QRadar: Troubleshooting SSH when connections cannot be established

Created by Curt Wolfson on Fri, 07/26/2019 - 13:54
Published URL:
https://www.ibm.com/support/pages/node/960868

Troubleshooting


Problem

If you cannot SSH from the Console to a managed host, the cause is often an SSH key that is missing, mismatched or corrupted, or incorrect permissions on the /root/.ssh/ directory. This article describes how to diagnose and resolve these types of issues.

Resolving The Problem

If you cannot SSH from the Console, the following examples give administrators an overview of what can prevent an SSH connection in QRadar, with potential solutions for each case.

Review the permissions within the SSH directory (Console & managed hosts)

Permissions in the /root/.ssh/ directory must be 700 (rwx------) and the files within the directory must be 600 (rw-------). The ssh client refuses to use a private key that other users can read, and sshd (with its default StrictModes setting) ignores an authorized_keys file, or an .ssh directory, that other users can write to. Run the following steps to review your permissions:
  1. Use SSH to log in to the QRadar Console as the root user.
  2. Check the permissions of the /root/.ssh/ directory by using the ls command:
    ls -lah /root/.ssh/
    Output example:
    total 24
    drwx------ 2 root root 4096 May 2 18:35 .
    dr-xr-x---. 4 root root 4096 May 2 18:38 ..
    -rw------- 1 root nobody 426 May 2 18:35 authorized_keys
    -rw------- 1 root nobody 1675 May 2 18:25 id_rsa
    -rw------- 1 root nobody 406 May 2 18:25 id_rsa.pub
    -rw------- 1 root root 788 May 2 18:25 known_hosts
    Result
    Administrator reviewed the permissions for the SSH directory and files. If the permissions are not correct, follow the steps in the Solution section.
Solution
If permissions are not correct, administrators need to assign the correct permissions by running the following steps:
  1. Use SSH to log in to the QRadar Console as the root user.
  2. Assign the correct permissions for the /root/.ssh/ directory:
    chmod 700 /root/.ssh
  3. Assign the correct permissions for the files in the /root/.ssh/ directory:
    chmod 600 /root/.ssh/*
    Result
    Administrator assigned the correct permissions for the SSH files and directory.
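The review and fix steps above, combined into one script that can be run on a scratch directory first. This is an added example, not part of the IBM article and not QRadar tooling; it assumes GNU stat (stat -c), as on the RHEL base QRadar uses, and the demo creates empty, constructed key files in a temporary directory so nothing under /root/.ssh is touched unless you pass that path yourself.

```sh
#!/bin/sh
# Audit and repair the modes of an SSH directory the way the steps above
# describe: the directory must be 700 and every regular file in it 600.
# Assumes GNU stat (stat -c '%a' prints the octal mode).

# check_ssh_perms [DIR]
#   Prints one OK/BAD line per entry. Returns 0 when every mode is correct,
#   1 when at least one is wrong, 2 when DIR does not exist.
check_ssh_perms() {
  dir="${1:-/root/.ssh}"
  rc=0
  [ -d "$dir" ] || { echo "missing directory: $dir"; return 2; }
  mode=$(stat -c '%a' "$dir")
  if [ "$mode" = "700" ]; then
    echo "OK   $dir ($mode)"
  else
    echo "BAD  $dir is $mode, expected 700"; rc=1
  fi
  for f in "$dir"/*; do
    [ -f "$f" ] || continue          # the glob stays literal in an empty dir
    mode=$(stat -c '%a' "$f")
    if [ "$mode" = "600" ]; then
      echo "OK   $f ($mode)"
    else
      echo "BAD  $f is $mode, expected 600"; rc=1
    fi
  done
  return $rc
}

# fix_ssh_perms [DIR]
#   The same chmod 700 / chmod 600 as the Solution section, applied one file
#   at a time so that an empty directory does not make chmod fail on "*".
fix_ssh_perms() {
  dir="${1:-/root/.ssh}"
  chmod 700 "$dir" || return 1
  for f in "$dir"/*; do
    [ -f "$f" ] && chmod 600 "$f"
  done
  return 0
}

# demo_ssh_perms
#   Builds a scratch directory with constructed (empty) key files that have
#   the wrong modes, shows the audit before and after the fix, and cleans up.
demo_ssh_perms() {
  tmp=$(mktemp -d) || return 1
  touch "$tmp/authorized_keys" "$tmp/id_rsa" "$tmp/id_rsa.pub" "$tmp/known_hosts"
  chmod 755 "$tmp"
  chmod 644 "$tmp/id_rsa.pub" "$tmp/authorized_keys"
  echo "--- before"; check_ssh_perms "$tmp"
  fix_ssh_perms "$tmp"
  echo "--- after";  check_ssh_perms "$tmp"; status=$?
  rm -rf "$tmp"
  return $status
}

if [ "${1:-}" = "--demo" ]; then demo_ssh_perms; fi
```

Run it as `sh script.sh --demo` to see the scratch run, or source it and call `check_ssh_perms /root/.ssh` on the Console and on each managed host; run `fix_ssh_perms` only where the audit reports BAD lines. The audit does not check ownership, which also matters to sshd: the directory and authorized_keys must belong to root (or the user logging in), so compare the owner column of `ls -lah` as the steps above show.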

Verify that the console's public key is present on the managed host

If the console's public key (/root/.ssh/id_rsa.pub) is not in the managed host's /root/.ssh/authorized_keys, the SSH session prompts for a password. The password prompt prevents the SSH tunnels from initiating and causes service connection issues in the deployment.

Run the following steps to determine whether a password is required:
  1. Use SSH to log in to the QRadar Console as the root user.
  2. Try to connect to a managed host by using SSH:
    ssh <remote_host>
    Output example:
    root@<remote_host>'s password:
    Result
Administrator confirmed that a password is required to establish a connection with a managed host.
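A password prompt only tells you that no key was accepted; it does not tell you whether the console key is absent from authorized_keys or merely listed with a different comment or an options prefix. The check below compares key material only. It is an added example, not part of the IBM article or of QRadar; the key strings it uses are constructed placeholders, not real keys, and it expects the managed host's authorized_keys to have been copied to the Console (for example with scp) so the comparison runs locally.

```sh
#!/bin/sh
# Check whether the key material of a public key file (the console's
# /root/.ssh/id_rsa.pub) is present in an authorized_keys file. Only the key
# type and base64 blob are compared: the comment column is free text and is
# often different on the two hosts, and an entry may start with options such
# as from="10.0.0.1" before the key type.

# key_authorized PUBKEY_FILE AUTHORIZED_KEYS_FILE
#   Returns 0 when the key is listed, 1 when it is not, 2 when PUBKEY_FILE
#   does not start with "<type> <blob>".
key_authorized() {
  pub="$1"; auth="$2"
  want=$(awk 'NR == 1 && NF >= 2 { print $1, $2 }' "$pub")
  [ -n "$want" ] || return 2
  awk -v want="$want" '
    /^[[:space:]]*(#|$)/ { next }             # comments and blank lines
    {
      # Skip any leading options and locate the key-type field.
      for (i = 1; i < NF; i++) {
        if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
          if ($i " " $(i + 1) == want) found = 1
          break
        }
      }
    }
    END { exit found ? 0 : 1 }' "$auth"
}

# demo_key_authorized
#   Constructed sample: the console key appears on the managed host with an
#   options prefix and a different comment, so a plain grep for the whole
#   line of id_rsa.pub would miss it.
demo_key_authorized() {
  tmp=$(mktemp -d) || return 1
  echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconsolekeyEXAMPLE root@console' > "$tmp/id_rsa.pub"
  cat > "$tmp/authorized_keys" <<'EOF'
# constructed sample authorized_keys copied from a managed host (not real keys)
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCotherhostEXAMPLE root@otherhost
from="10.0.0.1" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconsolekeyEXAMPLE qradar-console
EOF
  if key_authorized "$tmp/id_rsa.pub" "$tmp/authorized_keys"; then
    echo "console key is authorized on the managed host"
  else
    echo "console key is NOT authorized: expect a password prompt"
  fi
  rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo_key_authorized; fi
```

When the function reports that the key is absent, adding it to the managed host's authorized_keys is the fix; when it reports the key as present but ssh still prompts for a password, look at the permissions and ownership checks in the previous section, and at sshd's log on the managed host, before touching the key files.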

Solution

Add the console's public key (the contents of /root/.ssh/id_rsa.pub on the Console) to /root/.ssh/authorized_keys on the managed host, confirm that the directory and file permissions match the requirements in the previous section, then retry the ssh command. A working key no longer prompts for a password.

Validate that the remote host's public host key exists in the console's known_hosts file

If the remote host's public host key is not stored in the console's /root/.ssh/known_hosts file, the SSH connection fails, because QRadar configures the ssh client with strict host key checking (StrictHostKeyChecking) and unknown hosts are never added automatically.
 
Run the following steps to confirm that the remote host's public key is not stored in the console's known_hosts file:
  1. Use SSH to log in to the QRadar Console as the root user.
  2. Try to connect to a managed host by using SSH:
    ssh <remote_host>
    Output example:
    ERROR: No ECDSA host key is known for <Remote Host IP> and you have requested strict checking.
    ERROR: Host key verification failed.
    Result
    Administrator confirmed that the connection is not established because of the missing key.

Solution

Add the managed host's public host key to /root/.ssh/known_hosts on the Console. Take the key from the managed host itself (for example, from its /etc/ssh/ssh_host_ecdsa_key.pub file) rather than accepting whatever the network path returns, then retry the ssh command.

Validate whether the remote host's public host key differs from the one stored in the console's known_hosts file

If the remote host's public host key differs from the one stored in the console's /root/.ssh/known_hosts file, the ssh client refuses the connection as a security measure: a changed host key is what a man-in-the-middle attack looks like, although a rebuilt or reinstalled managed host produces the same warning.
Run the following steps to confirm that the remote host's public host key differs from the one stored in the console's known_hosts file:
  1. Use SSH to log in to the QRadar Console as the root user.
  2. Try to connect to a managed host by using SSH:
    ssh <remote_host>
    Output example:
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that a host key has just been changed.
    The fingerprint for the ECDSA key sent by the remote host is
    SHA256:JwHDVTX+Sl0K3+WDY3rOm5E5ww/TIlQnz1v7r9EUC8w.
    Please contact your system administrator.
    Add correct host key in /root/.ssh/known_hosts to get rid of this message.
    Offending ECDSA key in /root/.ssh/known_hosts:X
    ECDSA host key for X.X.X.X has changed and you have requested strict checking.
    Host key verification failed.
    Result
Administrator confirmed that the connection is not established because of a host key mismatch.
Solution
Follow the steps in QRadar: SSH fails with error "Offending ECDSA key in /root/.ssh/known_hosts:". Before you replace the stored entry, confirm with the managed host's administrator that its host key legitimately changed (for example, because the host was rebuilt or reinstalled); if it did not, treat the warning as a possible man-in-the-middle attack and investigate before you reconnect.
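The two known_hosts cases above (no entry for the host, and an entry on line X that holds a different key) can be told apart offline by looking the host up in a copy of the console's known_hosts and comparing the stored key with the key the managed host presents now. The script below does that; it is an added example, not part of the IBM article or of QRadar, and the known_hosts contents and key blobs it uses are constructed placeholders, not real keys. It handles plain host entries only; hashed entries (lines starting with "|1|") need `ssh-keygen -F <host> -f <file>`, which is the standard tool for this lookup.

```sh
#!/bin/sh
# Locate a managed host's entry in a known_hosts file and compare the stored
# key with the key the host presents now, to distinguish:
#   missing   - no entry for the host and key type (strict checking refuses
#               to connect: "No ECDSA host key is known for ...")
#   match     - the stored key equals the presented key
#   changed:N - line N holds a different key ("Offending ECDSA key in
#               /root/.ssh/known_hosts:N")

# known_host_line HOST FILE KEYTYPE
#   Prints "LINE KEYTYPE BLOB" for the first entry whose host list contains
#   HOST (or [HOST]:22) with the given key type. Returns 1 when there is none.
known_host_line() {
  awk -v host="$1" -v keytype="$3" '
    /^[[:space:]]*(#|$)/ { next }            # comments, blank lines
    substr($1, 1, 1) == "@" { next }         # @cert-authority / @revoked markers
    substr($1, 1, 3) == "|1|" { next }       # hashed host name, not handled here
    NF >= 3 && $2 == keytype {
      n = split($1, hosts, ",")
      for (i = 1; i <= n; i++) {
        if (hosts[i] == host || hosts[i] == "[" host "]:22") {
          print NR, $2, $3; found = 1; exit
        }
      }
    }
    END { exit found ? 0 : 1 }' "$2"
}

# host_key_status HOST FILE KEYTYPE BLOB
#   KEYTYPE and BLOB are what the host presents now: the first two columns of
#   its /etc/ssh/ssh_host_ecdsa_key.pub, or columns 2 and 3 of
#   `ssh-keyscan -t ecdsa HOST`. Prints missing / match / changed:N and
#   returns 1 / 0 / 2 respectively.
host_key_status() {
  entry=$(known_host_line "$1" "$2" "$3") || { echo missing; return 1; }
  line=${entry%% *}
  stored_blob=${entry##* }
  if [ "$stored_blob" = "$4" ]; then
    echo match; return 0
  fi
  echo "changed:$line"; return 2
}

# write_sample_known_hosts FILE
#   Writes a constructed known_hosts file; the blobs are placeholders, not keys.
write_sample_known_hosts() {
  cat > "$1" <<'EOF'
# constructed sample of the console's /root/.ssh/known_hosts (not real keys)
10.0.0.4 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEXAMPLEKEY04
10.0.0.5,ep1.example.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEXAMPLEKEY05
10.0.0.5,ep1.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCEXAMPLERSAKEY05
EOF
}

# demo_host_keys
#   Runs the three cases against the constructed file: same key, a rebuilt
#   host presenting a new key, and a host that was never recorded.
demo_host_keys() {
  tmp=$(mktemp -d) || return 1
  write_sample_known_hosts "$tmp/known_hosts"
  host_key_status 10.0.0.5 "$tmp/known_hosts" ecdsa-sha2-nistp256 \
    AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEXAMPLEKEY05 || true
  host_key_status 10.0.0.5 "$tmp/known_hosts" ecdsa-sha2-nistp256 \
    AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBREBUILTKEY05 || true
  host_key_status 10.0.0.6 "$tmp/known_hosts" ecdsa-sha2-nistp256 AAAAnone || true
  rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo_host_keys; fi
```

The line number in `changed:N` is the same N the ssh client prints after "Offending ECDSA key in /root/.ssh/known_hosts:". Only after the presented key has been confirmed on the managed host itself should the stale entry be removed, for example with `ssh-keygen -R <host> -f /root/.ssh/known_hosts`, which removes every entry for that host; a `changed` result for a host that was not rebuilt or reinstalled is the case the warning text on this page describes and should be investigated, not silenced.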
 


Document Information

Modified date:
25 October 2023

UID

ibm10960868