USERLOGIN from 172.16.x.x
monitor localhost
ntevid 0
ownerid XXXXXXX
priority 3
prodState 1000
severity 4
stateChange 2012/07/16 15:59:22.000
summary error: PAM: authentication error for illegal user USERLOGIN from 172.16.X.X
suppid
Systems |
-
I'm not following…
Who are 192.168.3.x and 172.16.x.x to you?
It looks like someone is trying to attack the SSH server (ssh daemon), sshd, which is complaining.
It's also not clear to me whether it is pfSense's sshd or your Debian's that is complaining.
Regards,
Josep Pujadas-Jubany
-
@bellera sorry, these are my networks:
ISP_Wan 200.x.x.232/29
Dmz= 192.168.3.x/25
Lan = 172.16.x.x/x
-
Google: sshd Did not receive identification string from
Apparently this error means that the client does not receive the SSH server's greeting. From what I've seen, this happens when the connection fails for some reason.
It is common for port 22 to be monitored in some way that is not an SSH connection, which triggers the error.
http://h30499.www3.hp.com/t5/System-Administration/sshd-14074-Did-not-receive-identification-string-from/td-p/4701919#.UJQxOxJ3AVU
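
Added example, not part of the original posts: a small Python triage script that groups "Did not receive identification string" messages by source and flags sources whose events arrive at a fixed interval, as the once-a-minute entries in the log above do. The addresses, the assumed year, the function name and the thresholds are constructed for illustration; a regular cadence is a heuristic hint of a scheduled port check, not proof.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample (not from the thread): 192.0.2.10 stands in for the
# redacted source in the log, 198.51.100.7 for an unrelated irregular source.
SAMPLE_LOG = """\
Aug 3 09:53:23 sshd[55880]: Did not receive identification string from 192.0.2.10
Aug 3 09:54:23 sshd[17514]: Did not receive identification string from 192.0.2.10
Aug 3 09:55:23 sshd[46143]: Did not receive identification string from 192.0.2.10
Aug 3 09:56:23 sshd[6801]: Did not receive identification string from 192.0.2.10
Aug 3 09:57:23 sshd[31491]: Did not receive identification string from 192.0.2.10
Aug 3 09:50:01 sshd[4101]: Did not receive identification string from 198.51.100.7
Aug 3 09:50:03 sshd[4102]: Did not receive identification string from 198.51.100.7
Aug 3 09:50:04 sshd[4103]: Did not receive identification string from 198.51.100.7
Aug 3 09:53:40 sshd[4188]: Did not receive identification string from 198.51.100.7
Aug 3 09:58:12 sshd[4290]: Did not receive identification string from 198.51.100.7
"""

PATTERN = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) sshd\[\d+\]: "
    r"Did not receive identification string from (\S+)$"
)

def classify_sources(log_text, year=2012, min_events=5, max_jitter=2.0):
    """Map each source to (verdict, median gap in seconds between events)."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = PATTERN.match(line.strip())
        if m:
            # Syslog lines carry no year, so one is assumed for parsing.
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            seen[m.group(2)].append(ts)
    result = {}
    for src, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(stamps) < max(min_events, 2):
            result[src] = ("insufficient data", None)
        elif pstdev(gaps) <= max_jitter:
            result[src] = ("periodic", median(gaps))  # steady cadence
        else:
            result[src] = ("irregular", median(gaps))
    return result

if __name__ == "__main__":
    print(classify_sources(SAMPLE_LOG))
```

A source reported as periodic with a gap matching the monitoring system's check interval is a candidate for the port check described above; an irregular source deserves a closer look.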
-
Hello @bellera, indeed, reading the link you posted, it had the solution: I disabled monitoring of the SSH port and that was it, I no longer get that warning! Regards!