Welcome to novaBBS (click a section below)

mail files register newsreader groups login

Message-ID:

Emotions are alien to me. I'm a scientist. -- Spock, "This Side of Paradise", stardate 3417.3

There are too many sshd processes has been started on the server triggered by autossh.

Subject	Author
There are too many sshd processes has been started on the server	hongy...@gmail.com
Re: There are too many sshd processes has been started on the server triggered b	Spiros Bousbouras
Re: There are too many sshd processes has been started on the server	hongy...@gmail.com
Re: There are too many sshd processes has been started on the server triggered b	Spiros Bousbouras
Re: There are too many sshd processes has been started on the server triggered b	Eli the Bearded
Re: There are too many sshd processes has been started on the server	hongy...@gmail.com
Re: There are too many sshd processes has been started on the server	hongy...@gmail.com
Re: There are too many sshd processes has been started on the server	Grant Taylor
Re: There are too many sshd processes has been started on the server	hongy...@gmail.com
Re: There are too many sshd processes has been started on the server	hongy...@gmail.com
Re: There are too many sshd processes has been started on the server	Grant Taylor
Re: There are too many sshd processes has been started on the server	hongy...@gmail.com
Re: There are too many sshd processes has been started on the server	Grant Taylor
Re: There are too many sshd processes has been started on the server	hongy...@gmail.com
Re: There are too many sshd processes has been started on the server	Grant Taylor
Re: There are too many sshd processes has been started on the server	hongy...@gmail.com
Re: There are too many sshd processes has been started on the server	Grant Taylor
Re: There are too many sshd processes has been started on the	William Unruh
Re: There are too many sshd processes has been started on the server	Grant Taylor
Re: There are too many sshd processes has been started on the	William Unruh
Re: There are too many sshd processes has been started on the server	Grant Taylor
Re: There are too many sshd processes has been started on the server	hongy...@gmail.com
Re: There are too many sshd processes has been started on the server	hongy...@gmail.com
Re: There are too many sshd processes has been started on the server	hongy...@gmail.com
Re: There are too many sshd processes has been started on the server	hongy...@gmail.com
Re: There are too many sshd processes has been started on the server	hongy...@gmail.com
Re: There are too many sshd processes has been started on the server	Grant Taylor

Pages:12

There are too many sshd processes has been started on the server triggered by autossh.

<de7537f1-14fa-4384-8925-dfe1619f53d3n@googlegroups.com>

copy mid

https://www.novabbs.com/devel/article-flat.php?id=4540&group=comp.unix.shell#4540

copy link Newsgroups: comp.unix.shell

X-Received: by 2002:a05:620a:eca:: with SMTP id x10mr2496349qkm.312.1635412805620;
Thu, 28 Oct 2021 02:20:05 -0700 (PDT)
X-Received: by 2002:ac8:57c9:: with SMTP id w9mr3258004qta.254.1635412805454;
Thu, 28 Oct 2021 02:20:05 -0700 (PDT)
Path: i2pn2.org!rocksolid2!news.neodome.net!3.eu.feeder.erje.net!feeder.erje.net!newsfeed.xs4all.nl!newsfeed9.news.xs4all.nl!feeder1.cambriumusenet.nl!feed.tweak.nl!209.85.160.216.MISMATCH!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.unix.shell
Date: Thu, 28 Oct 2021 02:20:05 -0700 (PDT)
Injection-Info: google-groups.googlegroups.com; posting-host=178.128.104.170; posting-account=kF0ZaAoAAACPbiK5gldhAyX5qTd3krV2
NNTP-Posting-Host: 178.128.104.170
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <de7537f1-14fa-4384-8925-dfe1619f53d3n@googlegroups.com>
Subject: There are too many sshd processes has been started on the server
triggered by autossh.
From: hongyi.z...@gmail.com (hongy...@gmail.com)
Injection-Date: Thu, 28 Oct 2021 09:20:05 +0000
Content-Type: text/plain; charset="UTF-8"

by: hongy...@gmail.com - Thu, 28 Oct 2021 09:20 UTC

On client, I run the follownig command to create a ssh based remote port forwarding proxy:
$ autossh -M 0 -4 -NT \
-o ServerAliveInterval=30 \
-o "ServerAliveCountMax=3" \
-o "ExitOnForwardFailure=yes" \
-o StrictHostKeyChecking=no \
-R 21080:localhost:1080 \
-R 20022:localhost:22 \
werner@my.remote.server -p 2101

Then on the server side, I observed there are too many sshd processes has been started:
werner@Standard-PC-i440FX-PIIX-1996:~$ sudo lsof -i :20022
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 196794 werner 12u IPv4 1409853 0t0 TCP *:20022 (LISTEN)
sshd 196794 werner 13u IPv6 1409854 0t0 TCP *:20022 (LISTEN)
sshd 196794 werner 50u IPv4 1411624 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:56586 (CLOSE_WAIT)
sshd 196794 werner 55u IPv4 1411630 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:38018 (ESTABLISHED)
sshd 196794 werner 60u IPv4 1411660 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:47680 (ESTABLISHED)
sshd 196794 werner 67u IPv4 1411668 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:57342 (ESTABLISHED)
sshd 196794 werner 70u IPv4 1411671 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:38772 (ESTABLISHED)
sshd 196794 werner 71u IPv4 1411672 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:48434 (ESTABLISHED)
sshd 196794 werner 74u IPv4 1411675 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:58096 (ESTABLISHED)
sshd 196794 werner 75u IPv4 1411711 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:39526 (ESTABLISHED)
sshd 196794 werner 87u IPv4 1411719 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:49188 (ESTABLISHED)
sshd 196794 werner 88u IPv4 1411721 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:58850 (ESTABLISHED)
sshd 196794 werner 89u IPv4 1411722 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:40280 (ESTABLISHED)
sshd 196794 werner 90u IPv4 1411761 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:49942 (ESTABLISHED)
sshd 196794 werner 91u IPv4 1411763 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:59604 (ESTABLISHED)
sshd 196794 werner 92u IPv4 1411764 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:41034 (ESTABLISHED)
sshd 196794 werner 93u IPv4 1411765 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:50696 (ESTABLISHED)
sshd 196794 werner 96u IPv4 1411768 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:60358 (ESTABLISHED)
sshd 196794 werner 97u IPv4 1411802 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:41788 (ESTABLISHED)
sshd 196794 werner 102u IPv4 1411807 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:51450 (ESTABLISHED)
sshd 196794 werner 103u IPv4 1411808 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:32880 (ESTABLISHED)
sshd 196794 werner 104u IPv4 1411809 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:42542 (ESTABLISHED)
sshd 196794 werner 105u IPv4 1411811 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:52206 (ESTABLISHED)
sshd 196794 werner 106u IPv4 1411852 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:33638 (ESTABLISHED)
sshd 196794 werner 107u IPv4 1411853 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:43300 (ESTABLISHED)
sshd 196794 werner 108u IPv4 1411854 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:52962 (ESTABLISHED)
sshd 196794 werner 109u IPv4 1411855 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:34392 (ESTABLISHED)
sshd 196794 werner 110u IPv4 1411856 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:44054 (ESTABLISHED)
sshd 196794 werner 111u IPv4 1411894 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:53716 (ESTABLISHED)
sshd 196794 werner 112u IPv4 1411895 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:35148 (ESTABLISHED)
sshd 196794 werner 113u IPv4 1411896 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:44810 (ESTABLISHED)
sshd 196794 werner 114u IPv4 1411897 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:54472 (ESTABLISHED)
sshd 196794 werner 115u IPv4 1411926 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:35906 (ESTABLISHED)
sshd 196794 werner 116u IPv4 1411927 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:45572 (ESTABLISHED)
sshd 196794 werner 117u IPv4 1411928 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:55234 (ESTABLISHED)
sshd 196794 werner 118u IPv4 1411929 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:36668 (ESTABLISHED)
sshd 196794 werner 119u IPv4 1411930 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:46330 (ESTABLISHED)
sshd 196794 werner 120u IPv4 1411956 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:55992 (ESTABLISHED)
sshd 196794 werner 121u IPv4 1411957 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:37422 (ESTABLISHED)
sshd 196794 werner 122u IPv4 1411958 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:47084 (ESTABLISHED)
sshd 196794 werner 123u IPv4 1411959 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:56746 (ESTABLISHED)
sshd 196794 werner 124u IPv4 1411960 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:38176 (ESTABLISHED)
sshd 196794 werner 125u IPv4 1412012 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:47838 (ESTABLISHED)
sshd 196794 werner 126u IPv4 1412013 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:57500 (ESTABLISHED)
sshd 196794 werner 127u IPv4 1412014 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:38930 (ESTABLISHED)
sshd 196794 werner 128u IPv4 1414997 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:48592 (ESTABLISHED)
sshd 196794 werner 129u IPv4 1416878 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:58252 (ESTABLISHED)
sshd 196794 werner 130u IPv4 1417151 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:39684 (ESTABLISHED)
sshd 196794 werner 131u IPv4 1417152 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:49346 (ESTABLISHED)
sshd 196794 werner 132u IPv4 1417153 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:59008 (ESTABLISHED)
sshd 196794 werner 133u IPv4 1418662 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:40438 (ESTABLISHED)
sshd 196794 werner 134u IPv4 1418702 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:50100 (ESTABLISHED)
sshd 196794 werner 135u IPv4 1418703 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:59762 (ESTABLISHED)
sshd 196794 werner 136u IPv4 1418704 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:41192 (ESTABLISHED)
sshd 196794 werner 137u IPv4 1418705 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:50854 (ESTABLISHED)
sshd 196794 werner 138u IPv4 1419023 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:60516 (ESTABLISHED)
sshd 196794 werner 139u IPv4 1419055 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:41946 (ESTABLISHED)
sshd 196794 werner 140u IPv4 1419056 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:51608 (ESTABLISHED)
sshd 196794 werner 141u IPv4 1419057 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:33040 (ESTABLISHED)
sshd 196794 werner 142u IPv4 1419058 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:42702 (ESTABLISHED)
sshd 196794 werner 143u IPv4 1419060 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:52370 (ESTABLISHED)
sshd 196794 werner 144u IPv4 1419090 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:33800 (ESTABLISHED)
sshd 196794 werner 145u IPv4 1419091 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:43462 (ESTABLISHED)
sshd 196794 werner 146u IPv4 1420396 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:53124 (ESTABLISHED)
sshd 196794 werner 147u IPv4 1420397 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:34554 (ESTABLISHED)
sshd 196794 werner 148u IPv4 1420428 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:44216 (ESTABLISHED)
sshd 196794 werner 149u IPv4 1420429 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:53878 (ESTABLISHED)
sshd 196794 werner 150u IPv4 1420430 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:35308 (ESTABLISHED)
sshd 196794 werner 151u IPv4 1420432 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:44970 (ESTABLISHED)
sshd 196794 werner 152u IPv4 1420433 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:54632 (ESTABLISHED)
sshd 196794 werner 153u IPv4 1420476 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:36062 (ESTABLISHED)
sshd 196794 werner 154u IPv4 1420477 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:45724 (ESTABLISHED)
sshd 196794 werner 155u IPv4 1420478 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:55386 (ESTABLISHED)
sshd 196794 werner 156u IPv4 1420479 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:36816 (ESTABLISHED)
sshd 196794 werner 157u IPv4 1420819 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:46478 (ESTABLISHED)
sshd 196794 werner 158u IPv4 1420848 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:56140 (ESTABLISHED)
sshd 196794 werner 159u IPv4 1420849 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:37570 (ESTABLISHED)
sshd 196794 werner 160u IPv4 1420850 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:47234 (ESTABLISHED)
sshd 196794 werner 161u IPv4 1420851 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:56896 (ESTABLISHED)
sshd 196794 werner 162u IPv4 1420880 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:38326 (ESTABLISHED)
sshd 196794 werner 163u IPv4 1420881 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:47988 (ESTABLISHED)
sshd 196794 werner 164u IPv4 1420882 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:57650 (ESTABLISHED)
sshd 196794 werner 165u IPv4 1420883 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:39080 (ESTABLISHED)
sshd 196794 werner 166u IPv4 1420884 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:48742 (ESTABLISHED)
sshd 196794 werner 167u IPv4 1420926 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:58404 (ESTABLISHED)
sshd 196794 werner 168u IPv4 1420927 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:39834 (ESTABLISHED)
sshd 196794 werner 169u IPv4 1420928 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:49496 (ESTABLISHED)
sshd 196794 werner 170u IPv4 1420930 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:59158 (ESTABLISHED)
sshd 196794 werner 171u IPv4 1420931 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:40588 (ESTABLISHED)
sshd 196794 werner 172u IPv4 1422370 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:50250 (ESTABLISHED)
sshd 196794 werner 173u IPv4 1422371 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:59912 (ESTABLISHED)
sshd 196794 werner 174u IPv4 1422373 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:41342 (ESTABLISHED)
sshd 196794 werner 175u IPv4 1422374 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:51004 (ESTABLISHED)
sshd 196794 werner 176u IPv4 1422375 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:60668 (ESTABLISHED)
sshd 196794 werner 177u IPv4 1422417 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:42098 (ESTABLISHED)
sshd 196794 werner 178u IPv4 1422418 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:51760 (ESTABLISHED)
sshd 196794 werner 179u IPv4 1422419 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:33190 (ESTABLISHED)
sshd 196794 werner 180u IPv4 1422421 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:42852 (ESTABLISHED)
sshd 196794 werner 181u IPv4 1422460 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:52514 (ESTABLISHED)
sshd 196794 werner 182u IPv4 1422461 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:33946 (ESTABLISHED)
sshd 196794 werner 183u IPv4 1422462 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:43608 (ESTABLISHED)
sshd 196794 werner 184u IPv4 1422468 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:53270 (ESTABLISHED)
sshd 196794 werner 185u IPv4 1422472 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:34700 (ESTABLISHED)
sshd 196794 werner 186u IPv4 1422500 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:44362 (ESTABLISHED)
sshd 196794 werner 187u IPv4 1422501 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:54024 (ESTABLISHED)
sshd 196794 werner 188u IPv4 1422502 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:35454 (ESTABLISHED)
sshd 196794 werner 189u IPv4 1422503 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:45116 (ESTABLISHED)
sshd 196794 werner 190u IPv4 1422504 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:54778 (ESTABLISHED)
sshd 196794 werner 193u IPv4 1422545 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:36208 (ESTABLISHED)
sshd 196794 werner 198u IPv4 1422800 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:45872 (ESTABLISHED)
sshd 196794 werner 202u IPv4 1422804 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:55534 (ESTABLISHED)
sshd 196794 werner 204u IPv4 1422806 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:36964 (ESTABLISHED)
sshd 196794 werner 205u IPv4 1422807 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:46626 (ESTABLISHED)
sshd 196794 werner 206u IPv4 1422835 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:56288 (ESTABLISHED)
sshd 196794 werner 207u IPv4 1422836 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:37718 (ESTABLISHED)
sshd 196794 werner 208u IPv4 1422837 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:47380 (ESTABLISHED)
sshd 196794 werner 217u IPv4 1422847 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:57042 (ESTABLISHED)
sshd 196794 werner 224u IPv4 1422880 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:38472 (ESTABLISHED)
sshd 196794 werner 225u IPv4 1422881 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:48134 (ESTABLISHED)
sshd 196794 werner 226u IPv4 1422882 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:57796 (ESTABLISHED)
sshd 196794 werner 227u IPv4 1423179 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:39226 (ESTABLISHED)
sshd 196794 werner 230u IPv4 1423214 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:48888 (ESTABLISHED)
sshd 196794 werner 231u IPv4 1423238 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:58554 (ESTABLISHED)
sshd 196794 werner 234u IPv4 1423262 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:39984 (ESTABLISHED)
sshd 196794 werner 235u IPv4 1424514 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->143.198.101.180:49646 (ESTABLISHED)

Click here to read the complete article

Re: There are too many sshd processes has been started on the server triggered by autossh.

<CirgRmSaft2BqciZe@bongo-ra.co>

copy mid

https://www.novabbs.com/devel/article-flat.php?id=4541&group=comp.unix.shell#4541

copy link Newsgroups: comp.unix.shell

Path: i2pn2.org!i2pn.org!aioe.org!NFyD4+LU+vfu+oVKTmfrbQ.user.46.165.242.91.POSTED!not-for-mail
From: spi...@gmail.com (Spiros Bousbouras)
Newsgroups: comp.unix.shell
Subject: Re: There are too many sshd processes has been started on the server triggered by autossh.
Date: Thu, 28 Oct 2021 11:18:11 -0000 (UTC)
Organization: Aioe.org NNTP Server
Message-ID: <CirgRmSaft2BqciZe@bongo-ra.co>
References: <de7537f1-14fa-4384-8925-dfe1619f53d3n@googlegroups.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Injection-Info: gioia.aioe.org; logging-data="577"; posting-host="NFyD4+LU+vfu+oVKTmfrbQ.user.gioia.aioe.org"; mail-complaints-to="abuse@aioe.org";
X-Server-Commands: nowebcancel
X-Organisation: Weyland-Yutani
X-Notice: Filtered by postfilter v. 0.9.2

by: Spiros Bousbouras - Thu, 28 Oct 2021 11:18 UTC

On Thu, 28 Oct 2021 02:20:05 -0700 (PDT)
"hongy...@gmail.com" <hongyi.zhao@gmail.com> wrote:
> On client, I run the follownig command to create a ssh based remote
> port forwarding proxy:
>
> $ autossh -M 0 -4 -NT \
> -o ServerAliveInterval=30 \
> -o "ServerAliveCountMax=3" \
> -o "ExitOnForwardFailure=yes" \
> -o StrictHostKeyChecking=no \
> -R 21080:localhost:1080 \
> -R 20022:localhost:22 \
> werner@my.remote.server -p 2101
>
> Then on the server side, I observed there are too many sshd processes
> has been started:
>
> werner@Standard-PC-i440FX-PIIX-1996:~$ sudo lsof -i :20022

Why do you need sudo to run lsof ?

> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> sshd 196794 werner 12u IPv4 1409853 0t0 TCP *:20022 (LISTEN)
> sshd 196794 werner 13u IPv6 1409854 0t0 TCP *:20022 (LISTEN)

[Rest of long output snipped]

In the whole output I only see one process with PID 196794.

Re: There are too many sshd processes has been started on the server triggered by autossh.

<0c5f0b22-c456-4b13-b906-839bffcf4276n@googlegroups.com>

copy mid

https://www.novabbs.com/devel/article-flat.php?id=4542&group=comp.unix.shell#4542

copy link Newsgroups: comp.unix.shell

X-Received: by 2002:ad4:5423:: with SMTP id g3mr3599162qvt.45.1635424323365;
Thu, 28 Oct 2021 05:32:03 -0700 (PDT)
X-Received: by 2002:ac8:7193:: with SMTP id w19mr4193086qto.311.1635424323054;
Thu, 28 Oct 2021 05:32:03 -0700 (PDT)
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!news.misty.com!border2.nntp.dca1.giganews.com!nntp.giganews.com!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.unix.shell
Date: Thu, 28 Oct 2021 05:32:02 -0700 (PDT)
In-Reply-To: <CirgRmSaft2BqciZe@bongo-ra.co>
Injection-Info: google-groups.googlegroups.com; posting-host=143.198.81.109; posting-account=kF0ZaAoAAACPbiK5gldhAyX5qTd3krV2
NNTP-Posting-Host: 143.198.81.109
References: <de7537f1-14fa-4384-8925-dfe1619f53d3n@googlegroups.com> <CirgRmSaft2BqciZe@bongo-ra.co>
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <0c5f0b22-c456-4b13-b906-839bffcf4276n@googlegroups.com>
Subject: Re: There are too many sshd processes has been started on the server
triggered by autossh.
From: hongyi.z...@gmail.com (hongy...@gmail.com)
Injection-Date: Thu, 28 Oct 2021 12:32:03 +0000
Content-Type: text/plain; charset="UTF-8"
Lines: 30

by: hongy...@gmail.com - Thu, 28 Oct 2021 12:32 UTC

On Thursday, October 28, 2021 at 7:18:17 PM UTC+8, Spiros Bousbouras wrote:
> On Thu, 28 Oct 2021 02:20:05 -0700 (PDT)
> "hongy...@gmail.com" <hongy...@gmail.com> wrote:
> > On client, I run the follownig command to create a ssh based remote
> > port forwarding proxy:
> >
> > $ autossh -M 0 -4 -NT \
> > -o ServerAliveInterval=30 \
> > -o "ServerAliveCountMax=3" \
> > -o "ExitOnForwardFailure=yes" \
> > -o StrictHostKeyChecking=no \
> > -R 21080:localhost:1080 \
> > -R 20022:localhost:22 \
> > wer...@my.remote.server -p 2101
> >
> > Then on the server side, I observed there are too many sshd processes
> > has been started:
> >
> > werner@Standard-PC-i440FX-PIIX-1996:~$ sudo lsof -i :20022
> Why do you need sudo to run lsof ?

This is my misuse :-(

> > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> > sshd 196794 werner 12u IPv4 1409853 0t0 TCP *:20022 (LISTEN)
> > sshd 196794 werner 13u IPv6 1409854 0t0 TCP *:20022 (LISTEN)
> [Rest of long output snipped]
>
> In the whole output I only see one process with PID 196794.

I really not noticed that. I mean so many sshd entries belonging to the same process.

Re: There are too many sshd processes has been started on the server triggered by autossh.

<f2KuH2ceLWfhmL0VK@bongo-ra.co>

copy mid

https://www.novabbs.com/devel/article-flat.php?id=4543&group=comp.unix.shell#4543

copy link Newsgroups: comp.unix.shell

Path: i2pn2.org!i2pn.org!aioe.org!NFyD4+LU+vfu+oVKTmfrbQ.user.46.165.242.91.POSTED!not-for-mail
From: spi...@gmail.com (Spiros Bousbouras)
Newsgroups: comp.unix.shell
Subject: Re: There are too many sshd processes has been started on the server triggered by autossh.
Date: Thu, 28 Oct 2021 12:54:17 -0000 (UTC)
Organization: Aioe.org NNTP Server
Message-ID: <f2KuH2ceLWfhmL0VK@bongo-ra.co>
References: <de7537f1-14fa-4384-8925-dfe1619f53d3n@googlegroups.com> <CirgRmSaft2BqciZe@bongo-ra.co> <0c5f0b22-c456-4b13-b906-839bffcf4276n@googlegroups.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Injection-Info: gioia.aioe.org; logging-data="16472"; posting-host="NFyD4+LU+vfu+oVKTmfrbQ.user.gioia.aioe.org"; mail-complaints-to="abuse@aioe.org";
X-Notice: Filtered by postfilter v. 0.9.2
X-Server-Commands: nowebcancel
X-Organisation: Weyland-Yutani

by: Spiros Bousbouras - Thu, 28 Oct 2021 12:54 UTC

On Thu, 28 Oct 2021 05:32:02 -0700 (PDT)
"hongy...@gmail.com" <hongyi.zhao@gmail.com> wrote:
> On Thursday, October 28, 2021 at 7:18:17 PM UTC+8, Spiros Bousbouras wrote:
> > On Thu, 28 Oct 2021 02:20:05 -0700 (PDT)
> > "hongy...@gmail.com" <hongy...@gmail.com> wrote:
> > > On client, I run the follownig command to create a ssh based remote
> > > port forwarding proxy:
> > >
> > > $ autossh -M 0 -4 -NT \
> > > -o ServerAliveInterval=30 \
> > > -o "ServerAliveCountMax=3" \
> > > -o "ExitOnForwardFailure=yes" \
> > > -o StrictHostKeyChecking=no \
> > > -R 21080:localhost:1080 \
> > > -R 20022:localhost:22 \
> > > wer...@my.remote.server -p 2101
> > >
> > > Then on the server side, I observed there are too many sshd processes
> > > has been started:
> > >
> > > werner@Standard-PC-i440FX-PIIX-1996:~$ sudo lsof -i :20022
> > Why do you need sudo to run lsof ?
>
> This is my misuse :-(
>
> > > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> > > sshd 196794 werner 12u IPv4 1409853 0t0 TCP *:20022 (LISTEN)
> > > sshd 196794 werner 13u IPv6 1409854 0t0 TCP *:20022 (LISTEN)
> > [Rest of long output snipped]
> >
> > In the whole output I only see one process with PID 196794.
>
> I really not noticed that. I mean so many sshd entries belonging to the
> same process.

If I understand correctly the output of lsof , it says that one sshd
process (with PID 196794) has made multiple connections. I confess that I
only have a vague idea as to what a "remote port forwarding proxy" does. Is
it implausible that it would open multiple connections ?

Re: There are too many sshd processes has been started on the server triggered by autossh.

<eli$2110281328@qaz.wtf>

copy mid

https://www.novabbs.com/devel/article-flat.php?id=4545&group=comp.unix.shell#4545

copy link Newsgroups: comp.unix.shell

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!panix!.POSTED.panix5.panix.com!qz!not-for-mail
From: *...@eli.users.panix.com (Eli the Bearded)
Newsgroups: comp.unix.shell
Subject: Re: There are too many sshd processes has been started on the server triggered by autossh.
Date: Thu, 28 Oct 2021 17:37:23 -0000 (UTC)
Organization: Some absurd concept
Message-ID: <eli$2110281328@qaz.wtf>
References: <de7537f1-14fa-4384-8925-dfe1619f53d3n@googlegroups.com> <CirgRmSaft2BqciZe@bongo-ra.co> <0c5f0b22-c456-4b13-b906-839bffcf4276n@googlegroups.com> <f2KuH2ceLWfhmL0VK@bongo-ra.co>
Injection-Date: Thu, 28 Oct 2021 17:37:23 -0000 (UTC)
Injection-Info: reader1.panix.com; posting-host="panix5.panix.com:166.84.1.5";
logging-data="13454"; mail-complaints-to="abuse@panix.com"
User-Agent: Vectrex rn 2.1 (beta)
X-Liz: It's actually happened, the entire Internet is a massive game of Redcode
X-Motto: "Erosion of rights never seems to reverse itself." -- kenny@panix
X-US-Congress: Moronic Fucks.
X-Attribution: EtB
XFrom: is a real address
Encrypted: double rot-13

by: Eli the Bearded - Thu, 28 Oct 2021 17:37 UTC

In comp.unix.shell, Spiros Bousbouras <spibou@gmail.com> wrote:
[ "hongy...@gmail.com" <hongyi.zhao@gmail.com> wrote ]
>>>> $ autossh -M 0 -4 -NT \
>>>> -o ServerAliveInterval=30 \
>>>> -o "ServerAliveCountMax=3" \
>>>> -o "ExitOnForwardFailure=yes" \
>>>> -o StrictHostKeyChecking=no \
>>>> -R 21080:localhost:1080 \
>>>> -R 20022:localhost:22 \
....
> If I understand correctly the output of lsof , it says that one sshd
> process (with PID 196794) has made multiple connections. I confess that I
> only have a vague idea as to what a "remote port forwarding proxy" does. Is
> it implausible that it would open multiple connections ?

It is entirely plausible that something that acts as a port forwarding
agent would accept multiple connections on the same port to forward them
all. Looking at that, I suspect it is intended to forward ssh and web
traffic (1080 == SOCKS). One web browser will likely create a bunch of
connections for each page. If it has to wait to do those single file
browsing will be very slow. I conclude that opening multiple connections
very much an intended use.

Elijah
------
remembers writing single threaded proxies for studying http back in the day

Re: There are too many sshd processes has been started on the server triggered by autossh.

<slerhm$9pd$1@tncsrv09.home.tnetconsulting.net>

copy mid

https://www.novabbs.com/devel/article-flat.php?id=4546&group=comp.unix.shell#4546

copy link Newsgroups: comp.unix.shell

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.unix.shell
Subject: Re: There are too many sshd processes has been started on the server
triggered by autossh.
Date: Thu, 28 Oct 2021 12:47:26 -0600
Organization: TNet Consulting
Message-ID: <slerhm$9pd$1@tncsrv09.home.tnetconsulting.net>
References: <de7537f1-14fa-4384-8925-dfe1619f53d3n@googlegroups.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Thu, 28 Oct 2021 18:52:38 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="10029"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
In-Reply-To: <de7537f1-14fa-4384-8925-dfe1619f53d3n@googlegroups.com>
Content-Language: en-US

by: Grant Taylor - Thu, 28 Oct 2021 18:47 UTC

On 10/28/21 3:20 AM, hongy...@gmail.com wrote:
> On client, I run the follownig command to create a ssh based remote
> port forwarding proxy:
>
> $ autossh -M 0 -4 -NT \
> -o ServerAliveInterval=30 \
> -o "ServerAliveCountMax=3" \
> -o "ExitOnForwardFailure=yes" \
> -o StrictHostKeyChecking=no \
> -R 21080:localhost:1080 \
> -R 20022:localhost:22 \
> werner@my.remote.server -p 2101
>
> Then on the server side, I observed there are too many sshd processes
> has been started:

As Spiros pointed out, they are all the same sshd process; 196794.

> werner@Standard-PC-i440FX-PIIX-1996:~$ sudo lsof -i :20022
> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME

If I've tracked the topology correctly, those all look like
143.198.101.180 connected to port 20022 on the remote server which is
forwarded through SSH to port 22 on the client.

This seems like an SSH attack from 143.198.101.180 to me. Maybe
password guessing / brute forcing.

> And this will make SSH forwarding unavailable. Any hints for fixing
> this problem?

I'm guessing that you're either tripping a security feature (number of
total connections, number in a given time, number from a specific
source, etc.). I don't see how this would actually prevent the (remote)
port forwarding from working with SSH. This seems like a denial of
service type issue.

--
Grant. . . .
unix || die

Re: There are too many sshd processes has been started on the server triggered by autossh.

<74e55f7d-976e-493d-bc56-aa9de260117en@googlegroups.com>

copy mid

https://www.novabbs.com/devel/article-flat.php?id=4547&group=comp.unix.shell#4547

copy link Newsgroups: comp.unix.shell

X-Received: by 2002:a05:620a:4044:: with SMTP id i4mr6670688qko.301.1635471258826;
Thu, 28 Oct 2021 18:34:18 -0700 (PDT)
X-Received: by 2002:a05:6214:2588:: with SMTP id fq8mr7625877qvb.36.1635471258602;
Thu, 28 Oct 2021 18:34:18 -0700 (PDT)
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!news.misty.com!border2.nntp.dca1.giganews.com!nntp.giganews.com!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.unix.shell
Date: Thu, 28 Oct 2021 18:34:18 -0700 (PDT)
In-Reply-To: <slerhm$9pd$1@tncsrv09.home.tnetconsulting.net>
Injection-Info: google-groups.googlegroups.com; posting-host=143.198.81.115; posting-account=kF0ZaAoAAACPbiK5gldhAyX5qTd3krV2
NNTP-Posting-Host: 143.198.81.115
References: <de7537f1-14fa-4384-8925-dfe1619f53d3n@googlegroups.com> <slerhm$9pd$1@tncsrv09.home.tnetconsulting.net>
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <74e55f7d-976e-493d-bc56-aa9de260117en@googlegroups.com>
Subject: Re: There are too many sshd processes has been started on the server
triggered by autossh.
From: hongyi.z...@gmail.com (hongy...@gmail.com)
Injection-Date: Fri, 29 Oct 2021 01:34:18 +0000
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Lines: 42

by: hongy...@gmail.com - Fri, 29 Oct 2021 01:34 UTC

On Friday, October 29, 2021 at 2:47:16 AM UTC+8, Grant Taylor wrote:
> On 10/28/21 3:20 AM, hongy...@gmail.com wrote:
> > On client, I run the follownig command to create a ssh based remote
> > port forwarding proxy:
> >
> > $ autossh -M 0 -4 -NT \
> > -o ServerAliveInterval=30 \
> > -o "ServerAliveCountMax=3" \
> > -o "ExitOnForwardFailure=yes" \
> > -o StrictHostKeyChecking=no \
> > -R 21080:localhost:1080 \
> > -R 20022:localhost:22 \
> > wer...@my.remote.server -p 2101
> >
> > Then on the server side, I observed there are too many sshd processes
> > has been started:
> As Spiros pointed out, they are all the same sshd process; 196794.
> > werner@Standard-PC-i440FX-PIIX-1996:~$ sudo lsof -i :20022
> > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> If I've tracked the topology correctly, those all look like
> 143.198.101.180 connected to port 20022 on the remote server which is
> forwarded through SSH to port 22 on the client.
>
> This seems like an SSH attack from 143.198.101.180 to me. Maybe
> password guessing / brute forcing.
> > And this will make SSH forwarding unavailable. Any hints for fixing
> > this problem?
> I'm guessing that you're either tripping a security feature (number of
> total connections, number in a given time, number from a specific
> source, etc.). I don't see how this would actually prevent the (remote)
> port forwarding from working with SSH. This seems like a denial of
> service type issue.

Thank you for your in-depth analysis. Basically, my goal is to achieve intranet penetration without public IP. It seems that the ssh remote port forwarding method discussed here is not carefully designed for this purpose. So, maybe I should switch to zerotier-one [1].

[1] https://github.com/zerotier/ZeroTierOne

Re: There are too many sshd processes has been started on the server triggered by autossh.

<slg3nl$r10$1@tncsrv09.home.tnetconsulting.net>

copy mid

https://www.novabbs.com/devel/article-flat.php?id=4548&group=comp.unix.shell#4548

copy link Newsgroups: comp.unix.shell

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.unix.shell
Subject: Re: There are too many sshd processes has been started on the server
triggered by autossh.
Date: Fri, 29 Oct 2021 00:13:16 -0600
Organization: TNet Consulting
Message-ID: <slg3nl$r10$1@tncsrv09.home.tnetconsulting.net>
References: <de7537f1-14fa-4384-8925-dfe1619f53d3n@googlegroups.com>
<slerhm$9pd$1@tncsrv09.home.tnetconsulting.net>
<74e55f7d-976e-493d-bc56-aa9de260117en@googlegroups.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Fri, 29 Oct 2021 06:18:29 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="27680"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
In-Reply-To: <74e55f7d-976e-493d-bc56-aa9de260117en@googlegroups.com>
Content-Language: en-US

by: Grant Taylor - Fri, 29 Oct 2021 06:13 UTC

On 10/28/21 7:34 PM, hongy...@gmail.com wrote:
> Thank you for your in-depth analysis.

You're welcome.

> Basically, my goal is to achieve intranet penetration without public
> IP.

Okay. That seems sensible enough.

I take it that you do have access to a system with a globally routed IP
that you are able to use some ports on to get traffic into your
system(s) without a globally routed IP.

I've done similar with SSH many times before.

> It seems that the ssh remote port forwarding method discussed here
> is not carefully designed for this purpose.

I wouldn't say that.

I'd be more apt to suspect some sort of rate limiting elsewhere that was
interfering with connections and that SSH itself wasn't the problem.
I've push a LOT of things through a LOT of crazy SSH configurations.
Remote port forwarding is about the most mundane thing that I've done.

A firewall on the remote system may be filtering additional incoming
connections. A VPS / hosting provider may be filtering the number of
outgoing packets form a system. A firewall on the internal system (ssh
client) may be filtering things. I'm fairly certain that you can even
configure OpenSSH to rate limit connections, including source IP. There
are a number of things that could be interfering before SSH becoming the
actual problem.

> So, maybe I should switch to zerotier-one [1].

I spent a few minutes looking at ZeroTier-One. The website (as opposed
to the content) looks ... polished. They seem to be using a lot of buzz
words. Many of them are used in context and correctly. What I don't
see in about five minutes time is any hint at the technology behind
their solution. So I find myself being extremely skeptical of what they
have to offer.

I would spend about 10 times the effort on SSH before spending any on
ZeroTier-One or anything that seems care sales tactics to me.

--
Grant. . . .
unix || die

Re: There are too many sshd processes has been started on the server triggered by autossh.

<slgfnm$qld$1@dont-email.me>

copy mid

https://www.novabbs.com/devel/article-flat.php?id=4549&group=comp.unix.shell#4549

copy link Newsgroups: comp.unix.shell

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: unr...@invalid.ca (William Unruh)
Newsgroups: comp.unix.shell
Subject: Re: There are too many sshd processes has been started on the
server triggered by autossh.
Date: Fri, 29 Oct 2021 09:43:18 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 16
Message-ID: <slgfnm$qld$1@dont-email.me>
References: <de7537f1-14fa-4384-8925-dfe1619f53d3n@googlegroups.com>
<slerhm$9pd$1@tncsrv09.home.tnetconsulting.net>
<74e55f7d-976e-493d-bc56-aa9de260117en@googlegroups.com>
<slg3nl$r10$1@tncsrv09.home.tnetconsulting.net>
Injection-Date: Fri, 29 Oct 2021 09:43:18 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="fb046927f8aa82df875f716fc8a63df9";
logging-data="27309"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX198krRNqfbPcXlG+DPDCrLB"
User-Agent: slrn/1.0.3 (Linux)
Cancel-Lock: sha1:ej8HobPlhBBmp4L/nTGh5FovTkc=

by: William Unruh - Fri, 29 Oct 2021 09:43 UTC

On 2021-10-29, Grant Taylor <gtaylor@tnetconsulting.net> wrote:
> On 10/28/21 7:34 PM, hongy...@gmail.com wrote:
......
>
>> So, maybe I should switch to zerotier-one [1].
>
> I spent a few minutes looking at ZeroTier-One. The website (as opposed
> to the content) looks ... polished. They seem to be using a lot of buzz
> words. Many of them are used in context and correctly. What I don't
> see in about five minutes time is any hint at the technology behind
> their solution. So I find myself being extremely skeptical of what they
> have to offer.

Of course the technology could just be ssh port forwarding hidden behind
proprietary cover.

Re: There are too many sshd processes has been started on the server triggered by autossh.

<slh87q$emk$1@tncsrv09.home.tnetconsulting.net>

copy mid

https://www.novabbs.com/devel/article-flat.php?id=4550&group=comp.unix.shell#4550

copy link Newsgroups: comp.unix.shell

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.unix.shell
Subject: Re: There are too many sshd processes has been started on the server
triggered by autossh.
Date: Fri, 29 Oct 2021 10:36:15 -0600
Organization: TNet Consulting
Message-ID: <slh87q$emk$1@tncsrv09.home.tnetconsulting.net>
References: <de7537f1-14fa-4384-8925-dfe1619f53d3n@googlegroups.com>
<slerhm$9pd$1@tncsrv09.home.tnetconsulting.net>
<74e55f7d-976e-493d-bc56-aa9de260117en@googlegroups.com>
<slg3nl$r10$1@tncsrv09.home.tnetconsulting.net> <slgfnm$qld$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Fri, 29 Oct 2021 16:41:30 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="15060"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
In-Reply-To: <slgfnm$qld$1@dont-email.me>
Content-Language: en-US

by: Grant Taylor - Fri, 29 Oct 2021 16:36 UTC

On 10/29/21 3:43 AM, William Unruh wrote:
> Of course the technology could just be ssh port forwarding hidden
> behind proprietary cover.

I'm fairly certain that ZeroTier-One is not using /just/ ssh port
forwarding.

I say this because of what ssh's port forwarding does vs what
ZeroTier-One claims they do. First, ssh's port forwarding is inherently
a singular port, hence it's name. Second, ZeroTier-One claims to
emulate an Ethernet LAN of connected system, which means that it's an L2
connection. Port forwarding and L2 connections are considerably
different. Third, the "just works" comments indicate that there is a
lot more automagic / discovery that happens behind the scenes.

Yes, ssh can forward multiple ports, but that's additional configuration.

Yes, ssh can create an L2 VPN tunnel, but that's a lot of additional
configuration. The emulated Ethernet LAN would also require bridging
multiple L2 VPN tunnels together, something that's decidedly outside of
ssh's purview.

I'm not aware of any ssh support for auto-discovery / auto-configuration
beyond DNSSEC protected SSHFP keys or certificates from a trusted SSH
root CA.

I think that there is a lot more going on under the hood behind
ZeroTier-One than meets the eye. I think it's more in the realm of SDN
and further away from ssh. It may use ssh as part of it's technology
stack, but I wouldn't bet a cup of coffee that it does. In fact I'd bet
a cup of coffee that it does not use ssh as part of it's technology stack.

--
Grant. . . .
unix || die

Re: There are too many sshd processes has been started on the server triggered by autossh.

<slhhh6$hvk$1@dont-email.me>

copy mid

https://www.novabbs.com/devel/article-flat.php?id=4551&group=comp.unix.shell#4551

copy link Newsgroups: comp.unix.shell

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: unr...@invalid.ca (William Unruh)
Newsgroups: comp.unix.shell
Subject: Re: There are too many sshd processes has been started on the
server triggered by autossh.
Date: Fri, 29 Oct 2021 19:20:06 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 38
Message-ID: <slhhh6$hvk$1@dont-email.me>
References: <de7537f1-14fa-4384-8925-dfe1619f53d3n@googlegroups.com>
<slerhm$9pd$1@tncsrv09.home.tnetconsulting.net>
<74e55f7d-976e-493d-bc56-aa9de260117en@googlegroups.com>
<slg3nl$r10$1@tncsrv09.home.tnetconsulting.net>
<slgfnm$qld$1@dont-email.me>
<slh87q$emk$1@tncsrv09.home.tnetconsulting.net>
Injection-Date: Fri, 29 Oct 2021 19:20:06 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="fb046927f8aa82df875f716fc8a63df9";
logging-data="18420"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX19u6JXsQgdI8ewwDvn2QVlt"
User-Agent: slrn/1.0.3 (Linux)
Cancel-Lock: sha1:8YsSCtwdiLnF9EV6go7+QuRTBwg=

by: William Unruh - Fri, 29 Oct 2021 19:20 UTC

On 2021-10-29, Grant Taylor <gtaylor@tnetconsulting.net> wrote:
> On 10/29/21 3:43 AM, William Unruh wrote:
>> Of course the technology could just be ssh port forwarding hidden
>> behind proprietary cover.
>
> I'm fairly certain that ZeroTier-One is not using /just/ ssh port
> forwarding.
>
> I say this because of what ssh's port forwarding does vs what
> ZeroTier-One claims they do. First, ssh's port forwarding is inherently
> a singular port, hence it's name. Second, ZeroTier-One claims to
> emulate an Ethernet LAN of connected system, which means that it's an L2
> connection. Port forwarding and L2 connections are considerably
> different. Third, the "just works" comments indicate that there is a
> lot more automagic / discovery that happens behind the scenes.
>
> Yes, ssh can forward multiple ports, but that's additional configuration.
>
> Yes, ssh can create an L2 VPN tunnel, but that's a lot of additional
> configuration. The emulated Ethernet LAN would also require bridging
> multiple L2 VPN tunnels together, something that's decidedly outside of
> ssh's purview.
>
> I'm not aware of any ssh support for auto-discovery / auto-configuration
> beyond DNSSEC protected SSHFP keys or certificates from a trusted SSH
> root CA.
>
> I think that there is a lot more going on under the hood behind
> ZeroTier-One than meets the eye. I think it's more in the realm of SDN
> and further away from ssh. It may use ssh as part of it's technology
> stack, but I wouldn't bet a cup of coffee that it does. In fact I'd bet
> a cup of coffee that it does not use ssh as part of it's technology stack.

What Marketing says and what the technical reality is can be very far
apart. All we have is the marketing in this case it seems.
>
>
>

Re: There are too many sshd processes has been started on the server triggered by autossh.

<slhnq4$nte$1@tncsrv09.home.tnetconsulting.net>

copy mid

https://www.novabbs.com/devel/article-flat.php?id=4552&group=comp.unix.shell#4552

copy link Newsgroups: comp.unix.shell

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.unix.shell
Subject: Re: There are too many sshd processes has been started on the server
triggered by autossh.
Date: Fri, 29 Oct 2021 15:02:01 -0600
Organization: TNet Consulting
Message-ID: <slhnq4$nte$1@tncsrv09.home.tnetconsulting.net>
References: <de7537f1-14fa-4384-8925-dfe1619f53d3n@googlegroups.com>
<slerhm$9pd$1@tncsrv09.home.tnetconsulting.net>
<74e55f7d-976e-493d-bc56-aa9de260117en@googlegroups.com>
<slg3nl$r10$1@tncsrv09.home.tnetconsulting.net> <slgfnm$qld$1@dont-email.me>
<slh87q$emk$1@tncsrv09.home.tnetconsulting.net> <slhhh6$hvk$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Fri, 29 Oct 2021 21:07:16 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="24494"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
In-Reply-To: <slhhh6$hvk$1@dont-email.me>
Content-Language: en-US

by: Grant Taylor - Fri, 29 Oct 2021 21:02 UTC

On 10/29/21 1:20 PM, William Unruh wrote:
> What Marketing says and what the technical reality is can be very
> far apart. All we have is the marketing in this case it seems.

Agreed.

In my experience, when the public information is disproportionately
marketing, that's because the technical information has been withheld on
purpose. Almost every time it's because the technical information
wouldn't support the weight of the marketing information.

--
Grant. . . .
unix || die

Re: There are too many sshd processes has been started on the server triggered by autossh.

<92ef0dac-cb3e-4aa8-9fd5-cd27a958fa1bn@googlegroups.com>

copy mid

https://www.novabbs.com/devel/article-flat.php?id=4553&group=comp.unix.shell#4553

copy link Newsgroups: comp.unix.shell

X-Received: by 2002:a05:622a:1cd:: with SMTP id t13mr2514084qtw.35.1635567723050;
Fri, 29 Oct 2021 21:22:03 -0700 (PDT)
X-Received: by 2002:a0c:ef03:: with SMTP id t3mr13017146qvr.32.1635567722887;
Fri, 29 Oct 2021 21:22:02 -0700 (PDT)
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!news.misty.com!border2.nntp.dca1.giganews.com!nntp.giganews.com!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.unix.shell
Date: Fri, 29 Oct 2021 21:22:02 -0700 (PDT)
In-Reply-To: <0c5f0b22-c456-4b13-b906-839bffcf4276n@googlegroups.com>
Injection-Info: google-groups.googlegroups.com; posting-host=60.249.28.128; posting-account=kF0ZaAoAAACPbiK5gldhAyX5qTd3krV2
NNTP-Posting-Host: 60.249.28.128
References: <de7537f1-14fa-4384-8925-dfe1619f53d3n@googlegroups.com>
<CirgRmSaft2BqciZe@bongo-ra.co> <0c5f0b22-c456-4b13-b906-839bffcf4276n@googlegroups.com>
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <92ef0dac-cb3e-4aa8-9fd5-cd27a958fa1bn@googlegroups.com>
Subject: Re: There are too many sshd processes has been started on the server
triggered by autossh.
From: hongyi.z...@gmail.com (hongy...@gmail.com)
Injection-Date: Sat, 30 Oct 2021 04:22:03 +0000
Content-Type: text/plain; charset="UTF-8"
Lines: 48

by: hongy...@gmail.com - Sat, 30 Oct 2021 04:22 UTC

On Thursday, October 28, 2021 at 8:32:06 PM UTC+8, hongy...@gmail.com wrote:
> On Thursday, October 28, 2021 at 7:18:17 PM UTC+8, Spiros Bousbouras wrote:
> > On Thu, 28 Oct 2021 02:20:05 -0700 (PDT)
> > "hongy...@gmail.com" <hongy...@gmail.com> wrote:
> > > On client, I run the follownig command to create a ssh based remote
> > > port forwarding proxy:
> > >
> > > $ autossh -M 0 -4 -NT \
> > > -o ServerAliveInterval=30 \
> > > -o "ServerAliveCountMax=3" \
> > > -o "ExitOnForwardFailure=yes" \
> > > -o StrictHostKeyChecking=no \
> > > -R 21080:localhost:1080 \
> > > -R 20022:localhost:22 \
> > > wer...@my.remote.server -p 2101
> > >
> > > Then on the server side, I observed there are too many sshd processes
> > > has been started:
> > >
> > > werner@Standard-PC-i440FX-PIIX-1996:~$ sudo lsof -i :20022
> > Why do you need sudo to run lsof ?
> This is my misuse :-(

Based on my further tries, only the sudo can display the results:

werner@Standard-PC-i440FX-PIIX-1996:~$ lsof -i :20022
werner@Standard-PC-i440FX-PIIX-1996:~$ sudo lsof -i :20022
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 417861 werner 12u IPv4 3063124 0t0 TCP *:20022 (LISTEN)
sshd 417861 werner 13u IPv6 3063125 0t0 TCP *:20022 (LISTEN)
sshd 417861 werner 14u IPv4 3092408 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->OpenWrt.lan:47194 (CLOSE_WAIT)
sshd 417861 werner 15u IPv4 3093870 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->OpenWrt.lan:60730 (CLOSE_WAIT)
sshd 417861 werner 16u IPv4 3099227 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->OpenWrt.lan:36974 (CLOSE_WAIT)
werner@Standard-PC-i440FX-PIIX-1996:~$ sudo lsof -i :21080
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 417861 werner 10u IPv4 3063120 0t0 TCP *:21080 (LISTEN)
sshd 417861 werner 11u IPv6 3063121 0t0 TCP *:21080 (LISTEN)
werner@Standard-PC-i440FX-PIIX-1996:~$ lsof -i :21080
werner@Standard-PC-i440FX-PIIX-1996:~$

> > > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> > > sshd 196794 werner 12u IPv4 1409853 0t0 TCP *:20022 (LISTEN)
> > > sshd 196794 werner 13u IPv6 1409854 0t0 TCP *:20022 (LISTEN)
> > [Rest of long output snipped]
> >
> > In the whole output I only see one process with PID 196794.
> I really not noticed that. I mean so many sshd entries belonging to the same process.

Re: There are too many sshd processes has been started on the server triggered by autossh.

<c55ab9f8-79b3-4e3d-a029-bb13473b9d9dn@googlegroups.com>

copy mid

https://www.novabbs.com/devel/article-flat.php?id=4554&group=comp.unix.shell#4554

copy link Newsgroups: comp.unix.shell

X-Received: by 2002:a05:6214:f2e:: with SMTP id iw14mr5691018qvb.21.1635569146034;
Fri, 29 Oct 2021 21:45:46 -0700 (PDT)
X-Received: by 2002:a05:622a:249:: with SMTP id c9mr8548733qtx.231.1635569145895;
Fri, 29 Oct 2021 21:45:45 -0700 (PDT)
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!news.misty.com!border2.nntp.dca1.giganews.com!nntp.giganews.com!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.unix.shell
Date: Fri, 29 Oct 2021 21:45:45 -0700 (PDT)
In-Reply-To: <92ef0dac-cb3e-4aa8-9fd5-cd27a958fa1bn@googlegroups.com>
Injection-Info: google-groups.googlegroups.com; posting-host=103.149.249.35; posting-account=kF0ZaAoAAACPbiK5gldhAyX5qTd3krV2
NNTP-Posting-Host: 103.149.249.35
References: <de7537f1-14fa-4384-8925-dfe1619f53d3n@googlegroups.com>
<CirgRmSaft2BqciZe@bongo-ra.co> <0c5f0b22-c456-4b13-b906-839bffcf4276n@googlegroups.com>
<92ef0dac-cb3e-4aa8-9fd5-cd27a958fa1bn@googlegroups.com>
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <c55ab9f8-79b3-4e3d-a029-bb13473b9d9dn@googlegroups.com>
Subject: Re: There are too many sshd processes has been started on the server
triggered by autossh.
From: hongyi.z...@gmail.com (hongy...@gmail.com)
Injection-Date: Sat, 30 Oct 2021 04:45:46 +0000
Content-Type: text/plain; charset="UTF-8"
Lines: 57

by: hongy...@gmail.com - Sat, 30 Oct 2021 04:45 UTC

On Saturday, October 30, 2021 at 12:22:05 PM UTC+8, hongy...@gmail.com wrote:
> On Thursday, October 28, 2021 at 8:32:06 PM UTC+8, hongy...@gmail.com wrote:
> > On Thursday, October 28, 2021 at 7:18:17 PM UTC+8, Spiros Bousbouras wrote:
> > > On Thu, 28 Oct 2021 02:20:05 -0700 (PDT)
> > > "hongy...@gmail.com" <hongy...@gmail.com> wrote:
> > > > On client, I run the follownig command to create a ssh based remote
> > > > port forwarding proxy:
> > > >
> > > > $ autossh -M 0 -4 -NT \
> > > > -o ServerAliveInterval=30 \
> > > > -o "ServerAliveCountMax=3" \
> > > > -o "ExitOnForwardFailure=yes" \
> > > > -o StrictHostKeyChecking=no \
> > > > -R 21080:localhost:1080 \
> > > > -R 20022:localhost:22 \
> > > > wer...@my.remote.server -p 2101
> > > >
> > > > Then on the server side, I observed there are too many sshd processes
> > > > has been started:
> > > >
> > > > werner@Standard-PC-i440FX-PIIX-1996:~$ sudo lsof -i :20022
> > > Why do you need sudo to run lsof ?
> > This is my misuse :-(
> Based on my further tries, only the sudo can display the results:
>
> werner@Standard-PC-i440FX-PIIX-1996:~$ lsof -i :20022
> werner@Standard-PC-i440FX-PIIX-1996:~$ sudo lsof -i :20022
> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> sshd 417861 werner 12u IPv4 3063124 0t0 TCP *:20022 (LISTEN)
> sshd 417861 werner 13u IPv6 3063125 0t0 TCP *:20022 (LISTEN)
> sshd 417861 werner 14u IPv4 3092408 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->OpenWrt.lan:47194 (CLOSE_WAIT)
> sshd 417861 werner 15u IPv4 3093870 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->OpenWrt.lan:60730 (CLOSE_WAIT)
> sshd 417861 werner 16u IPv4 3099227 0t0 TCP Standard-PC-i440FX-PIIX-1996.lan:20022->OpenWrt.lan:36974 (CLOSE_WAIT)
> werner@Standard-PC-i440FX-PIIX-1996:~$ sudo lsof -i :21080
> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> sshd 417861 werner 10u IPv4 3063120 0t0 TCP *:21080 (LISTEN)
> sshd 417861 werner 11u IPv6 3063121 0t0 TCP *:21080 (LISTEN)
> werner@Standard-PC-i440FX-PIIX-1996:~$ lsof -i :21080
> werner@Standard-PC-i440FX-PIIX-1996:~$

Basically, when the problem happens, I will see a lot of the following information:

$ sudo ss --tcp state CLOSE-WAIT '( sport = 20022 or dst 192.168.10.1 )'
Recv-Q Send-Q Local Address:Port Peer Address:Port Process
42 0 192.168.10.101:20022 192.168.10.1:60930
42 0 192.168.10.101:20022 192.168.10.1:32776
42 0 192.168.10.101:20022 192.168.10.1:60956

Here, 192.168.10.1 is the intranet gateway interface on the router, which has a dynamic public IP address. And 192.168.10.101 is the intranet host which running sshd to do the ssh remote forwarding.

> > > > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> > > > sshd 196794 werner 12u IPv4 1409853 0t0 TCP *:20022 (LISTEN)
> > > > sshd 196794 werner 13u IPv6 1409854 0t0 TCP *:20022 (LISTEN)
> > > [Rest of long output snipped]
> > >
> > > In the whole output I only see one process with PID 196794.
> > I really not noticed that. I mean so many sshd entries belonging to the same process.

Re: There are too many sshd processes has been started on the server triggered by autossh.

<d6f0e1b9-60be-49d5-a2db-96d22b0bf84fn@googlegroups.com>

copy mid

https://www.novabbs.com/devel/article-flat.php?id=4555&group=comp.unix.shell#4555

copy link Newsgroups: comp.unix.shell

X-Received: by 2002:ac8:5e08:: with SMTP id h8mr16640432qtx.66.1635572333679;
Fri, 29 Oct 2021 22:38:53 -0700 (PDT)
X-Received: by 2002:a0c:9d05:: with SMTP id m5mr14798068qvf.30.1635572333571;
Fri, 29 Oct 2021 22:38:53 -0700 (PDT)
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!news.misty.com!border2.nntp.dca1.giganews.com!nntp.giganews.com!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.unix.shell
Date: Fri, 29 Oct 2021 22:38:53 -0700 (PDT)
In-Reply-To: <74e55f7d-976e-493d-bc56-aa9de260117en@googlegroups.com>
Injection-Info: google-groups.googlegroups.com; posting-host=128.199.66.218; posting-account=kF0ZaAoAAACPbiK5gldhAyX5qTd3krV2
NNTP-Posting-Host: 128.199.66.218
References: <de7537f1-14fa-4384-8925-dfe1619f53d3n@googlegroups.com>
<slerhm$9pd$1@tncsrv09.home.tnetconsulting.net> <74e55f7d-976e-493d-bc56-aa9de260117en@googlegroups.com>
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <d6f0e1b9-60be-49d5-a2db-96d22b0bf84fn@googlegroups.com>
Subject: Re: There are too many sshd processes has been started on the server
triggered by autossh.
From: hongyi.z...@gmail.com (hongy...@gmail.com)
Injection-Date: Sat, 30 Oct 2021 05:38:53 +0000
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Lines: 54

by: hongy...@gmail.com - Sat, 30 Oct 2021 05:38 UTC

On Friday, October 29, 2021 at 9:34:21 AM UTC+8, hongy...@gmail.com wrote:
> On Friday, October 29, 2021 at 2:47:16 AM UTC+8, Grant Taylor wrote:
> > On 10/28/21 3:20 AM, hongy...@gmail.com wrote:
> > > On client, I run the follownig command to create a ssh based remote
> > > port forwarding proxy:
> > >
> > > $ autossh -M 0 -4 -NT \
> > > -o ServerAliveInterval=30 \
> > > -o "ServerAliveCountMax=3" \
> > > -o "ExitOnForwardFailure=yes" \
> > > -o StrictHostKeyChecking=no \
> > > -R 21080:localhost:1080 \
> > > -R 20022:localhost:22 \
> > > wer...@my.remote.server -p 2101
> > >
> > > Then on the server side, I observed there are too many sshd processes
> > > has been started:
> > As Spiros pointed out, they are all the same sshd process; 196794.
> > > werner@Standard-PC-i440FX-PIIX-1996:~$ sudo lsof -i :20022
> > > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> > If I've tracked the topology correctly, those all look like
> > 143.198.101.180 connected to port 20022 on the remote server which is
> > forwarded through SSH to port 22 on the client.
> >
> > This seems like an SSH attack from 143.198.101.180 to me. Maybe
> > password guessing / brute forcing.
> > > And this will make SSH forwarding unavailable. Any hints for fixing
> > > this problem?
> > I'm guessing that you're either tripping a security feature (number of
> > total connections, number in a given time, number from a specific
> > source, etc.). I don't see how this would actually prevent the (remote)
> > port forwarding from working with SSH. This seems like a denial of
> > service type issue.
> Thank you for your in-depth analysis. Basically, my goal is to achieve intranet penetration without public IP. It seems that the ssh remote port forwarding method discussed here is not carefully designed for this purpose. So, maybe I should switch to zerotier-one [1].
>
> [1] https://github.com/zerotier/ZeroTierOne

I find another wonderful website which collected and organized most of the open-source tools on this topic:

https://book.hacktricks.xyz/tunneling-and-port-forwarding

I'm currently studying the following tools mentioned by the above website:

https://github.com/jpillora/chisel
https://github.com/sshuttle/sshuttle

Re: There are too many sshd processes has been started on the server triggered by autossh.

<9cded768-2175-4d01-9955-30e8a437c929n@googlegroups.com>

copy mid

https://www.novabbs.com/devel/article-flat.php?id=4557&group=comp.unix.shell#4557

copy link Newsgroups: comp.unix.shell

X-Received: by 2002:a05:622a:14:: with SMTP id x20mr17794719qtw.372.1635585399661;
Sat, 30 Oct 2021 02:16:39 -0700 (PDT)
X-Received: by 2002:ac8:57c9:: with SMTP id w9mr17330018qta.254.1635585399509;
Sat, 30 Oct 2021 02:16:39 -0700 (PDT)
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!proxad.net!feeder1-2.proxad.net!209.85.160.216.MISMATCH!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.unix.shell
Date: Sat, 30 Oct 2021 02:16:39 -0700 (PDT)
In-Reply-To: <d6f0e1b9-60be-49d5-a2db-96d22b0bf84fn@googlegroups.com>
Injection-Info: google-groups.googlegroups.com; posting-host=143.198.81.128; posting-account=kF0ZaAoAAACPbiK5gldhAyX5qTd3krV2
NNTP-Posting-Host: 143.198.81.128
References: <de7537f1-14fa-4384-8925-dfe1619f53d3n@googlegroups.com>
<slerhm$9pd$1@tncsrv09.home.tnetconsulting.net> <74e55f7d-976e-493d-bc56-aa9de260117en@googlegroups.com>
<d6f0e1b9-60be-49d5-a2db-96d22b0bf84fn@googlegroups.com>
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <9cded768-2175-4d01-9955-30e8a437c929n@googlegroups.com>
Subject: Re: There are too many sshd processes has been started on the server
triggered by autossh.
From: hongyi.z...@gmail.com (hongy...@gmail.com)
Injection-Date: Sat, 30 Oct 2021 09:16:39 +0000
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

by: hongy...@gmail.com - Sat, 30 Oct 2021 09:16 UTC

On Saturday, October 30, 2021 at 1:38:55 PM UTC+8, hongy...@gmail.com wrote:
> On Friday, October 29, 2021 at 9:34:21 AM UTC+8, hongy...@gmail.com wrote:
> > On Friday, October 29, 2021 at 2:47:16 AM UTC+8, Grant Taylor wrote:
> > > On 10/28/21 3:20 AM, hongy...@gmail.com wrote:
> > > > On client, I run the follownig command to create a ssh based remote
> > > > port forwarding proxy:
> > > >
> > > > $ autossh -M 0 -4 -NT \
> > > > -o ServerAliveInterval=30 \
> > > > -o "ServerAliveCountMax=3" \
> > > > -o "ExitOnForwardFailure=yes" \
> > > > -o StrictHostKeyChecking=no \
> > > > -R 21080:localhost:1080 \
> > > > -R 20022:localhost:22 \
> > > > wer...@my.remote.server -p 2101
> > > >
> > > > Then on the server side, I observed there are too many sshd processes
> > > > has been started:
> > > As Spiros pointed out, they are all the same sshd process; 196794.
> > > > werner@Standard-PC-i440FX-PIIX-1996:~$ sudo lsof -i :20022
> > > > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> > > If I've tracked the topology correctly, those all look like
> > > 143.198.101.180 connected to port 20022 on the remote server which is
> > > forwarded through SSH to port 22 on the client.
> > >
> > > This seems like an SSH attack from 143.198.101.180 to me. Maybe
> > > password guessing / brute forcing.
> > > > And this will make SSH forwarding unavailable. Any hints for fixing
> > > > this problem?
> > > I'm guessing that you're either tripping a security feature (number of
> > > total connections, number in a given time, number from a specific
> > > source, etc.). I don't see how this would actually prevent the (remote)
> > > port forwarding from working with SSH. This seems like a denial of
> > > service type issue.
> > Thank you for your in-depth analysis. Basically, my goal is to achieve intranet penetration without public IP. It seems that the ssh remote port forwarding method discussed here is not carefully designed for this purpose. So, maybe I should switch to zerotier-one [1].
> >
> > [1] https://github.com/zerotier/ZeroTierOne
> I find another wonderful website which collected and organized most of the open-source tools on this topic:
>
> https://book.hacktricks.xyz/tunneling-and-port-forwarding

The author's GitHub repository is here:

https://github.com/carlospolop/hacktricks.git

> I'm currently studying the following tools mentioned by the above website:
>
> https://github.com/jpillora/chisel
> https://github.com/sshuttle/sshuttle

Re: There are too many sshd processes has been started on the server triggered by autossh.

<slkki0$ace$1@tncsrv09.home.tnetconsulting.net>

copy mid

https://www.novabbs.com/devel/article-flat.php?id=4560&group=comp.unix.shell#4560

copy link Newsgroups: comp.unix.shell

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.unix.shell
Subject: Re: There are too many sshd processes has been started on the server
triggered by autossh.
Date: Sat, 30 Oct 2021 17:24:52 -0600
Organization: TNet Consulting
Message-ID: <slkki0$ace$1@tncsrv09.home.tnetconsulting.net>
References: <de7537f1-14fa-4384-8925-dfe1619f53d3n@googlegroups.com>
<CirgRmSaft2BqciZe@bongo-ra.co>
<0c5f0b22-c456-4b13-b906-839bffcf4276n@googlegroups.com>
<92ef0dac-cb3e-4aa8-9fd5-cd27a958fa1bn@googlegroups.com>
<c55ab9f8-79b3-4e3d-a029-bb13473b9d9dn@googlegroups.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Sat, 30 Oct 2021 23:30:08 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="10638"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
In-Reply-To: <c55ab9f8-79b3-4e3d-a029-bb13473b9d9dn@googlegroups.com>
Content-Language: en-US

by: Grant Taylor - Sat, 30 Oct 2021 23:24 UTC

On 10/29/21 10:45 PM, hongy...@gmail.com wrote:
> Basically, when the problem happens, I will see a lot of the following
> information:

How many is "a lot of"? 10s, 100s, 1,000s? You may be running out
available sockets. There are all sorts of tunables around how long
stocks stay in CLOSE-WAIT and related states. The idea is turn over the
sockets faster.

> $ sudo ss --tcp state CLOSE-WAIT '( sport = 20022 or dst 192.168.10.1 )'
> Recv-Q Send-Q Local Address:Port Peer Address:Port Process
> 42 0 192.168.10.101:20022 192.168.10.1:60930
> 42 0 192.168.10.101:20022 192.168.10.1:32776
> 42 0 192.168.10.101:20022 192.168.10.1:60956
>
> Here, 192.168.10.1 is the intranet gateway interface on the router,
> which has a dynamic public IP address. And 192.168.10.101 is the
> intranet host which running sshd to do the ssh remote forwarding.

Why is your internal system seeing the intranet gateway as the (remote)
source IP? I would expect it to see the real (remote) client's IP
address. This hints at a different configuration that I would not use
unless I had to.

Traditional port forwarding usually shows the real (remote) client's IP
address, not the intranet gateway's IP address. This makes me think
that the intranet gateway is SNATing incoming traffic to it's own IP. I
would not do that unless I had a very specific reason to do so.

--
Grant. . . .
unix || die

Re: There are too many sshd processes has been started on the server triggered by autossh.

<a0eb3a89-5a50-40db-a523-52980c578e4bn@googlegroups.com>

copy mid

https://www.novabbs.com/devel/article-flat.php?id=4561&group=comp.unix.shell#4561

copy link Newsgroups: comp.unix.shell

X-Received: by 2002:ac8:7d47:: with SMTP id h7mr21275288qtb.92.1635645137515;
Sat, 30 Oct 2021 18:52:17 -0700 (PDT)
X-Received: by 2002:a0c:f942:: with SMTP id i2mr5703215qvo.51.1635645137368;
Sat, 30 Oct 2021 18:52:17 -0700 (PDT)
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!proxad.net!feeder1-2.proxad.net!209.85.160.216.MISMATCH!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.unix.shell
Date: Sat, 30 Oct 2021 18:52:17 -0700 (PDT)
In-Reply-To: <slkki0$ace$1@tncsrv09.home.tnetconsulting.net>
Injection-Info: google-groups.googlegroups.com; posting-host=54.180.135.214; posting-account=kF0ZaAoAAACPbiK5gldhAyX5qTd3krV2
NNTP-Posting-Host: 54.180.135.214
References: <de7537f1-14fa-4384-8925-dfe1619f53d3n@googlegroups.com>
<CirgRmSaft2BqciZe@bongo-ra.co> <0c5f0b22-c456-4b13-b906-839bffcf4276n@googlegroups.com>
<92ef0dac-cb3e-4aa8-9fd5-cd27a958fa1bn@googlegroups.com> <c55ab9f8-79b3-4e3d-a029-bb13473b9d9dn@googlegroups.com>
<slkki0$ace$1@tncsrv09.home.tnetconsulting.net>
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <a0eb3a89-5a50-40db-a523-52980c578e4bn@googlegroups.com>
Subject: Re: There are too many sshd processes has been started on the server
triggered by autossh.
From: hongyi.z...@gmail.com (hongy...@gmail.com)
Injection-Date: Sun, 31 Oct 2021 01:52:17 +0000
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

by: hongy...@gmail.com - Sun, 31 Oct 2021 01:52 UTC

On Sunday, October 31, 2021 at 7:24:41 AM UTC+8, Grant Taylor wrote:
> On 10/29/21 10:45 PM, hongy...@gmail.com wrote:
> > Basically, when the problem happens, I will see a lot of the following
> > information:
> How many is "a lot of"? 10s, 100s, 1,000s? You may be running out
> available sockets. There are all sorts of tunables around how long
> stocks stay in CLOSE-WAIT and related states. The idea is turn over the
> sockets faster.
> > $ sudo ss --tcp state CLOSE-WAIT '( sport = 20022 or dst 192.168.10.1 )'
> > Recv-Q Send-Q Local Address:Port Peer Address:Port Process
> > 42 0 192.168.10.101:20022 192.168.10.1:60930
> > 42 0 192.168.10.101:20022 192.168.10.1:32776
> > 42 0 192.168.10.101:20022 192.168.10.1:60956
> >
> > Here, 192.168.10.1 is the intranet gateway interface on the router,
> > which has a dynamic public IP address. And 192.168.10.101 is the
> > intranet host which running sshd to do the ssh remote forwarding.
> Why is your internal system seeing the intranet gateway as the (remote)
> source IP? I would expect it to see the real (remote) client's IP
> address. This hints at a different configuration that I would not use
> unless I had to.

The router OS is OpenWrt for my case. This should be controlled by the following setting:

Loopback source IP
Specifies whether to use the external or the internal IP address for reflected traffic.

> Traditional port forwarding usually shows the real (remote) client's IP
> address, not the intranet gateway's IP address. This makes me think
> that the intranet gateway is SNATing incoming traffic to it's own IP. I
> would not do that unless I had a very specific reason to do so.

In my case, the sshd is running on an intranet host residing on the local subnetwork with the gateway 192.168.10.1, which is one of the interface of the OpenWrt router. And I set the DNAT rule on the router to forward the ssh client request to the sshd daemon process.

Re: There are too many sshd processes has been started on the server triggered by autossh.

<021e9392-7d25-4fcb-9e7b-2d12ae436bfcn@googlegroups.com>

copy mid

https://www.novabbs.com/devel/article-flat.php?id=4562&group=comp.unix.shell#4562

copy link Newsgroups: comp.unix.shell

X-Received: by 2002:ad4:5b81:: with SMTP id 1mr20689613qvp.52.1635646414030;
Sat, 30 Oct 2021 19:13:34 -0700 (PDT)
X-Received: by 2002:a05:620a:244b:: with SMTP id h11mr940096qkn.357.1635646413899;
Sat, 30 Oct 2021 19:13:33 -0700 (PDT)
Path: i2pn2.org!i2pn.org!aioe.org!news.uzoreto.com!newsfeed.xs4all.nl!newsfeed9.news.xs4all.nl!feeder1.cambriumusenet.nl!feed.tweak.nl!209.85.160.216.MISMATCH!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.unix.shell
Date: Sat, 30 Oct 2021 19:13:33 -0700 (PDT)
In-Reply-To: <a0eb3a89-5a50-40db-a523-52980c578e4bn@googlegroups.com>
Injection-Info: google-groups.googlegroups.com; posting-host=143.198.81.115; posting-account=kF0ZaAoAAACPbiK5gldhAyX5qTd3krV2
NNTP-Posting-Host: 143.198.81.115
References: <de7537f1-14fa-4384-8925-dfe1619f53d3n@googlegroups.com>
<CirgRmSaft2BqciZe@bongo-ra.co> <0c5f0b22-c456-4b13-b906-839bffcf4276n@googlegroups.com>
<92ef0dac-cb3e-4aa8-9fd5-cd27a958fa1bn@googlegroups.com> <c55ab9f8-79b3-4e3d-a029-bb13473b9d9dn@googlegroups.com>
<slkki0$ace$1@tncsrv09.home.tnetconsulting.net> <a0eb3a89-5a50-40db-a523-52980c578e4bn@googlegroups.com>
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <021e9392-7d25-4fcb-9e7b-2d12ae436bfcn@googlegroups.com>
Subject: Re: There are too many sshd processes has been started on the server
triggered by autossh.
From: hongyi.z...@gmail.com (hongy...@gmail.com)
Injection-Date: Sun, 31 Oct 2021 02:13:34 +0000
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

by: hongy...@gmail.com - Sun, 31 Oct 2021 02:13 UTC

On Sunday, October 31, 2021 at 9:52:19 AM UTC+8, hongy...@gmail.com wrote:
> On Sunday, October 31, 2021 at 7:24:41 AM UTC+8, Grant Taylor wrote:
> > On 10/29/21 10:45 PM, hongy...@gmail.com wrote:
> > > Basically, when the problem happens, I will see a lot of the following
> > > information:
> > How many is "a lot of"? 10s, 100s, 1,000s? You may be running out
> > available sockets. There are all sorts of tunables around how long
> > stocks stay in CLOSE-WAIT and related states. The idea is turn over the
> > sockets faster.
> > > $ sudo ss --tcp state CLOSE-WAIT '( sport = 20022 or dst 192.168.10..1 )'
> > > Recv-Q Send-Q Local Address:Port Peer Address:Port Process
> > > 42 0 192.168.10.101:20022 192.168.10.1:60930
> > > 42 0 192.168.10.101:20022 192.168.10.1:32776
> > > 42 0 192.168.10.101:20022 192.168.10.1:60956
> > >
> > > Here, 192.168.10.1 is the intranet gateway interface on the router,
> > > which has a dynamic public IP address. And 192.168.10.101 is the
> > > intranet host which running sshd to do the ssh remote forwarding.
> > Why is your internal system seeing the intranet gateway as the (remote)
> > source IP? I would expect it to see the real (remote) client's IP
> > address. This hints at a different configuration that I would not use
> > unless I had to.
> The router OS is OpenWrt for my case. This should be controlled by the following setting:
>
> Loopback source IP
> Specifies whether to use the external or the internal IP address for reflected traffic.

If I use the following setting: Use external IP address, then I will see the following result reported by ss:

$ sudo ss --tcp
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.168.10.101:ssh 60.6.xxx.xxx:40736
ESTAB 0 0 192.168.10.101:ssh 106.9.xxx.xxx:60126

> > Traditional port forwarding usually shows the real (remote) client's IP
> > address, not the intranet gateway's IP address. This makes me think
> > that the intranet gateway is SNATing incoming traffic to it's own IP. I
> > would not do that unless I had a very specific reason to do so.
> In my case, the sshd is running on an intranet host residing on the local subnetwork with the gateway 192.168.10.1, which is one of the interface of the OpenWrt router. And I set the DNAT rule on the router to forward the ssh client request to the sshd daemon process.
>
> HZ

Re: There are too many sshd processes has been started on the server triggered by autossh.

<8863b0a6-60c5-4848-a41f-0c794796247en@googlegroups.com>

copy mid

https://www.novabbs.com/devel/article-flat.php?id=4563&group=comp.unix.shell#4563

copy link Newsgroups: comp.unix.shell

X-Received: by 2002:a05:6214:27e1:: with SMTP id jt1mr20880220qvb.62.1635652576719;
Sat, 30 Oct 2021 20:56:16 -0700 (PDT)
X-Received: by 2002:ac8:5c02:: with SMTP id i2mr21825444qti.133.1635652576572;
Sat, 30 Oct 2021 20:56:16 -0700 (PDT)
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!news.misty.com!border2.nntp.dca1.giganews.com!nntp.giganews.com!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.unix.shell
Date: Sat, 30 Oct 2021 20:56:16 -0700 (PDT)
In-Reply-To: <slerhm$9pd$1@tncsrv09.home.tnetconsulting.net>
Injection-Info: google-groups.googlegroups.com; posting-host=54.180.135.214; posting-account=kF0ZaAoAAACPbiK5gldhAyX5qTd3krV2
NNTP-Posting-Host: 54.180.135.214
References: <de7537f1-14fa-4384-8925-dfe1619f53d3n@googlegroups.com> <slerhm$9pd$1@tncsrv09.home.tnetconsulting.net>
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <8863b0a6-60c5-4848-a41f-0c794796247en@googlegroups.com>
Subject: Re: There are too many sshd processes has been started on the server
triggered by autossh.
From: hongyi.z...@gmail.com (hongy...@gmail.com)
Injection-Date: Sun, 31 Oct 2021 03:56:16 +0000
Content-Type: text/plain; charset="UTF-8"
Lines: 45

by: hongy...@gmail.com - Sun, 31 Oct 2021 03:56 UTC

Really. This is absolutely not the connection initiated by myself.

> > And this will make SSH forwarding unavailable. Any hints for fixing
> > this problem?
> I'm guessing that you're either tripping a security feature (number of
> total connections, number in a given time, number from a specific
> source, etc.). I don't see how this would actually prevent the (remote)
> port forwarding from working with SSH. This seems like a denial of
> service type issue.

There seems to be a security risk in my OpenWrt firewall. I now set the following traffic rules in `/etc/config/firewall', which seems fixed the problem:

config rule
option src 'wan'
option dest '*'
option target 'DROP'
list src_ip '143.110.224.0/20'
list src_ip '143.198.96.0/20'

Re: There are too many sshd processes has been started on the server triggered by autossh.

<1fda5496-f1a1-41bf-b572-8f55aa75400fn@googlegroups.com>

copy mid

https://www.novabbs.com/devel/article-flat.php?id=4564&group=comp.unix.shell#4564

copy link Newsgroups: comp.unix.shell

X-Received: by 2002:a05:622a:1305:: with SMTP id v5mr22374124qtk.62.1635656343617;
Sat, 30 Oct 2021 21:59:03 -0700 (PDT)
X-Received: by 2002:a05:6214:d8b:: with SMTP id e11mr4454011qve.10.1635656343487;
Sat, 30 Oct 2021 21:59:03 -0700 (PDT)
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!news.mixmin.net!proxad.net!feeder1-2.proxad.net!209.85.160.216.MISMATCH!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.unix.shell
Date: Sat, 30 Oct 2021 21:59:03 -0700 (PDT)
In-Reply-To: <8863b0a6-60c5-4848-a41f-0c794796247en@googlegroups.com>
Injection-Info: google-groups.googlegroups.com; posting-host=54.180.135.214; posting-account=kF0ZaAoAAACPbiK5gldhAyX5qTd3krV2
NNTP-Posting-Host: 54.180.135.214
References: <de7537f1-14fa-4384-8925-dfe1619f53d3n@googlegroups.com>
<slerhm$9pd$1@tncsrv09.home.tnetconsulting.net> <8863b0a6-60c5-4848-a41f-0c794796247en@googlegroups.com>
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <1fda5496-f1a1-41bf-b572-8f55aa75400fn@googlegroups.com>
Subject: Re: There are too many sshd processes has been started on the server
triggered by autossh.
From: hongyi.z...@gmail.com (hongy...@gmail.com)
Injection-Date: Sun, 31 Oct 2021 04:59:03 +0000
Content-Type: text/plain; charset="UTF-8"

by: hongy...@gmail.com - Sun, 31 Oct 2021 04:59 UTC

On Sunday, October 31, 2021 at 11:56:19 AM UTC+8, hongy...@gmail.com wrote:
> On Friday, October 29, 2021 at 2:47:16 AM UTC+8, Grant Taylor wrote:
> > On 10/28/21 3:20 AM, hongy...@gmail.com wrote:
> > > On client, I run the follownig command to create a ssh based remote
> > > port forwarding proxy:
> > >
> > > $ autossh -M 0 -4 -NT \
> > > -o ServerAliveInterval=30 \
> > > -o "ServerAliveCountMax=3" \
> > > -o "ExitOnForwardFailure=yes" \
> > > -o StrictHostKeyChecking=no \
> > > -R 21080:localhost:1080 \
> > > -R 20022:localhost:22 \
> > > wer...@my.remote.server -p 2101
> > >
> > > Then on the server side, I observed there are too many sshd processes
> > > has been started:
> > As Spiros pointed out, they are all the same sshd process; 196794.
> > > werner@Standard-PC-i440FX-PIIX-1996:~$ sudo lsof -i :20022
> > > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> > If I've tracked the topology correctly, those all look like
> > 143.198.101.180 connected to port 20022 on the remote server which is
> > forwarded through SSH to port 22 on the client.
> >
> > This seems like an SSH attack from 143.198.101.180 to me. Maybe
> > password guessing / brute forcing.
> Really. This is absolutely not the connection initiated by myself.
> > > And this will make SSH forwarding unavailable. Any hints for fixing
> > > this problem?
> > I'm guessing that you're either tripping a security feature (number of
> > total connections, number in a given time, number from a specific
> > source, etc.). I don't see how this would actually prevent the (remote)
> > port forwarding from working with SSH. This seems like a denial of
> > service type issue.
> There seems to be a security risk in my OpenWrt firewall. I now set the following traffic rules in `/etc/config/firewall', which seems fixed the problem:
>
> config rule
> option src 'wan'
> option dest '*'
> option target 'DROP'
> list src_ip '143.110.224.0/20'
> list src_ip '143.198.96.0/20'

I have changed to the better method below:

config redirect
option target 'DNAT'
list proto 'tcp'
option src 'wan'
option src_dport '20022'
option dest 'lan'
option dest_ip '192.168.10.101'
option dest_port '20022'
option name 'autossh-remote-forward-ssh-pve-ubuntu'
option reflection_src 'external'
option src_dip '106.9.xxx.xxx'
option src_ip '60.0.0.0/13'

The CIDR address ranges used above is obtained from https://ipinfo.io/

Re: There are too many sshd processes has been started on the server triggered by autossh.

<a6b2da98-d765-4038-98f0-f81c0ade025fn@googlegroups.com>

copy mid

https://www.novabbs.com/devel/article-flat.php?id=4565&group=comp.unix.shell#4565

copy link Newsgroups: comp.unix.shell

X-Received: by 2002:ad4:576a:: with SMTP id r10mr6947899qvx.5.1635669752541;
Sun, 31 Oct 2021 01:42:32 -0700 (PDT)
X-Received: by 2002:a05:620a:44d1:: with SMTP id y17mr18029483qkp.235.1635669752378;
Sun, 31 Oct 2021 01:42:32 -0700 (PDT)
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!news.misty.com!border2.nntp.dca1.giganews.com!border1.nntp.dca1.giganews.com!nntp.giganews.com!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.unix.shell
Date: Sun, 31 Oct 2021 01:42:32 -0700 (PDT)
In-Reply-To: <9cded768-2175-4d01-9955-30e8a437c929n@googlegroups.com>
Injection-Info: google-groups.googlegroups.com; posting-host=128.199.172.34; posting-account=kF0ZaAoAAACPbiK5gldhAyX5qTd3krV2
NNTP-Posting-Host: 128.199.172.34
References: <de7537f1-14fa-4384-8925-dfe1619f53d3n@googlegroups.com>
<slerhm$9pd$1@tncsrv09.home.tnetconsulting.net> <74e55f7d-976e-493d-bc56-aa9de260117en@googlegroups.com>
<d6f0e1b9-60be-49d5-a2db-96d22b0bf84fn@googlegroups.com> <9cded768-2175-4d01-9955-30e8a437c929n@googlegroups.com>
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <a6b2da98-d765-4038-98f0-f81c0ade025fn@googlegroups.com>
Subject: Re: There are too many sshd processes has been started on the server
triggered by autossh.
From: hongyi.z...@gmail.com (hongy...@gmail.com)
Injection-Date: Sun, 31 Oct 2021 08:42:32 +0000
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Lines: 71

by: hongy...@gmail.com - Sun, 31 Oct 2021 08:42 UTC

On Saturday, October 30, 2021 at 5:16:42 PM UTC+8, hongy...@gmail.com wrote:
> On Saturday, October 30, 2021 at 1:38:55 PM UTC+8, hongy...@gmail.com wrote:
> > On Friday, October 29, 2021 at 9:34:21 AM UTC+8, hongy...@gmail.com wrote:
> > > On Friday, October 29, 2021 at 2:47:16 AM UTC+8, Grant Taylor wrote:
> > > > On 10/28/21 3:20 AM, hongy...@gmail.com wrote:
> > > > > On client, I run the follownig command to create a ssh based remote
> > > > > port forwarding proxy:
> > > > >
> > > > > $ autossh -M 0 -4 -NT \
> > > > > -o ServerAliveInterval=30 \
> > > > > -o "ServerAliveCountMax=3" \
> > > > > -o "ExitOnForwardFailure=yes" \
> > > > > -o StrictHostKeyChecking=no \
> > > > > -R 21080:localhost:1080 \
> > > > > -R 20022:localhost:22 \
> > > > > wer...@my.remote.server -p 2101
> > > > >
> > > > > Then on the server side, I observed there are too many sshd processes
> > > > > has been started:
> > > > As Spiros pointed out, they are all the same sshd process; 196794.
> > > > > werner@Standard-PC-i440FX-PIIX-1996:~$ sudo lsof -i :20022
> > > > > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> > > > If I've tracked the topology correctly, those all look like
> > > > 143.198.101.180 connected to port 20022 on the remote server which is
> > > > forwarded through SSH to port 22 on the client.
> > > >
> > > > This seems like an SSH attack from 143.198.101.180 to me. Maybe
> > > > password guessing / brute forcing.
> > > > > And this will make SSH forwarding unavailable. Any hints for fixing
> > > > > this problem?
> > > > I'm guessing that you're either tripping a security feature (number of
> > > > total connections, number in a given time, number from a specific
> > > > source, etc.). I don't see how this would actually prevent the (remote)
> > > > port forwarding from working with SSH. This seems like a denial of
> > > > service type issue.
> > > Thank you for your in-depth analysis. Basically, my goal is to achieve intranet penetration without public IP. It seems that the ssh remote port forwarding method discussed here is not carefully designed for this purpose. So, maybe I should switch to zerotier-one [1].
> > >
> > > [1] https://github.com/zerotier/ZeroTierOne
> > I find another wonderful website which collected and organized most of the open-source tools on this topic:
> >
> > https://book.hacktricks.xyz/tunneling-and-port-forwarding
> The author's GitHub repository is here:
>
> https://github.com/carlospolop/hacktricks.git

Here is another similar wonderful GitHub repository:

https://github.com/anderspitman/awesome-tunneling

> > I'm currently studying the following tools mentioned by the above website:
> >
> > https://github.com/jpillora/chisel
> > https://github.com/sshuttle/sshuttle

Re: There are too many sshd processes has been started on the server triggered by autossh.

<slmo69$jfi$1@tncsrv09.home.tnetconsulting.net>

copy mid

https://www.novabbs.com/devel/article-flat.php?id=4566&group=comp.unix.shell#4566

copy link Newsgroups: comp.unix.shell

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.unix.shell
Subject: Re: There are too many sshd processes has been started on the server
triggered by autossh.
Date: Sun, 31 Oct 2021 12:38:51 -0600
Organization: TNet Consulting
Message-ID: <slmo69$jfi$1@tncsrv09.home.tnetconsulting.net>
References: <de7537f1-14fa-4384-8925-dfe1619f53d3n@googlegroups.com>
<slerhm$9pd$1@tncsrv09.home.tnetconsulting.net>
<8863b0a6-60c5-4848-a41f-0c794796247en@googlegroups.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Sun, 31 Oct 2021 18:44:25 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="19954"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
In-Reply-To: <8863b0a6-60c5-4848-a41f-0c794796247en@googlegroups.com>
Content-Language: en-US

by: Grant Taylor - Sun, 31 Oct 2021 18:38 UTC

On 10/30/21 9:56 PM, hongy...@gmail.com wrote:
> Really. This is absolutely not the connection initiated by myself.

I assumed that it wasn't you initiating the connection(s).

But based on the output of netstat / ss, that's what the connection
looks like. I assume that is a false appearance based on a ... sub-par
configuration somewhere.

--
Grant. . . .
unix || die

Re: There are too many sshd processes has been started on the server triggered by autossh.

<slmoag$jfi$2@tncsrv09.home.tnetconsulting.net>

copy mid

https://www.novabbs.com/devel/article-flat.php?id=4567&group=comp.unix.shell#4567

copy link Newsgroups: comp.unix.shell

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.unix.shell
Subject: Re: There are too many sshd processes has been started on the server
triggered by autossh.
Date: Sun, 31 Oct 2021 12:41:05 -0600
Organization: TNet Consulting
Message-ID: <slmoag$jfi$2@tncsrv09.home.tnetconsulting.net>
References: <de7537f1-14fa-4384-8925-dfe1619f53d3n@googlegroups.com>
<CirgRmSaft2BqciZe@bongo-ra.co>
<0c5f0b22-c456-4b13-b906-839bffcf4276n@googlegroups.com>
<92ef0dac-cb3e-4aa8-9fd5-cd27a958fa1bn@googlegroups.com>
<c55ab9f8-79b3-4e3d-a029-bb13473b9d9dn@googlegroups.com>
<slkki0$ace$1@tncsrv09.home.tnetconsulting.net>
<a0eb3a89-5a50-40db-a523-52980c578e4bn@googlegroups.com>
<021e9392-7d25-4fcb-9e7b-2d12ae436bfcn@googlegroups.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Sun, 31 Oct 2021 18:46:40 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="19954"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
In-Reply-To: <021e9392-7d25-4fcb-9e7b-2d12ae436bfcn@googlegroups.com>
Content-Language: en-US

by: Grant Taylor - Sun, 31 Oct 2021 18:41 UTC

On 10/30/21 8:13 PM, hongy...@gmail.com wrote:
> If I use the following setting: Use external IP address, then I will
> see the following result reported by ss:

It seems as if you have found and corrected what I was describing as a
sub-par configuration.

> $ sudo ss --tcp
> State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
> ESTAB 0 0 192.168.10.101:ssh 60.6.xxx.xxx:40736
> ESTAB 0 0 192.168.10.101:ssh 106.9.xxx.xxx:60126

That is exactly the type of output that I would expect.

I wonder if you will have any connection issues now. -- My thought is
that there was a security setting somewhere that you were tickling
related to the maximum number of connections from a singular IP. Now
the connections will appear to be from their real IP, not your gateway's IP.

--
Grant. . . .
unix || die

Re: There are too many sshd processes has been started on the server triggered by autossh.

<220ca394-1778-4fa7-ad6a-106bcb38f50an@googlegroups.com>

copy mid

https://www.novabbs.com/devel/article-flat.php?id=4568&group=comp.unix.shell#4568

copy link Newsgroups: comp.unix.shell

X-Received: by 2002:a37:9544:: with SMTP id x65mr21140356qkd.275.1635733323939;
Sun, 31 Oct 2021 19:22:03 -0700 (PDT)
X-Received: by 2002:a05:622a:104b:: with SMTP id f11mr7413578qte.197.1635733323781;
Sun, 31 Oct 2021 19:22:03 -0700 (PDT)
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!news.misty.com!border2.nntp.dca1.giganews.com!nntp.giganews.com!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.unix.shell
Date: Sun, 31 Oct 2021 19:22:03 -0700 (PDT)
In-Reply-To: <slmoag$jfi$2@tncsrv09.home.tnetconsulting.net>
Injection-Info: google-groups.googlegroups.com; posting-host=143.198.81.115; posting-account=kF0ZaAoAAACPbiK5gldhAyX5qTd3krV2
NNTP-Posting-Host: 143.198.81.115
References: <de7537f1-14fa-4384-8925-dfe1619f53d3n@googlegroups.com>
<CirgRmSaft2BqciZe@bongo-ra.co> <0c5f0b22-c456-4b13-b906-839bffcf4276n@googlegroups.com>
<92ef0dac-cb3e-4aa8-9fd5-cd27a958fa1bn@googlegroups.com> <c55ab9f8-79b3-4e3d-a029-bb13473b9d9dn@googlegroups.com>
<slkki0$ace$1@tncsrv09.home.tnetconsulting.net> <a0eb3a89-5a50-40db-a523-52980c578e4bn@googlegroups.com>
<021e9392-7d25-4fcb-9e7b-2d12ae436bfcn@googlegroups.com> <slmoag$jfi$2@tncsrv09.home.tnetconsulting.net>
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <220ca394-1778-4fa7-ad6a-106bcb38f50an@googlegroups.com>
Subject: Re: There are too many sshd processes has been started on the server
triggered by autossh.
From: hongyi.z...@gmail.com (hongy...@gmail.com)
Injection-Date: Mon, 01 Nov 2021 02:22:03 +0000
Content-Type: text/plain; charset="UTF-8"
Lines: 22

by: hongy...@gmail.com - Mon, 1 Nov 2021 02:22 UTC

On Monday, November 1, 2021 at 2:41:10 AM UTC+8, Grant Taylor wrote:
> On 10/30/21 8:13 PM, hongy...@gmail.com wrote:
> > If I use the following setting: Use external IP address, then I will
> > see the following result reported by ss:
> It seems as if you have found and corrected what I was describing as a
> sub-par configuration.
> > $ sudo ss --tcp
> > State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
> > ESTAB 0 0 192.168.10.101:ssh 60.6.xxx.xxx:40736
> > ESTAB 0 0 192.168.10.101:ssh 106.9.xxx.xxx:60126
> That is exactly the type of output that I would expect.
>
> I wonder if you will have any connection issues now. -- My thought is
> that there was a security setting somewhere that you were tickling
> related to the maximum number of connections from a singular IP. Now
> the connections will appear to be from their real IP, not your gateway's IP.

Do you mean something like the following?

root@OpenWrt:~# sysctl net.nf_conntrack_max
net.nf_conntrack_max = 16384

Pages:12

server_pubkey.txt

rocksolid light 0.9.8
clearnet tor