ECS:由于节点上的 SSH 速率限制器,节点锁定失败

Summary: 升级到 ECS 4.0 后,如果节点上激活了 SSH 速率限制器,则锁定节点的尝试可能会失败。这会导致节点状态在 ECS Web UI 中显示为“未知”或“已锁定”,而 SSH 访问仍然可用。应用与 SLES15 不兼容的 SSH 速率限制器的 STIG 规则会导致此问题。

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Symptoms

升级到 ECS 4.0 后观察到问题。

节点状态在 ECS Web UI 中显示为“未知”或“已锁定”。

CLI 锁定命令无法运行。

尽管尝试锁定,但对节点的 SSH 访问仍然可用。

节点状态在 ECS Web UI 中显示为“未知”或“已锁定”  

Cause

存在使用 STIG 规则 (SLES-12-030040) 应用的 SSH 速率限制器会导致此问题。此规则与 SLES15 不兼容,一旦应用,将无法使用 SLES12 STIG 框架进行恢复。

以下命令显示有关作系统的信息:

admin@node1:~> cat /etc/os-release
NAME="SLES"
VERSION="15-SP4"
VERSION_ID="15.4"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP4"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp4"
DOCUMENTATION_URL="https://documentation.suse.com/"

Resolution

要解决此问题,请从受影响的一个或多个节点中删除 SSH 速率限制器:

  1. 检查 SSH 速率限制器: 
admin@node1:~> sudo iptables -L | grep limit  | grep ssh
LOG        tcp  --  anywhere             anywhere             limit: avg 3/min burst 5 tcp dpt:ssh ctstate NEW recent: CHECK seconds: 60 hit_count: 3 name: ssh side: source mask: 255.255.255.255 LOG level warning tcp-options ip-options prefix "SFW2-INext-DROPr "
  1. 恢复 STIG 规则:
admin@node1:~> cd /opt/emc/security/hardening/root/sbin; sudo ./revert-harden -i SLES-12-030040
Changes reverted: FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
Changes reverted: TCP="ssh"
Restarting SuSEfirewall2.service ...
SuSEfirewall2.service restarted successfully.
Reverted STIG ID: SLES-12-030040 on /etc/sysconfig/SuSEfirewall2.d/services/sshd successfully
  1. 验证更改:
admin@node1:/opt/emc/security/hardening/root/sbin> sudo iptables -L | grep limit  | grep ssh
  1. 使用 WEB UI 或 CLI 锁定节点:
admin@node1:~> sudo -i lockdown set lock
[lockdown] :Info: Suspend fabric agent firewall check
INFO: Parsing /opt/emc/nile/etc/conf/nan/emc-firewall-cfg
dev_ext: public - dev_int: private private.4 pslave-0 pslave-1
INFO: Updating /etc/sysconfig/SuSEfirewall2.d/services/emc-ecs-custom
INFO: Updating /etc/sysconfig/SuSEfirewall2
<38>Jun 25 10:34:47 SuSEfirewall2[32514]: Firewall rules unloaded.
<38>Jun 25 10:34:47 SuSEfirewall2[32594]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
<38>Jun 25 10:34:47 SuSEfirewall2[32594]: using default zone 'ext' for interface docker0
<38>Jun 25 10:34:47 SuSEfirewall2[32594]: using default zone 'ext' for interface public_mgmt
<38>Jun 25 10:34:47 SuSEfirewall2[32594]: using default zone 'ext' for interface slave_0
<38>Jun 25 10:34:47 SuSEfirewall2[32594]: using default zone 'ext' for interface slave_1
<38>Jun 25 10:34:47 SuSEfirewall2[32594]: Firewall custom rules loaded from /opt/emc/nile/etc/conf/nan/nan_pbr_rules
<38>Jun 25 10:34:48 SuSEfirewall2[32594]: /proc/sys/net/ipv4/conf/all/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:48 SuSEfirewall2[32594]: /proc/sys/net/ipv4/conf/default/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:48 SuSEfirewall2[32594]: /proc/sys/net/ipv4/conf/docker0/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:48 SuSEfirewall2[32594]: /proc/sys/net/ipv4/conf/lo/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:48 SuSEfirewall2[32594]: /proc/sys/net/ipv4/conf/private/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:48 SuSEfirewall2[32594]: /proc/sys/net/ipv4/conf/pslave-0/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:48 SuSEfirewall2[32594]: /proc/sys/net/ipv4/conf/pslave-1/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:48 SuSEfirewall2[32594]: /proc/sys/net/ipv4/conf/public/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:48 SuSEfirewall2[32594]: /proc/sys/net/ipv4/conf/slave-0/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:49 SuSEfirewall2[32594]: /proc/sys/net/ipv4/conf/slave-1/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:49 SuSEfirewall2[32594]: Firewall rules successfully set
INFO: Updating /etc/sysconfig/SuSEfirewall2
<38>Jun 25 10:34:57 SuSEfirewall2[35003]: Firewall rules unloaded.
<38>Jun 25 10:34:57 SuSEfirewall2[35084]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
<38>Jun 25 10:34:57 SuSEfirewall2[35084]: using default zone 'ext' for interface docker0
<38>Jun 25 10:34:57 SuSEfirewall2[35084]: using default zone 'ext' for interface public_mgmt
<38>Jun 25 10:34:57 SuSEfirewall2[35084]: using default zone 'ext' for interface slave_0
<38>Jun 25 10:34:57 SuSEfirewall2[35084]: using default zone 'ext' for interface slave_1
<38>Jun 25 10:34:57 SuSEfirewall2[35084]: Firewall custom rules loaded from /opt/emc/nile/etc/conf/nan/nan_pbr_rules
<38>Jun 25 10:34:57 SuSEfirewall2[35084]: /proc/sys/net/ipv4/conf/all/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:57 SuSEfirewall2[35084]: /proc/sys/net/ipv4/conf/default/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:57 SuSEfirewall2[35084]: /proc/sys/net/ipv4/conf/docker0/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:57 SuSEfirewall2[35084]: /proc/sys/net/ipv4/conf/lo/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:57 SuSEfirewall2[35084]: /proc/sys/net/ipv4/conf/private/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:58 SuSEfirewall2[35084]: /proc/sys/net/ipv4/conf/pslave-0/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:58 SuSEfirewall2[35084]: /proc/sys/net/ipv4/conf/pslave-1/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:58 SuSEfirewall2[35084]: /proc/sys/net/ipv4/conf/public/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:58 SuSEfirewall2[35084]: /proc/sys/net/ipv4/conf/slave-0/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:58 SuSEfirewall2[35084]: /proc/sys/net/ipv4/conf/slave-1/rp_filter override in /etc/sysctl.d/70-nan-performance.conf, not setting it
<38>Jun 25 10:34:59 SuSEfirewall2[35084]: Firewall rules successfully set
locked
[lockdown] :Info: Resume fabric agent firewall check

Additional Information

此解决方法仅适用于运行 SLES15 且之前应用了 SLES12 STIG 框架的节点。在应用或恢复 STIG 规则之前,请确保兼容性。

Affected Products

ECS Appliance Gen 3, ECS Appliance Hardware Gen3 EX500, ECS Appliance Hardware Series

Products

ECS, ObjectScale, ECS Appliance Hardware Gen3 EX5000, ECS Appliance, ECS Appliance Hardware Gen3 EX300, ECS Appliance Hardware Gen3 EX3000, ECS Appliance Hardware Gen3 EXF900, ECS Appliance Software with Encryption , ECS Appliance Software without Encryption ...
Article Properties
Article Number: 000337531
Article Type: Solution
Last Modified: 24 Sept 2025
Version:  2
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.