Hello Don,
On 17.01.2020 at 00:42, Don Brown via MIDRANGE-L <midrange-l@xxxxxxxxxxxxxxxxxx> wrote:
sshd[1540655]: Invalid user dick from 190.111.249.133 port 56678
Welcome to the wonderful world of internet-facing systems! On our Linux boxes, I'm facing this kind of "trying to hack an account" many times a day.
I assume that the box must be reachable from outside for some reason?
First measure would be to check and eventually correct QSYS/EN_US object's AUT, so the job log should not be created in the first place. Maybe you'd have to test this one, because on my V7R2 they're flagged *PUBLIC *USE, so I don't understand what could be wrong here. Probably you need to add custom flags (everything but *CHANGE).
Secondary cause is the handling of the job logs, because any decent machine should be fast enough to handle many connection tries per minute. If you don't need these logs, I'd try to switch them off completely for sshd. After that, many sshd startups should no longer affect the machine in such a drastic way. I can't tell how to achieve that, though.
Find good values for the MaxStartups parameter in sshd_config. By default, it's not included. Syntax is start:rate:full, default 10:30:100. See https://linux.die.net/man/5/sshd_config for details. This *will* create DDoS-like scenarios, because there's no computable difference between legit and unwanted connections before auth.
Another possibility would be to introduce firewall rules to restrict connections to known IP ranges, or have a second Linux install at hand to use xinetd as generic TCP proxy to handle internet-originating connections and pass them to the i. Xinetd can restrict maximum connections in a given time frame per source IP address.
sshd[1540655]: rexec line 96: Deprecated option UsePrivilegeSeparation
Simply delete this line from sshd_config to get rid of the accompanying message.
PASE for i ended for signal 11, error code 1.
Ungraceful ABEND. I'm surprised to see something like that on IBM i.
:wq! PoC
PGP-Key: DDD3 4ABF 6413 38DE -
https://www.pocnet.net/poc-key.asc
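
Added example, not part of the original message: a small Python model of the MaxStartups start:rate:full behaviour as the linked man page describes it (refusal chance rising linearly from rate% at start to 100% at full), showing what a legitimate client faces while unauthenticated connections pile up. The function names are hypothetical, and the integer rounding and the load levels are assumptions.

```python
# Added illustration: model of sshd's MaxStartups start:rate:full early drop.
# Function names are hypothetical; integer rounding is an assumption.

def parse_max_startups(value):
    """Parse 'start:rate:full', or a single integer meaning a hard limit."""
    parts = [int(p) for p in value.strip().split(":")]
    if len(parts) == 1:
        start, rate, full = parts[0], 100, parts[0]
    elif len(parts) == 3:
        start, rate, full = parts
    else:
        raise ValueError("expected N or start:rate:full")
    if not (0 <= start <= full) or not (1 <= rate <= 100):
        raise ValueError("need 0 <= start <= full and 1 <= rate <= 100")
    return start, rate, full


def drop_percent(unauth, start, rate, full):
    """Percent chance that a new connection is refused before auth."""
    if unauth < start:
        return 0
    if unauth >= full or rate == 100:
        return 100
    # Linear ramp from rate% at `start` to 100% at `full`.
    return rate + (100 - rate) * (unauth - start) // (full - start)


def legit_success(unauth, tries, start, rate, full):
    """Chance a legitimate client gets a slot within `tries` attempts."""
    p_drop = drop_percent(unauth, start, rate, full) / 100
    return 1 - p_drop ** tries


if __name__ == "__main__":
    cfg = parse_max_startups("10:30:100")  # value quoted in the message
    for pending in (5, 10, 55, 99, 100):   # constructed load levels
        print(f"{pending:3d} pending: {drop_percent(pending, *cfg):3d}% refused, "
              f"legit client succeeds within 3 tries: "
              f"{legit_success(pending, 3, *cfg):.2f}")
```

The refusal is applied to every new connection alike, so the percentages apply to legitimate logins as much as to the password-guessing attempts.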