From: "illoai@gmail.com"
To: Scott Ballantyne
Cc: freebsd-questions@freebsd.org
Date: Sat, 9 Apr 2011 16:48:19 -0400
Subject: Re: SSHD Strangeness

On 9 April 2011 13:22, Scott Ballantyne wrote:
>
>>On Fri, Apr 8, 2011 at 5:15 PM, illoai@gmail.com wrote:
>>>On 8 April 2011 15:22, Scott Ballantyne wrote:
>>> I've never seen this before, but when ssh'ing to my server today, I
>>> got:
>>>
>>> ssh_exchange_identification: Connection closed
>>    Was this multiple log-in failures receiving the same
>>    error message?
>>
>>    & is this log-in happening across the internet or is
>>    this on your local network?
>
> Not sure what you mean by 'multiple log-in failures'. I tried many
> times, each with the same result, if that's what you are asking.
>
> It was happening across the internet and also locally. When I logged
> into the server with my vendor's KVM tool, I tried ssh'ing from the
> server to the server, and got the same message.
>
> I thought there might have been a break-in, but who and 'w' didn't
> show anyone logged in that shouldn't have been there. I killed all the
> sshd processes and restarted it, that didn't help.
>
> ps -auxww did show a few, not many, sshd's in various states of
> connectedness. I'm wondering if this is some kind of denial-of-service
> attack opportunity. That's the only thing I can think of at the moment.

I guess if the login name you are using is fairly obvious
the script kiddies may be triggering the limit of
MaxAuthTries.

I grokn't C, but your error is coming from
http://svn.freebsd.org/viewvc/base/stable/8/crypto/openssh/sshconnect.c?revision=206984&view=markup
( http://is.gd/UGXcP0 )

HTH
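The guess in the reply above can be checked against the server's auth log. The following is an added example, not part of the original thread: it tallies sshd "Failed ... for ... from ..." lines per source address, per login name and per sshd pid (one child process per connection). The log lines, host name and addresses are constructed, and the default limit of 6 is an assumption that sshd_config has not changed MaxAuthTries.

```python
import re
from collections import Counter

# sshd logs: "Failed <method> for [invalid user ]<name> from <addr> port <n> ssh2"
FAILED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed \S+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def tally_failures(lines):
    """Count failed authentications per source, per login name and per sshd pid."""
    by_src, by_user, by_pid = Counter(), Counter(), Counter()
    for line in lines:
        m = FAILED.search(line)
        if m:
            by_src[m["src"]] += 1
            by_user[m["user"]] += 1
            by_pid[m["pid"]] += 1
    return by_src, by_user, by_pid

def connections_at_limit(by_pid, max_auth_tries=6):
    """Pids (one per connection) whose failure count reached the limit.

    6 is OpenSSH's default MaxAuthTries; pass the configured value if it differs.
    Pid reuse over a long log makes this an approximation.
    """
    return sorted(pid for pid, n in by_pid.items() if n >= max_auth_tries)

def sample_log():
    """Constructed auth.log lines (documentation addresses, hypothetical host)."""
    fmt = ("Apr  9 13:0{m}:{s:02d} server sshd[{pid}]: "
           "Failed password for {who} from {src} port {port} ssh2")
    lines = [fmt.format(m=1, s=i * 5, pid=4101, who="scott",
                        src="203.0.113.7", port=50112) for i in range(6)]
    lines += [fmt.format(m=2, s=i, pid=4102, who="invalid user admin",
                         src="198.51.100.23", port=40022) for i in range(2)]
    lines.append(fmt.format(m=3, s=0, pid=4103, who="scott",
                            src="203.0.113.7", port=50190))
    lines.append("Apr  9 13:04:00 server sshd[4104]: "
                 "Accepted publickey for scott from 192.0.2.10 port 51000 ssh2")
    return lines

if __name__ == "__main__":
    by_src, by_user, by_pid = tally_failures(sample_log())
    for src, n in by_src.most_common():
        print(f"{n:4d} failures from {src}")
    for user, n in by_user.most_common():
        print(f"{n:4d} failures for login {user}")
    print("connections at MaxAuthTries:", connections_at_limit(by_pid))
```

On a real server, pass the lines of the auth log to `tally_failures` in place of `sample_log()`.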