RE: sshd down randomly, back up after ~10 mins?

You probably don't need the "keep frags" part of the rule for this
application. Weird problem.


-----Original Message-----
From: owner-ipfilter@coombs.anu.edu.au
[mailto:owner-ipfilter@coombs.anu.edu.au] On Behalf Of Amadeus Stevenson
Sent: Saturday, July 09, 2005 5:38 PM
To: NetBSD Users
Cc: ipfilter@coombs.anu.edu.au
Subject: sshd down randomly, back up after ~10 mins?

Hello,

Apologies if incorrect place to post (netbsd-help?).

I have sshd running on

NetBSD GATEWAY 2.0 NetBSD 2.0 (RALTQ) #0: Sun Feb 6 22:27:10 GMT 2005
amadeus@GATEWAY:/usr/src/sys/arch/i386/compile/RALTQ i386

with ipf rule

pass in quick on rtk0 proto tcp from any to rtk0/32 port = 22 flags S
keep state keep frags

Every once in a while, in a way which I can't reproduce my ssh
sessions lock-up and I am then disconnected. I cannot reconnect via
sshd. However httpd continues to function "normally".

If I nmap the machine remotely it shows the sshd port as "filtered"
ie. the sshd is not responding. Normally it is "open". httpd is open
at all times.

I changed LogLevel DEBUG in sshd_config and the following corresponds
in authlog:

Jul 9 22:12:06 GATEWAY sshd[27212]: Read error from remote host
my.ip.address: Connection timed out

Otherwise there are no entries in /var/log/messages or /var/authlog.

The pid remains the same before and after this happens, so sshd is not
restarted.

ssh comes alive again after ~5/10 minutes.

Does anyone know why this would happen?

Or better still: how can I debug more?

I have a default-block-all on the machine, but ipmon doesn't show any
blocked packets when I regain access and check.

Any ideas would be appreciated.

This didn't always seem to happen...

Amadeus