Why Am I Seeing Login Errors of Code: C_515 When I Use a Web Browser for Resource O&M?
Symptoms
When a user attempts to log in to a Linux or Windows host using a web browser, a login error (Code: C_515) is reported, indicating that an error occurs and the user can try again or contact the administrator.
Possible Causes
- Cause 1: The number of incorrect password attempts exceeds the upper limit for Linux hosts. As a result, the CBH IP address is added to the /etc/hosts.deny file.
- Cause 2: Host Security Service (HSS) is enabled on the Linux host. After multiple login attempts with incorrect passwords, the internal IP address of CBH is added to the /etc/sshd.deny.hostguard file by HSS.
- Cause 3: CBH does not support the SSH algorithms used by host OSs. (Only for CBH earlier than V3.3.38.0)
- Cause 4: The firewall is enabled on the Windows host. So the network between the bastion host and the host cannot be connected.
Removing Restriction from /etc/hosts.deny
- Log in to the Linux Server as an administrator.
- Run the following command to view the /var/log/secure log and check whether the host rejects the IP address of the CBH instance:
cat /var/log/secure
- Run the following command to edit the /etc/hosts.deny file and delete the IP address of the CBH instance from the file:
vim /etc/hosts.deny
- (Optional) Whitelist the CBH IP address.
To use the CBH instance properly, run the following command to edit the /etc/hosts.allow file on the Linux host and allow all CBH IP addresses to log in to the host:
vim /etc/hosts.allow
Removing IP Address Restrictions from HSS
- View the /etc/sshd.deny.hostguard file.
- Log in to the Linux Server as an administrator.
- Run the following command to query the /etc/sshd.deny.hostguard file:
cat /etc/sshd.deny.hostguard
- Run the following command to open the /etc/sshd.deny.hostguard file:
vim /etc/sshd.deny.hostguard
- Check whether the /etc/sshd.deny.hostguard file contains the CBH internal IP address.
- On the HSS management console, remove the IP address restriction.
- Log in to the HSS console.
- Log in to the HSS console.
- Choose Intrusions > Events.
- In the Alarm Statistics area, click Blocked IP Addresses.
- Locate and select the row that contains the CBH internal IP address, and click Unblock above the upper left corner of the list.
- (Optional) Whitelist the CBH IP address.
On the HSS console, whitelist the CBH IP address on the Linux server.

Using CBH to manage passwords of host accounts and periodically synchronize accounts can prevent the CBH IP address from being blacklisted caused by entering incorrect passwords or using of unsynchronized zombie accounts.
Removing SSH Algorithm Restrictions
- Check the server configuration file /etc/ssh/sshd_config.
- Log in to the Linux Server as an administrator.
- Run the following command to query the /etc/ssh/sshd_config file:
1
cat /etc/ssh/sshd_config
- Run the following command to open the /etc/ssh/sshd_config file:
1
vim /etc/ssh/sshd_config
- Add the following algorithm parameters to the end of the HostKeyAlgorithms line:
rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519,ssh-rsa,ssh-dss
If the HostKeyAlgorithms line cannot be found in the queried file, the parameter may be missing. In this case, add the following parameters and algorithms under the Ciphers and keying line:
HostKeyAlgorithms rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519,ssh-rsa,ssh-dss
To add other algorithms, see Using an SSH Client to Log In to Resources for O&M.
- After the algorithm is added, run the following command to check all supported algorithms and ensure that the algorithm to be modified or added exists:
1
sshd -T | grep pubkey
- If Nmap is installed on the server, you can also run the following command to query the information:
1
nmap --script ssh2-enum-algos -sV -p 22 Server IP address
If the key exchange algorithm does not match in Nmap mode, modify the server configuration temporarily.- Run the following command to open the /etc/ssh/sshd_config file:
1
vim /etc/ssh/sshd_config
- Run the following commands to add parameters and algorithms:
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256
If the KexAlgorithms parameter already exists, add an algorithm.
- After the configuration, run the following command to restart the sshd service on the server:
1
systemctl restart sshd
- Run the following command to open the /etc/ssh/sshd_config file:
- If Nmap is installed on the server, you can also run the following command to query the information:
- Run the following command to restart the SSH service:
1
systemctl restart sshd
Whitelisting the IP Address of the Bastion Host
For Windows server login failure caused by firewall settings, whitelist the IP address of the bastion host on the firewall.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot