[opensuse] Slow SSH, well sort of...
I'm on (any SuSE) a local machine, accessing a particular remote machine running SuSE11.0 using SSH all plain vanilla.

From my local machine to others out there, things are fast as expected.

To the troubled machine (openSuSE11) things are slow this way:

It takes a looooooooooong time to log in. Once in, anything typed echoes back as expected, for example "l" to get a directory listing. But - the listing itself takes 10 - 15 seconds to emerge.

If I open two ssh shells to the troubled machine and keep an eye on the live log (using tail -f /var/log/messages), I see nothing wrong. I see, however, that the log entry for someone logging in emerges immediately, but the actual prompt (in my second ssh shell) does appear only after like 10 seconds after the line in the log is seen.

I do see one line in the log though..it says:

"Did not receive identification string from (my IP)"

I read somewhere that this is caused "by the host not running ident.d" (??) Anyone knows anything?

As always, all help is appreciated.

--
Best regards
Verner Kjærsgaard
On Saturday, 2009-01-10 at 17:20 +0100, Verner Kjærsgaard wrote:
> From my local machine to others out there, things are fast as expected.
> To the troubled machine (openSuSE11) things are slow this way:
One thing you should verify is the quality of the network connection to that machine. Maybe it is bad and requires many retransmissions.

--
Cheers,
Carlos E. R.
On Sat, Jan 10, 2009 at 05:20:01PM +0100, Verner Kjærsgaard wrote:
> I do see one line in the log though..it says:
> "Did not receive identification string from (my IP)"
> I read somewhere that this is caused "by the host not running ident.d" (??) Anyone knows anything?
Does ssh -v troubled.machine (or ssh -vv or even ssh -vvv) show anything interesting?

--
Best regards
Petr Uzel, Packages maintainer
SUSE LINUX, s.r.o.
Lihovarská 1060/12
190 00 Prague 9
Czech Republic
e-mail: puzel@suse.cz
tel: +420 284 028 964
fax: +420 284 028 951
http://www.suse.cz
Petr Uzel wrote:
> Does ssh -v troubled.machine (or ssh -vv or even ssh -vvv) show anything interesting?
I'll try those out, good point. Why didn't I think of it myself. Sorry..and thank you for your answer!

--
Best regards
Verner Kjærsgaard
Open Source Academy
+45 56964223
Novell Certified Linux Professional 10035701
Hi!

On Saturday, 10 January 2009, Verner Kjærsgaard wrote:
> It takes a looooooooooong time to log in. Once in, anything typed echoes back as expected, for example "l" to get a directory listing. But - the listing itself takes 10 - 15 seconds to emerge.

Is the server publicly reachable? In my experience having SSH reachable via port 22 can make the server pretty much stall due to the massive amount of login attempts carried out by drones.

Regards, Matthias

--
Matthias Bach
www.marix.org
"The only way of discovering the limits of the possible is to venture a little way past them into the impossible." - Arthur C. Clarke
Matthias Bach wrote:
> Is the server publicly reachable? In my experience having SSH reachable via port 22 can make the server pretty much stall due to the massive amount of login attempts carried out by drones.
>
> Regards, Matthias
- thank you for your answer.
- I see no (not yet anyhow...) the usual attacks in the logs. When they start coming, I'll install denyhosts :-)

--
Best regards
Verner Kjærsgaard
Matthias Bach wrote:
> Is the server publicly reachable? In my experience having SSH reachable via port 22 can make the server pretty much stall due to the massive amount of login attempts carried out by drones.
>
> Regards, Matthias
That is why I STRONGLY suggest moving ssh to a high port in the 5000 to 7000 range. There will be zero script kiddie login attempts from APNIC.

The process is simple:

(1) look at /etc/services and find an _open_ port wherever you want to move ssh to;

(2) edit /etc/ssh/sshd_config and uncomment the port option and change the port number:

    Port 8687

(3) to make the port change transparent to your users just specify the port change in the system-wide config file '/etc/ssh/ssh_config' or if you only want some users to have ssh access, then specify the change in the per user config file '~/.ssh/config'. (see man ssh) The format is simply 'Host' and 'Port' on separate lines like:

    17:25 ecstasy:~> cat .ssh/config
    #
    ## 3111skyline.com
    #
    Host alchemy.3111skyline.com alchemy
    Port 22
    Host arete.3111skyline.com arete
    Port 22
    Host ecstasy.3111skyline.com ecstasy
    Port 8687

Everything that uses ssh ( like fish://, scp, rsync, etc. ) will automatically use the new port if you create the config file. As above, you need to specify those hosts that are still on port 22 as well. Otherwise, the box will default to trying ssh connections on its new default high port.

Now your annoying little login attempts that fill up your log files are a thing of the past ;-)

--
David C. Rankin, J.D.,P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com
David C. Rankin wrote:
> That is why I STRONGLY suggest moving ssh to a high port in the 5000 to 7000 range. There will be zero script kiddie login attempts from APNIC.
- thanks. Taken into serious consideration.
- and written into my knowledge base :-)

--
Best regards
Verner Kjærsgaard
On Saturday 10 January 2009 23:30:21 David C. Rankin wrote:
> (3) to make the port change transparent to your users just specify the port change in the system-wide config file '/etc/ssh/ssh_config' or if you only want some users to have ssh access, then specify the change in the per user config file '~/.ssh/config'. (see man ssh) The format is simply 'Host' and 'Port' on separate lines like:
>
>     17:25 ecstasy:~> cat .ssh/config
>     #
>     ## 3111skyline.com
>     #
>     Host alchemy.3111skyline.com alchemy
>     Port 22
>     Host arete.3111skyline.com arete
>     Port 22
>     Host ecstasy.3111skyline.com ecstasy
>     Port 8687
I know you've mentioned this before, David, but I probably wasn't paying enough attention.

If I put similar lines to the above into my '/etc/ssh/ssh_config' file, then a remote user who has his public key in an 'authorized_keys' file here, who does a simple ssh to my_WLAN_IP, will get through without having to do 'ssh -p 8687 my_WLAN_IP'?

Have I got this right?

YaB (Yet Another Bob)

--
Registered Linux User #463880 FSFE Member #1300
GPG-FP: A6C1 457C 6DBA B13E 5524 F703 D12A FB79 926B 994E
openSUSE 11.1, Kernel 2.6.27.7-9-default, KDE 3.5.10
Intel Core2 Quad Q9400 2.66GHz, 4GB DDR RAM, nVidia GeForce 9200GS
Bob Williams wrote:
> I know you've mentioned this before, David, but I probably wasn't paying enough attention.
>
> If I put similar lines to the above into my '/etc/ssh/ssh_config' file, then a remote user who has his public key in an 'authorized_keys' file here, who does a simple ssh to my_WLAN_IP, will get through without having to do 'ssh -p 8687 my_WLAN_IP'?
>
> Have I got this right?
>
> YaB (Yet Another Bob)
No, the other user will have to have his own .ssh/config file with:

    Host bobsbox.bobsdomain.com bobsbox
    Port 8687

in it in order to connect to your machine without having to add the -p 8687 option. For each user machine you can also set the global file /etc/ssh/ssh_config with a list of the Host/Port combinations rather than doing it on a per user basis. The SSH_CONFIG(5) man page is reasonable in explaining the user/global setting.

Sorry for the late reply, I'm a bit behind...

--
David C. Rankin, J.D.,P.E.
Verner Kjærsgaard wrote:
> I do see one line in the log though..it says:
> "Did not receive identification string from (my IP)"
I've seen trouble like that when your ip doesn't have a (reverse) dns record. The delay is the dns query timeout on the remote server.

--
Sandy
List replies only please!
Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
Sandy Drobic wrote:
> I've seen trouble like that when your ip doesn't have a (reverse) dns record. The delay is the dns query timeout on the remote server.
BINGO!

I'm absolutely sure that's it. Now how does one circumvent that...could I just enter my outgoing IP into the remote machine's /etc/hosts and hope for the best?

--
Best regards
Verner Kjærsgaard
Verner Kjærsgaard wrote:
> BINGO!
>
> I'm absolutely sure that's it. Now how does one circumvent that...could I just enter my outgoing IP into the remote machine's /etc/hosts and hope for the best?
eh...thinking...it cannot be an SSH issue...hear this...

you see, after the SSH connection is established, the answers from the remote machine are still very slow. For example, I hit "l" (list dir) which is echoed immediately back to me. But the list itself takes about 10 seconds to emerge.

hmmmmm...any thoughts on this?

--
Best regards
Verner Kjærsgaard
Verner Kjærsgaard wrote:
> eh...thinking...it cannot be an SSH issue...hear this...
>
> you see, after the SSH connection is established, the answers from the remote machine are still very slow. For example, I hit "l" (list dir) which is echoed immediately back to me. But the list itself takes about 10 seconds to emerge.
>
> hmmmmm...any thoughts on this?
Thanks to all!

- Although I don't understand why this solution affects my SSH-connection once it's established..it works perfectly fine.

I took my outgoing IP and entered it into the /etc/hosts file of the remote host; like this:

    123.123.123.123 just_a_name

--
Best regards
Verner Kjærsgaard
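
The diagnosis reached in this thread (a reverse-lookup timeout on the remote server, cured by an /etc/hosts entry) can be checked from the server's own shell. The script below is an added example, not part of any list member's post: it times the lookup of a client address through `getent hosts` (the system resolver path, in the order set by /etc/nsswitch.conf), looks for a matching /etc/hosts entry, and prints sshd's effective `UseDNS` value, the sshd_config option that decides whether sshd resolves the client's name. The function names and the 2-second threshold are assumptions made for the example.

```shell
#!/bin/sh
# Added example: run on the SSH *server*, passing the client's IP address.

# Whole seconds the server's resolver needs to map a client IP to a name.
# Second resolution is enough: the stalls in this thread were ~10 s.
reverse_lookup_seconds() {
    rl_start=$(date +%s)
    getent hosts "$1" >/dev/null 2>&1   # a failed lookup is fine, we only time it
    rl_end=$(date +%s)
    echo $((rl_end - rl_start))
}

# Prints "slow" when a lookup took at least $2 seconds (default 2), else "ok".
classify_delay() {
    if [ "$1" -ge "${2:-2}" ]; then echo slow; else echo ok; fi
}

# Succeeds when hosts file $2 (default /etc/hosts) has a live, non-comment
# entry "address name" for address $1.
hosts_has_entry() {
    awk -v ip="$1" '
        { sub(/#.*/, "") }                  # drop comments
        $1 == ip && NF >= 2 { found = 1 }   # address plus at least one name
        END { exit !found }
    ' "${2:-/etc/hosts}"
}

# Effective UseDNS value from sshd's extended test mode (usually needs root).
sshd_usedns() {
    sshd -T 2>/dev/null | awk '$1 == "usedns" { print $2 }'
}

check_client() {
    cc_secs=$(reverse_lookup_seconds "$1")
    echo "reverse lookup of $1: ${cc_secs}s ($(classify_delay "$cc_secs"))"
    if hosts_has_entry "$1"; then
        echo "/etc/hosts: entry present for $1"
    else
        echo "/etc/hosts: no entry for $1"
    fi
    cc_dns=$(sshd_usedns)
    echo "sshd UseDNS: ${cc_dns:-unknown (run as root)}"
}

# Usage: sh check-rdns.sh 123.123.123.123
if [ "$#" -gt 0 ]; then check_client "$1"; fi
```

A "slow" result with no /etc/hosts entry matches the symptom described above; the lookup should report "ok" once the entry is added or the server's DNS resolver is fixed.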
participants (7)
- Bob Williams
- Carlos E. R.
- David C. Rankin
- Matthias Bach
- Petr Uzel
- Sandy Drobic
- Verner Kjærsgaard