Admin Notes for SSH Service

Available servers

We provide two SSH servers:

- Accessible by all DICE users. This is currently on bruegel. See external-access-server-student.h for details.
- Accessible by anyone in the login/staffssh/remote netgroup, which includes all staff, visitors and research postgraduate students. This is currently on hare. See external-access-server-staff.h for details.

If a machine dies then the expectation is that a new machine will be installed and the DNS CNAMEs moved as required. If the staff server dies then clearly all users can be directed to use the other server during the period of downtime. If the general server dies then ideally you just quickly install another one (it really doesn't take much time) but if that cannot be done then the LCFG profile for the staff server could be reconfigured. In that case, afterwards when resetting the staff server config you probably want to at least reboot to force all non-staff users to reconnect to the correct server.

There is also a test server - rabbit - which can be used to try out any changes before applying them to the live service.


These services do not require much in the way of computing power or disk space so we typically put them on old hardware which has previously been used for something else. This means they may be quite old but we've not found that to be a cause of excessive failures.

As these machines are obvious candidates for remote attacks we aim to keep them on real hardware so that any successful intrusion could not jump from the VM to the host.

To ensure users do not accidentally cause a DoS attack on a machine we strictly limit the amount of memory and the number of processes. Occasionally users hit these limits and complain but it's most likely they should have been doing the work somewhere else...

Login issues, e.g. "Connection reset by peer" error

This could mean many things, such as the account being disabled due to inactivity, so check prometheus-get-info flags first. If the account is valid, they may be entering their UUN incorrectly: an uppercase S in a matriculation number will not work. To check the login attempts on the ssh server (remember: do not ksu on this server, only on your own machine before connecting) grep the auth log for part of the UUN,

e.g. grep 123456 /var/log/auth.log

You should be able to spot errors such as "PAM: Authentication error", "invalid user" or "illegal user".
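As an added example (not part of the original notes), the grep above wrapped in a small triage script: it runs over constructed auth.log-style sample lines and summarises, per UUN fragment, how many invalid-user lines, PAM authentication failures and accepted logins appear. The log contents, hostnames, IP addresses and UUNs are all made up; the match is case-insensitive so a mistyped uppercase S still shows up.

```shell
#!/bin/sh
# Added example: triage SSH login attempts for one UUN fragment in an
# auth.log-style file. The log lines below are CONSTRUCTED sample data
# (hostname, UUNs and addresses are hypothetical), written to a temp file
# so the script runs offline.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jan 21 10:01:02 bruegel sshd[2101]: Invalid user S1234567 from 192.0.2.10 port 51234
Jan 21 10:01:02 bruegel sshd[2101]: input_userauth_request: invalid user S1234567 [preauth]
Jan 21 10:02:15 bruegel sshd[2110]: error: PAM: Authentication failure for s1234567 from 192.0.2.10
Jan 21 10:02:40 bruegel sshd[2110]: Accepted publickey for s1234567 from 192.0.2.10 port 51240 ssh2
Jan 21 10:05:00 bruegel sshd[2150]: error: PAM: Authentication failure for s7654321 from 198.51.100.7
EOF

# Every line mentioning the UUN fragment, case-insensitive (like the grep in
# the notes, but also catching a wrongly typed uppercase S).
ssh_login_lines() {
    grep -i -- "$1" "$2"
}

# Number of lines for the UUN fragment that also match a failure/success
# pattern. "|| true" keeps a zero count from being a non-zero exit status.
count_matches() {
    ssh_login_lines "$1" "$2" | grep -c -- "$3" || true
}

# One-line verdict for a UUN fragment: how many invalid-user lines, PAM
# authentication failures and accepted logins the log holds for it.
ssh_login_summary() {
    uun=$1
    log=$2
    invalid=$(count_matches "$uun" "$log" "nvalid user")
    pamfail=$(count_matches "$uun" "$log" "PAM: Authentication")
    ok=$(count_matches "$uun" "$log" "Accepted ")
    echo "uun=$uun invalid_user=$invalid pam_failures=$pamfail accepted=$ok"
}

# Usage on the sample data: a user who typed S1234567 twice before logging in.
ssh_login_summary 1234567 "$SAMPLE_LOG"
```

Point this at /var/log/auth.log on the ssh server instead of the temp file; a non-zero invalid_user count next to an accepted login is the usual signature of the uppercase-S mistake described above.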


We run fail2ban to monitor the authentication logs and apply bans when there are too many login failures for accounts. Occasionally this causes problems for users who are using the wrong password. To unban an IP address for someone do the following (e.g. IP address is

fail2ban-client set sshtcpwrap unbanip

You can verify this had the desired effect by checking the contents of /etc/hosts.deny.

The smtp.inf server also runs fail2ban; its logs can be checked in /var/lcfg/log/fail2ban.

-- StephenQuinney - 21 Jan 2019

Topic revision: r4 - 07 Jun 2021 - 09:36:48 - AdamKirylczuk