Need multiple tries to SSH and SFTP

g6260

Registered
Dec 26, 2014
2
0
1
cPanel Access Level
Root Administrator
For some reason, my cPanel server always requires multiple SSH or SFTP tries before I can successfully log in.

Typically it takes me spamming the ssh login command 5-6 times. After I'm logged in, the SSH connection is perfectly stable.

The same occurs when I use FileZilla with SFTP to interact with the FTP server. When logging in, the connection is refused multiple times, but after a couple of tries I get through.

I have tried logging in from various networks, all with the same problem.

Whitelisting my IP on the csf firewall does not help.

Below is the verbose output of the SSH login command I use:

$ ssh linode -v
OpenSSH_7.3p1, OpenSSL 1.0.2j 26 Sep 2016
debug1: Reading configuration data /c/Users/Galen/.ssh/config
debug1: /c/Users/Galen/.ssh/config line 1: Applying options for **
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to ** [**.**.**.**] port 22.
debug1: Connection established.
debug1: identity file /c/Users/Galen/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/Galen/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/Galen/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/Galen/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/Galen/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/Galen/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/Galen/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/Galen/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.3
ssh_exchange_identification: Connection closed by remote host

Does anyone have an idea what's causing this? Any suggestions are greatly appreciated.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,911
2,234
363
Hello,

Do you notice any output to /var/log/secure when the initial attempts fail?

Thank you.
 

g6260

Thank you for your reply, Michael.

I've been tailing /var/log/secure while attempting to log in.

Only the successful logins appear in the log.

Dec 20 20:25:47 server-1 sshd[10404]: Accepted publickey for root from **.**.**.** port 56039 ssh2
Dec 20 20:25:47 server-1 sshd[10404]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec 20 20:28:12 server-1 sshd[12139]: Received disconnect from **.**.**.**: 11: disconnected by user
Dec 20 20:28:12 server-1 sshd[12139]: pam_unix(sshd:session): session closed for user root

If the connection is closed by the remote host, there is no output to the log at all.
 

cPanelMichael

Hello,

Could you open a support ticket using the link in my signature so we can take a closer look?

Thank you.
 

cPanelMichael

> Whitelisting my IP on the csf firewall does not help.

Hello,

To update, per the support ticket, it looks as though the culprit was the CSF firewall application:

When this typically occurs, it seems that CSF is the culprit. SSH is unwilling to start a new authentication process due to too many authentication processes already running. A server having enough SSH startup processes to cause this issue likely has a 3rd party firewall application which is adding outgoing "DROP" rules for IPs detected as brute forcing. Since this firewall rule doesn't result in an error packet being sent back to the process in question, it remains running indefinitely.

Additionally, you may want to consider moving SSH to an alternate port to help prevent brute force attacks. We provide a thread to help with this at:

[Tutorial] Interested in increasing the security of your server? Read this. (sshd hardening)

Thank you.
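
A diagnostic sketch for the condition described in the ticket, added here as an example and not taken from the thread or from cPanel. It assumes the limit involved is sshd's `MaxStartups` (`start:rate:full`), counts pre-authentication sshd processes by their privilege-separation process titles, and estimates how often a new connection would be dropped before the banner exchange. The `ps` lines are constructed sample data and `10:30:100` is the current OpenSSH default, not a value from this server.

```shell
#!/bin/sh
# Added example: how many sshd sessions are stuck before authentication,
# and what share of new connections sshd would refuse as a result.

# Count pre-auth sshd processes in `ps -eo args` output read from stdin.
# Assumption: privilege-separated OpenSSH titles such as
# "sshd: [accepted]" and "sshd: <user> [net]".
count_preauth() {
    awk '/^sshd: (\[accepted\]|.* \[net\])[ \t]*$/ { n++ } END { print n + 0 }'
}

# drop_percent PENDING MAXSTARTUPS -> integer percentage of refused connections.
# Below "start" nothing is dropped, at "full" everything is; in between the
# probability rises linearly from "rate" to 100 (integer arithmetic).
drop_percent() {
    n=$1; spec=$2
    case $spec in
        *:*:*) start=${spec%%:*}; rest=${spec#*:}
               rate=${rest%%:*}; full=${rest#*:} ;;
        *)     start=$spec; rate=100; full=$spec ;;   # single-number form
    esac
    if [ "$n" -lt "$start" ]; then
        echo 0
    elif [ "$n" -ge "$full" ]; then
        echo 100
    else
        echo $(( rate + (100 - rate) * (n - start) / (full - start) ))
    fi
}

# Constructed sample of `ps -eo args` output (not from the thread).
SAMPLE_PS='/usr/sbin/sshd -D
sshd: root@pts/0
sshd: [accepted]
sshd: unknown [priv]
sshd: unknown [net]
sshd: root [priv]
sshd: root [net]
sshd: admin [net]'

pending=$(printf '%s\n' "$SAMPLE_PS" | count_preauth)
echo "pending unauthenticated sessions in sample: $pending"

# On a live server, feed real data instead:
#   ps -eo args | count_preauth
#   sshd -T | grep -i '^maxstartups'      (run as root)
for count in "$pending" 10 55 80 100; do
    echo "$count pending -> $(drop_percent "$count" 10:30:100)% of new connections dropped"
done
```

A pending count that stays high while `/var/log/secure` shows no failed logins fits the symptom in this thread: the refused connections are closed before authentication starts, so only the successful attempts are logged.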