systemd[1]: sshd.socket: Too many incoming connections (64)

Postby checktravis » Sun Jun 09, 2013 6:12 am

i was using sftp from outside of my network, like i do all the time, only difference was i was setting up a second device to have access. ssh just stopped working. i could still remote in and see the samba shares and locally webmin was working but ssh was just out.

so, i rebooted my goflex and ssh was all better. i checked the log:
```
journalctl --since=today | tac | sed -n '/-- Reboot --/{n;:r;/-- Reboot --/q;p;n;b r}' | tac
```

and noticed this:

```
Jun 09 01:11:56 gfh sshd[3305]: Accepted password for root from xxx.xxx.xxx.xxx port xxxxx ssh2
Jun 09 01:11:56 gfh sshd[3304]: Accepted password for root from xxx.xxx.xxx.xxx port xxxxx ssh2
Jun 09 01:11:56 gfh sshd[3303]: Accepted password for root from xxx.xxx.xxx.xxx port xxxxx ssh2
Jun 09 01:11:56 gfh sshd[3305]: pam_tally(sshd:setcred): Tally underflowed for user root
Jun 09 01:11:56 gfh sshd[3303]: pam_tally(sshd:setcred): Tally underflowed for user root
Jun 09 01:11:56 gfh sshd[3305]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jun 09 01:11:56 gfh sshd[3304]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jun 09 01:11:56 gfh sshd[3303]: pam_unix(sshd:session): session opened for user root by (uid=0)

...

Jun 09 01:11:56 gfh systemd-logind[248]: New session c64 of user root.
Jun 09 01:11:56 gfh systemd-logind[248]: New session c65 of user root.
Jun 09 01:11:56 gfh systemd-logind[248]: New session c66 of user root.
```

and after that, i saw this several times throughout the rest of the log:

```
Jun 09 01:12:05 gfh systemd[1]: sshd.socket: Too many incoming connections (64)
```

i've googled, and searched the forum here, i'm a bit stumped. in fact, i have had so much success just researching my arch linux issues in the past i have never had to ask a question before. i created an account here to ask about this issue lol

i am guessing it was probably just me trying to log in too many times over a slow remote connection, but figured i would check and see if there is anything i need to address.

as an aside: this community has been extremely helpful in making my dream NAS come together. thank you!
checktravis
 
Posts: 23
Joined: Sun Jun 09, 2013 5:55 am

Re: systemd[1]: sshd.socket: Too many incoming connections (

Postby moonman » Sun Jun 09, 2013 6:57 am

Is the box accessible outside of your local network? If yes, and it is on the standard port (22), you will get a lot of people knocking and trying to log in, be it real people or bots.
moonman
Developer
 
Posts: 3388
Joined: Sat Jan 15, 2011 3:36 am

Re: systemd[1]: sshd.socket: Too many incoming connections (

Postby checktravis » Sun Jun 09, 2013 7:10 am

the local port is 22, but i have another port for outside the local network, my router forwards that port to 22 on the goflex.

i thought only the outer port mattered, but i will change them both to be safe.

thanks for the tip :)
checktravis
 
Posts: 23
Joined: Sun Jun 09, 2013 5:55 am

Re: systemd[1]: sshd.socket: Too many incoming connections (

Postby checktravis » Sun Jun 09, 2013 9:02 am

i think i found the problem, using astro file manager for sftp seems to create a lot of these new sessions, like every time you click on a folder.

i also found something about disabling pam_tally, so i tried editing /etc/pam.d/system-login

just commented out the first line:

```
#auth required pam_tally.so onerr=succeed file=/var/log/faillog
auth required pam_shells.so
auth requisite pam_nologin.so
auth include system-auth
```

that seemed to keep the ssh from crashing no matter how many sessions were created (exceeded the 64)

i'm reverting back the file to be safe, but is this a problem leaving it turned off like this?
checktravis
 
Posts: 23
Joined: Sun Jun 09, 2013 5:55 am

Re: systemd[1]: sshd.socket: Too many incoming connections (

Postby moonman » Sun Jun 09, 2013 10:18 am

If it's on a different port outside it doesn't matter then. They can't see port 22 open from the outside. Removing pam_tally shouldn't matter. It just counts logins and denies them if there are too many/too many failed. http://linux.die.net/man/8/pam_tally
moonman
Developer
 
Posts: 3388
Joined: Sat Jan 15, 2011 3:36 am
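
Added example, not part of any post in this thread: a small Python triage script that separates the two explanations discussed above (one SFTP client opening many authenticated sessions versus outside hosts guessing passwords) and counts the sshd.socket refusals. The sample log lines, the addresses and the `burst` threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in the journal format quoted in this thread; the
# addresses are documentation-range placeholders, not values from the posts.
SAMPLE = """\
Jun 09 01:11:56 gfh sshd[3303]: Accepted password for root from 203.0.113.7 port 50211 ssh2
Jun 09 01:11:56 gfh sshd[3304]: Accepted password for root from 203.0.113.7 port 50212 ssh2
Jun 09 01:11:56 gfh sshd[3305]: Accepted password for root from 203.0.113.7 port 50213 ssh2
Jun 09 01:12:01 gfh sshd[3310]: Failed password for invalid user admin from 198.51.100.23 port 40022 ssh2
Jun 09 01:12:02 gfh sshd[3311]: Failed password for root from 198.51.100.23 port 40023 ssh2
Jun 09 01:12:03 gfh sshd[3312]: Failed password for root from 198.51.100.23 port 40031 ssh2
Jun 09 01:12:05 gfh systemd[1]: sshd.socket: Too many incoming connections (64)
""".splitlines()

AUTH = re.compile(r"sshd\[\d+\]: (Accepted|Failed) \S+ for (?:invalid user )?\S+ from (\S+) port")
LIMIT = re.compile(r"systemd\[1\]: sshd\.socket: Too many incoming connections")

def summarize(lines):
    """Count accepted/failed logins per source and socket-limit refusals."""
    per_source = {}
    refusals = 0
    for line in lines:
        if LIMIT.search(line):
            refusals += 1
            continue
        m = AUTH.search(line)
        if m:
            result, source = m.groups()
            per_source.setdefault(source, Counter())[result] += 1
    return per_source, refusals

def classify(counts, burst=3):
    """Label one source; `burst` is an assumed threshold, tune it per host."""
    ok, bad = counts["Accepted"], counts["Failed"]
    if bad >= burst and ok == 0:
        return "password guessing"
    if bad >= burst and ok > 0:
        return "guessing then success: investigate"
    if ok >= burst:
        return "one client opening many sessions"
    return "normal"

def report(lines, burst=3):
    per_source, refusals = summarize(lines)
    return {src: classify(c, burst) for src, c in per_source.items()}, refusals

if __name__ == "__main__":
    verdicts, refusals = report(SAMPLE)
    for src, verdict in verdicts.items():
        print(f"{src}: {verdict}")
    print(f"sshd.socket refused connections {refusals} time(s)")
```

The `(64)` in the systemd message matches the default of `MaxConnections=` for socket units with `Accept=yes`, so refusals alongside a burst of accepted logins from one address point at the client's session behaviour rather than at an outside scan.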

