You don't indicate the type of system you are using to login from. If it is a system using the ssh command, then the following should provide useful information. On the few Windows machines here, cygwin is installed so they can be administered using linux commands ***

# ssh -l root -vvv your.clearos.ip

You should also be able to log in from the clearos console, stop sshd using systemctl, then start sshd manually using multiple -d options to get debug output on the console...

All of the ssh problems here have been resolved after a resolution of any of the following issues...

1) Incorrect permissions for the ~/.ssh directory or contents
2) Inappropriate options in the /etc/ssh/sshd_config file
3) Forgetting to give the user a shell using the Shell Extension app in Webconfig

Note also that the use of DSA keys in rhel/centos/clearos 7.x openssh is deprecated, so if you need to use them, then options are required to be added to either or both ssh/sshd config files...

*** this is extremely useful when the the windows graphics screen locks up ignoring mouse and keyboard input - mostly windows is still running, so you can login using ssh and then shutdown the system gracefully using "shutdown -h now" or reboot using "shutdown -r now", rather than holding down the power-on button...

I have no idea on this one. You can google around. I tried looking for "ssh closes on login" and found posts like this - but don't go changing things like PAM settings. In order to get access to your system you may need to boot into recovery mode. The documentation is incomplete for v7 here and is better for v6 here. Alternatively you can boot from any live CD (I use Porteus but it is a slightly strange distro).

Form those links I'd look for /bin/false or /sbin/nologin in the /etc/passwd file for root.

As you have webconfig access, are you able to install the Shell Extension app and give a user SSH access? I suspect, even if you can, the usser won't get su or sudo access.

[edit]
Note, if you use a recovery disk or live cd/usb, the files you need to check are not the actual /etc/passwd or whatever files. Those are form the sustem you booted from. You need to navigate to where your recovery system has mounted your ClearOS disk.
[/edit]

btw, I called to HPE and they said me to ask on this forum and try the "Clearing the BIOS settings by using the CMOS header" i did with the jumper and the login continue on the same situation

Hi Nick,

it is not a password issue, because if it was that way I can not access to the webconfig

I did the ssh login yesterday and get this from the logs

Secure

Nov 8 14:09:52 server sshd[12498]: Accepted password for root from 192.168.1.51 port 50267 ssh2
Nov 8 14:09:52 server sshd[12498]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 8 14:09:52 server sshd[12498]: pam_unix(sshd:session): session closed for user root

Message

Nov 8 14:09:52 server systemd: Created slice User Slice of root.
Nov 8 14:09:52 server systemd: Starting User Slice of root.
Nov 8 14:09:52 server systemd-logind: New session 211 of user root.
Nov 8 14:09:52 server systemd: Started Session 211 of user root.
Nov 8 14:09:52 server systemd: Starting Session 211 of user root.
Nov 8 14:09:52 server systemd-logind: Removed session 211.
Nov 8 14:09:52 server systemd: Removed slice User Slice of root.
Nov 8 14:09:52 server systemd: Stopping User Slice of root.

Those are from the exact moment I logged in and the server kick me out

At the system log there is nothing on the time

Thanks for your help

It has been pointed out to me that accessing ClearOS directly from the console does not use ssh, so it is more likely to be a password issue.

Is this machine on your LAN? I would hope so with no firewall. If it is, please can you remove port forwarding of ssh to it to at least stop others from trying to access it.

What I was hoping you would do is try to ssh into it then capture what happened in your logs.

Hi Nick

First of all, thank you so much to taking time helping me

As I said, I have access to the webconfig, so I did what you indicated me (I am including the SSH, Firewall, and Network configuration)

I did the looking for the message, system and secure (by the way it begins to fail on November 4) so I found on messages log this:

Nov 4 12:27:11 server systemd: sshd.service: main process exited, code=killed, status=9/KILL
Nov 4 12:27:11 server systemd: Unit sshd.service entered failed state.
Nov 4 12:27:11 server systemd: sshd.service failed.
Nov 4 12:27:53 server systemd: sshd.service holdoff time over, scheduling restart.
Nov 4 18:21:45 server webconfig: Redirecting to /bin/systemctl stop sshd.service
Nov 4 18:21:55 server webconfig: Redirecting to /bin/systemctl start sshd.service

at the secure I found repeated message like this:

Nov 4 21:48:09 server sshd[19303]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Nov 4 21:48:11 server sshd[19303]: Failed password for root from 68.183.125.253 port 55672 ssh2
Nov 4 21:48:11 server sshd[19303]: Received disconnect from 68.183.125.253 port 55672:11: Bye Bye [preauth]
Nov 4 21:48:11 server sshd[19303]: Disconnected from 68.183.125.253 port 55672 [preauth]
Nov 4 21:48:12 server sshd[19305]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=68.183.125.253 user=root

but like you can see this IP is not from my location, these are attempts to access the server

Is there something else I can do?

Thank you again

Can you navigate to Webconfig > Network > Infrastructure > SSH Server and check it is running and make a screendump of the settings.

Then install the Log Viewer from the Marketplace, if you don't have it, and try to connect to ssh then have a look at your logs through Webconfig > Reports > Performance and Resources > Log Viewer and look in the secure log. Filter for ssh.

You can try all the principal logs (messages, secure and system) and filter by time by putting something like:

Nov  7 12:3

in the filter. You need to type it in rather than copy from the screen which removes spaces. In the date there are 2 spaces between the v and 7. Look for any obvious errors and authentication rejections. You can also use the search feature but you'll have to play with it. You'd need to quote the date search.

Especially once filtered by date and a bit of time (perhaps just the hour), you can then export the results of the query and use a text editor (e.g.Notepad++) to look at the logs in slow time.

Yes I have access to the webconfig, it is the only thing i can access, that is why I know that I am getting logging in and logging out, becuase the reports. And, 'no' ... I didnt disable root logins in the webconfig. So I am really worried, cause without access to the console (SSH or directly) I cant do anything. I even try to get a backup of older configuration, but it didnt work either.

If it actually logs you in and then back out I don't know what to do as you may have a failing process but can't get to it. Did you disable root logins in the webconfig? Do you have access to the webconfig?

Hi my friend,

Thank you for your help, I tried what you said
- I get the interface : enp2s0f0
- Exit to the text console
- press Alt + F2 and get the request the user and password
- and the problem again, as soon as I put the root and the password correct the system login me and logged me out again
So, I am in the same situation

Please do you have any other suggestion, I am losing my mind with this

Thanks

Opening SSH to the internet will get lots of hostile login attempts. Even changing ports does not totally help. If you require external access, longer term I suggest you use OpenVPN to connect to the server then you can SSH to the server as if you are on your LAN.

How did you close the ports? Through the webconfig? Does your Webconfig still work? Can you get to the console? From the console you can get to a command line but mine is broken for the moment. If you have the graphical console note the name of your LAN interface - probably enp2s0f0 of enp2s0f1. Then exit to a text console then you get an option to go alt+f2 for a shell terminal. At the command line, can you then type:

iptables -I INPUT -s your_LAN_interface -j ACCEPT

This will insert a temporary firewall rule. If you play with the firewall in the Webconfig you will lose this rule and have to reapply it.

Then see if you can get into PuTTY. If you can, please give the output to:

iptables -nvL

[edit]
As a thought, if you are using the Attack Detector, you could have locked out your IP by incorrect passwords. You can test that by trying to log on from another PC. If it is the Attack Detector the ban will be lifted in 24H, and you may want to consider whitelisting your LAN (see its documentation).
[/edit]