Troubleshooting
Problem
The SSH session is closed and prevents administrators from doing tasks on the QRadar Console CLI.
Cause
Possible causes for this problem can be:
- Poor performing network.
- Unauthenticated SSH sessions crossed the threshold.
Diagnosing The Problem
Having a poorly performing network or reaching the SSH unauthenticated sessions threshold can cause the SSH sessions to be closed.
Poor performing network
Administrator must determine with their respective networking team when the network is experiencing issues such as network congestion to the Console.
Unauthenticated sessions
- Use SSH to log in to the QRadar Console as the root user.
- Check the number of unauthenticated SSH sessions.
ps aux | echo "Unauthenticated sessions: " `grep -c "^sshd.*sshd:.*\[net\]"`
Output example:Unauthenticated sessions: 0
ResultAdministrators know how many unauthenticated SSH sessions have.
Resolving The Problem
Before running the steps in this section, Administrators must determine whether they are experiencing one of the issues listed in the Diagnosing The Problem section.
Poor performing network
Administrators must resolve the network issues with their respective networking team.
Unauthenticated sessions
The administrator can temporarily work around the issue by increasing the MaxStartups parameter. This parameter is used to limit the number of concurrent unauthenticated connections to the SSH service. In this example, we're increasing the value from 10 to 100 allowed connections.
- Use SSH to log in to the QRadar Console as the root user.
- Back up the ssh config file.
cp /etc/ssh/sshd_config /store/ibm_support/sshd_config.backup-$(date +%F)
- Use the sed command to change the MaxStartups value.
sed -i 's/#MaxStartups.*/MaxStartups 100/g' /etc/ssh/sshd_config
- Validate the new changes.
grep MaxStartups /etc/ssh/sshd_config
Output example:MaxStartups 100
- Restart the SSH service.
systemctl restart sshd
Result
The maximum number of unauthenticated SSH sessions allowed is increased. If you still have issues connection issues, contact QRadar Support for assistance.
Related Information
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwsyAAA","label":"Admin Tasks"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
25 October 2023
UID
ibm16952373