SSH into Security Onion server disconnects within a minute and won't reconnect


rolf...@gmail.com

Oct 27, 2016, 4:18:57 PM
to security-onion
I just reinstalled Security Onion as a standalone on my home network. I have all the traffic through a switch being mirrored to it and it only has one interface. When I try to SSH into it using Bitvise on Windows 10, it will connect and it shows a terminal with user@IDS but won't let me type anything and disconnects in less than a minute. The error it gives me is:

"The SSH2 session has terminated with error. Reason: FlowSocketReader: Error receiving bytes. Windows error 10060: A connection attempt failed because the connected party did not respond after a period of time, or established connection failed because connected host has failed to respond."

Auto-reconnect fails and I can't even ping between the hosts in either direction for about 5-10 minutes but pings to all other hosts are successful from each side. After that period of time, I can ping successfully and also reconnect but it will still disconnect. I've looked through Firewall logs to see anything about either host and possible banning of the connection but nothing. I can't figure out what's wrong. I've tried another computer (Linux) by using SSH in the terminal and it just sits there for a while and says it was closed by remote host. So I'm guessing it's something wrong with Security Onion. I have seen some OSSEC alerts from the Windows IP about failed login, successful login and then some Snort alerts about SSH scanning from that IP. Is Security Onion blocking these connections or is something else wrong? I added the user to the SSH config file as Allowed but it didn't help.

Wes

Oct 27, 2016, 4:57:12 PM
to security-onion

Have you tried using a different SSH client, such as putty or MobaXterm?

Thanks,
Wes

rolf...@gmail.com

Oct 27, 2016, 5:40:48 PM
to security-onion
> Have you tried using a different SSH client, such as putty or MobaXterm?
>
> Thanks,
> Wes

I have tried PuTTY as well as the terminal SSH on a Linux machine with the same results. I looked at the /var/log/auth.log file and it shows the following. I'm not sure what some of it means or if it's even relevant:

Oct 27 21:13:21 IDS sshd[23244]: Accepted password for user from 192.168.1.101 port 3960 ssh2
Oct 27 21:13:21 IDS sshd[23244]: pam_unix(sshd:session): session opened for user user by (uid=0)
Oct 27 21:14:01 IDS CRON[23347]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct 27 21:14:01 IDS CRON[23348]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct 27 21:14:01 IDS CRON[23350]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct 27 21:14:01 IDS CRON[23349]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct 27 21:14:01 IDS CRON[23349]: pam_unix(cron:session): session closed for user root
Oct 27 21:14:01 IDS CRON[23348]: pam_unix(cron:session): session closed for user root
Oct 27 21:14:01 IDS CRON[23347]: pam_unix(cron:session): session closed for user root
Oct 27 21:14:09 IDS CRON[23350]: pam_unix(cron:session): session closed for user root
Oct 27 21:14:50 IDS lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object fi$
Oct 27 21:14:50 IDS lightdm: PAM adding faulty module: pam_kwallet.so
Oct 27 21:14:50 IDS lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "user"
Oct 27 21:14:53 IDS lightdm: pam_unix(lightdm-greeter:session): session closed for user lightdm

Doug Burks

Oct 27, 2016, 5:42:58 PM
to securit...@googlegroups.com
Sounds like this might be related to OSSEC Active Response. You could
try adding your IP address to OSSEC's whitelist in
/var/ossec/etc/ossec.conf:
https://github.com/Security-Onion-Solutions/security-onion/wiki/OSSEC#active-response



--
Doug Burks
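A small diagnostic for the cause Doug points at, written as an added example for this thread and not code from Security Onion or OSSEC: it reads OSSEC's active-response log to see which addresses firewall-drop has blocked and adds the missing `<white_list>` entry to ossec.conf. The 192.168.1.101 address is the Windows client from the auth.log excerpt above; the log line layout and the sample config are constructed for the example.

```shell
# Added example, not from the thread. OSSEC's firewall-drop active response
# adds an iptables DROP for the offending IP and removes it after <timeout>
# seconds (600 in the stock ossec.conf, matching the 5-10 minute lockout
# described above); each add/delete goes to /var/ossec/logs/active-responses.log.
# Sample files below are constructed; the exact log line layout is an assumption.
set -e
# IPs that firewall-drop has added (blocked). On an "add" line the IP is
# the third field from the end (ip, alert id, rule id).
blocked_ips() {
    awk '/firewall-drop.sh add/ {print $(NF-2)}' "$1" | sort -u
}

# Succeeds (exit 0) if ossec.conf already whitelists the IP.
is_whitelisted() {
    grep -qF "<white_list>$1</white_list>" "$2"
}

# Insert a <white_list> entry after the opening <global> tag. OSSEC must be
# restarted afterwards (/var/ossec/bin/ossec-control restart) to pick it up.
add_whitelist() {
    awk -v ip="$1" '{print} /<global>/ {print "    <white_list>" ip "</white_list>"}' \
        "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

WORK=$(mktemp -d)
SAMPLE_LOG="$WORK/active-responses.log"
SAMPLE_CONF="$WORK/ossec.conf"
cat > "$SAMPLE_LOG" <<'EOF'
Thu Oct 27 21:14:05 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh add - 192.168.1.101 1477602845.4532 5712
Thu Oct 27 21:24:05 UTC 2016 /var/ossec/active-response/bin/firewall-drop.sh delete - 192.168.1.101 1477602845.4532 5712
EOF
cat > "$SAMPLE_CONF" <<'EOF'
<ossec_config>
  <global>
    <email_notification>no</email_notification>
  </global>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
EOF
# Whitelist every address the response has blocked but the config does not exempt.
for ip in $(blocked_ips "$SAMPLE_LOG"); do
    is_whitelisted "$ip" "$SAMPLE_CONF" || add_whitelist "$ip" "$SAMPLE_CONF"
done
grep '<white_list>' "$SAMPLE_CONF"
```

On the actual server, point the functions at /var/ossec/logs/active-responses.log and /var/ossec/etc/ossec.conf, then restart OSSEC so the new whitelist entry takes effect.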

Joey

Oct 27, 2016, 6:37:07 PM
to security-onion
On Thursday, October 27, 2016 at 5:42:58 PM UTC-4, Doug Burks wrote:
> Sounds like this might be related to OSSEC Active Response. You could
> try adding your IP address to OSSEC's whitelist in
> /var/ossec/etc/ossec.conf:
> https://github.com/Security-Onion-Solutions/security-onion/wiki/OSSEC#active-response


Thank you thank you thank you! That worked. I never had to do that before with older versions but then again, I don't think I've ever installed OSSEC either.
