Troubleshooting
Problem
The ssh server on AIX® may drop new connections randomly before authentication or printing any output.
Symptom
New connections are dropped immediately after the connection is established but before any authentication takes place. Connections are dropped more frequently when the number of simultaneous connection requests goes up.
Cause
OpenSSH has a mechanism to mitigate connection-flooding attacks by limiting the number of concurrent connections whose authentication has not yet completed. The sshd_config option that controls it, MaxStartups, makes the server drop a random fraction of new connection requests once the number of unauthenticated connections passes a threshold; the fraction rises with the count until an upper limit is reached, at which point 100% of new connection requests are dropped.
Diagnosing The Problem
A network trace shows the ssh server sending a TCP FIN+ACK immediately after the SYN/SYN+ACK/ACK handshake, before it has sent its protocol version banner. Debug logs from sshd (LogLevel DEBUG1, or sshd started with -d) contain messages like these:
Aug 13 10:01:12 XXXXXXXX auth|security:debug sshd[4194308]: debug1: drop_connection: p 35, r 42
Aug 13 10:01:13 XXXXXXXX auth|security:debug sshd[4194308]: debug1: drop_connection: p 36, r 29
Aug 13 10:01:13 XXXXXXXX auth|security:debug sshd[4194308]: debug1: drop connection #18
Aug 13 10:01:13 XXXXXXXX auth|security:debug sshd[4194308]: debug1: drop_connection: p 36, r 87
Aug 13 10:01:14 XXXXXXXX auth|security:debug sshd[4194308]: debug1: drop_connection: p 37, r 64
Aug 13 10:01:14 XXXXXXXX auth|security:debug sshd[4194308]: debug1: drop_connection: p 37, r 34
Aug 13 10:01:14 XXXXXXXX auth|security:debug sshd[4194308]: debug1: drop connection #20
Aug 13 10:01:14 XXXXXXXX auth|security:debug sshd[4194308]: debug1: drop_connection: p 37, r 10
Resolving The Problem
The default value for MaxStartups is 10:30:100, in the form start:rate:full. Once 10 connections are waiting for authentication to complete, sshd drops new connection requests with a probability of 30%; the probability increases linearly with the number of pending connections until 100 are pending, at which point every new connection request is dropped. In the debug output above, p is that computed drop percentage (not the number of pending connections) and r is a random number from 0 to 99; the request is dropped when r is less than p, and the "drop connection #N" line that follows gives N, the number of unauthenticated connections at that moment. In the sample, 18 and 20 connections were pending when the two drops occurred.

If the incoming rate of new connections is legitimate and expected, raise the start value (the first of the three numbers) above the largest N seen in the "drop connection #N" lines, for example MaxStartups 30:30:100 in /etc/ssh/sshd_config. The start value must not exceed the full value (the third number); if the two are equal, sshd drops every connection beyond that count with no random phase, so raise the full value as well if start approaches it. Check the file with sshd -t and restart the daemon (on AIX, stopsrc -s sshd followed by startsrc -s sshd) for the change to take effect. Raising MaxStartups weakens the protection against floods of unauthenticated connections, so size it for the expected burst rather than disabling it; a shorter LoginGraceTime also frees slots held by clients that connect but never finish authenticating.
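The following script is an added example; it is not part of the IBM technote and is not OpenSSH code. It reproduces, in Python, the start:rate:full arithmetic that sshd applies for MaxStartups (documented in sshd_config(5)), so that the "p" printed in the debug log can be checked against a pending-connection count, and it parses debug lines in the format shown above to find the peak number of unauthenticated connections and propose a new start value. The log lines are constructed for the example, and the rule for raising the full value when start reaches it is an arbitrary choice made here, not an OpenSSH behaviour.

```python
"""Model OpenSSH MaxStartups throttling and read sshd debug output.

Added example, not code from the technote or from OpenSSH. The arithmetic
mirrors the documented start:rate:full behaviour: below `start` pending
connections nothing is dropped, at `full` everything is, and in between the
drop percentage rises linearly from `rate` using truncating integer division.
"""
import re
from typing import Dict, List, Tuple

Spec = Tuple[int, int, int]  # (start, rate, full)

DEFAULT_SPEC: Spec = (10, 30, 100)

# Constructed sample, modelled on the technote's debug output (hostname replaced).
SAMPLE_LOG = """\
Aug 13 10:01:12 host auth|security:debug sshd[4194308]: debug1: drop_connection: p 35, r 42
Aug 13 10:01:13 host auth|security:debug sshd[4194308]: debug1: drop_connection: p 36, r 29
Aug 13 10:01:13 host auth|security:debug sshd[4194308]: debug1: drop connection #18
Aug 13 10:01:13 host auth|security:debug sshd[4194308]: debug1: drop_connection: p 36, r 87
Aug 13 10:01:14 host auth|security:debug sshd[4194308]: debug1: drop_connection: p 37, r 64
Aug 13 10:01:14 host auth|security:debug sshd[4194308]: debug1: drop_connection: p 37, r 34
Aug 13 10:01:14 host auth|security:debug sshd[4194308]: debug1: drop connection #20
"""

DECISION_RE = re.compile(r"drop_connection: p (\d+), r (\d+)")
DROPPED_RE = re.compile(r"drop connection #(\d+)")


def parse_spec(value: str) -> Spec:
    """Parse a MaxStartups value. A bare number N is a hard cap: start = full = N."""
    parts = [int(x) for x in value.split(":")]
    if len(parts) == 1:
        start = full = parts[0]
        rate = 100  # irrelevant when start == full: every decision is deterministic
    elif len(parts) == 3:
        start, rate, full = parts
    else:
        raise ValueError(f"bad MaxStartups value: {value!r}")
    if start > full or not 1 <= rate <= 100:
        raise ValueError(f"illegal MaxStartups value: {value!r}")
    return start, rate, full


def drop_probability(pending: int, spec: Spec = DEFAULT_SPEC) -> int:
    """Percentage chance that a new connection is dropped with `pending` unauthenticated ones.

    This is the value logged as "p"; the connection is dropped when the random
    "r" (0..99) is below it.
    """
    start, rate, full = spec
    if pending < start:
        return 0
    if pending >= full or rate == 100:
        return 100
    # Same operation order as the C code so integer truncation matches the log.
    p = 100 - rate
    p *= pending - start
    p //= full - start
    return p + rate


def pending_for_probability(p: int, spec: Spec = DEFAULT_SPEC) -> List[int]:
    """Pending-connection counts that produce a given logged "p" (none for p below rate)."""
    start, _rate, full = spec
    return [n for n in range(start, full) if drop_probability(n, spec) == p]


def analyse_log(text: str, spec: Spec = DEFAULT_SPEC) -> Dict[str, object]:
    """Summarise drop decisions and the peak number of unauthenticated connections."""
    decisions: List[Tuple[int, int, bool]] = []
    dropped_at: List[int] = []
    for line in text.splitlines():
        m = DECISION_RE.search(line)
        if m:
            p, r = int(m.group(1)), int(m.group(2))
            decisions.append((p, r, r < p))  # dropped when r < p
            continue
        m = DROPPED_RE.search(line)
        if m:
            dropped_at.append(int(m.group(1)))
    # The count is only logged for dropped connections; infer it from p for the rest.
    inferred = [max(pending_for_probability(p, spec), default=0) for p, _, _ in decisions]
    peak = max(dropped_at + inferred, default=0)
    return {"decisions": decisions, "dropped_at": dropped_at, "peak_pending": peak}


def recommend_spec(peak_pending: int, current: Spec = DEFAULT_SPEC) -> str:
    """Raise `start` just above the observed peak so the legitimate burst is not throttled.

    Keeps rate and full unless start would reach full; then full is raised to
    twice the new start (an arbitrary choice for this example).
    """
    start, rate, full = current
    new_start = max(start, peak_pending + 1)
    if new_start >= full:
        full = 2 * new_start
    return f"{new_start}:{rate}:{full}"


if __name__ == "__main__":
    summary = analyse_log(SAMPLE_LOG)
    print("peak unauthenticated connections:", summary["peak_pending"])
    print("recommended MaxStartups:", recommend_spec(summary["peak_pending"]))
```

Run against real output, feed the script the lines from the sshd debug log instead of SAMPLE_LOG. With the defaults, p 35 can only come from 17 pending connections and p 37 from 19 or 20, which is why the sample's two drops appear as #18 and #20; the recommendation for that sample is 21:30:100, the smallest start value that would have let the burst through.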
Document Information
Modified date:
13 August 2019
UID
ibm10967413