Re: sshd buildup of CLOSE_WAIT leading to unable to function

Re: sshd buildup of CLOSE_WAIT leading to unable to function

[Joshua Hudson]

The interesting detail is it would always stop at exactly 64 sockets
open; which is the maximum number for which select() doesn't have to
spawn a second thread.

Problem disappeared. Given the traces I got the reproduction would
involve somebody's deranged trojan SSH scanner.

64 to too low for Fail2Ban to prevent disaster so I didn't bother. The
fools aren't getting in anyway. I turned off password auth.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: sshd buildup of CLOSE_WAIT leading to unable to function

[Corinna Vinschen]

[-- Attachment #1: Type: text/plain, Size: 489 bytes --]

On Apr 11 09:07, Joshua Hudson wrote:
> The interesting detail is it would always stop at exactly 64 sockets
> open; which is the maximum number for which select() doesn't have to
> spawn a second thread.

Hmm, it doesn't.  All sockets given to select(2) are handled by a
single thread in Cygwin, even if more then 64.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

[-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --]

sshd buildup of CLOSE_WAIT leading to unable to function

[Joshua Hudson]

Hi. I'm getting a situation on one machine where sshd will fail to
accept connections in a way that says "connection refused" even though
it is listening. The server shows a large (58) number of connections
in CLOSE_WAIT.

A Google search leads me to
http://www.cygwin.com/ml/cygwin/2010-01/msg01235.html
and eventually to
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q198663
but I don't think that's right. Somebody else managed to this this in 2009
http://www.44342.com/ssh-f1158-t3789-p1.htm


Version:

OpenSSH_6.4p1, OpenSSL 1.0.1e 11 Feb 2013
CYGWIN_NT-6.1 redacted 1.7.25(0.270/5/3) 2013-08-31 20:37 x86_64 Cygwin

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: sshd buildup of CLOSE_WAIT leading to unable to function

[Corinna Vinschen]

[-- Attachment #1: Type: text/plain, Size: 803 bytes --]

On Apr  1 13:38, Joshua Hudson wrote:
> Hi. I'm getting a situation on one machine where sshd will fail to
> accept connections in a way that says "connection refused" even though
> it is listening. The server shows a large (58) number of connections
> in CLOSE_WAIT.
> 
> A Google search leads me to
> http://www.cygwin.com/ml/cygwin/2010-01/msg01235.html
> and eventually to
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q198663
> but I don't think that's right. Somebody else managed to this this in 2009
> http://www.44342.com/ssh-f1158-t3789-p1.htm

BLODA?  See http://cygwin.com/faq/faq.html#faq.using.bloda


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

[-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --]

Re: sshd buildup of CLOSE_WAIT leading to unable to function

[Joshua Hudson]

Sorry took so long to reply. Only reply was set to the mailing list
but not to me.

> BLODA?

No listed BLODA installed.

CLOSE_WAIT entries do not appear to build up from normal ssh use via
the cygwin ssh client. All CLOSE_WAIT entries show IP addresses not
ours. (Port is open on a public IP address. Only private key
authentication allowed.)

On 4/1/14, Joshua Hudson <joshudson@gmail.com> wrote:
> Hi. I'm getting a situation on one machine where sshd will fail to
> accept connections in a way that says "connection refused" even though
> it is listening. The server shows a large (58) number of connections
> in CLOSE_WAIT.
>
> A Google search leads me to
> http://www.cygwin.com/ml/cygwin/2010-01/msg01235.html
> and eventually to
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q198663
> but I don't think that's right. Somebody else managed to this this in 2009
> http://www.44342.com/ssh-f1158-t3789-p1.htm
>
>
> Version:
>
> OpenSSH_6.4p1, OpenSSL 1.0.1e 11 Feb 2013
> CYGWIN_NT-6.1 redacted 1.7.25(0.270/5/3) 2013-08-31 20:37 x86_64 Cygwin
>

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: sshd buildup of CLOSE_WAIT leading to unable to function

[Corinna Vinschen]

[-- Attachment #1: Type: text/plain, Size: 1081 bytes --]

On Apr  8 09:06, Joshua Hudson wrote:
> Sorry took so long to reply. Only reply was set to the mailing list
> but not to me.

That's the normal thing on mailing lists.

> > BLODA?
> 
> No listed BLODA installed.
> 
> CLOSE_WAIT entries do not appear to build up from normal ssh use via
> the cygwin ssh client. All CLOSE_WAIT entries show IP addresses not
> ours. (Port is open on a public IP address. Only private key
> authentication allowed.)

I can't reproduce this, sorry.

> > OpenSSH_6.4p1, OpenSSL 1.0.1e 11 Feb 2013
> > CYGWIN_NT-6.1 redacted 1.7.25(0.270/5/3) 2013-08-31 20:37 x86_64 Cygwin

For a start, you should update to the latest Cygwin and OpenSSH.  If you
can still reproduce this, we'll need something like a testcase.  58
CLOSE_WAIT connections in't that much btw.  It doesn't explain a
connection refused, unless you have lots and lots more open connections
at the time.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

[-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --]