From: Willem Jan Withagen
Organization: Digiware Management b.v.
Date: Sat, 14 Sep 2013 15:06:11 +0200
To: freebsd-security@freebsd.org
Subject: Re: Odd sshd entry in auth.log
Message-ID: <52345F43.5070601@digiware.nl>
In-Reply-To: <20130914120151.GY25357@albert.catwhisker.org>

On 2013-09-14 14:01, David Wolfskill wrote:
> Sep 13 12:43:24 albert sshd[43949]: fatal: Read from socket failed: Connection reset by peer [preauth]

I see plenty of these, if only because I test the sshd availability with nagios without actually going thru the full login... I just abort once I see sshd report its availability on the port. Hence the 'reset by peer [preauth].'

Like DES says: Scanners generate more or less the same behavior. They scan, and try to determine if you are running a vulnerable sshd or something else they can work with....

I still have a wish on my todo to see if it is possible to report the ipnr... And then block hosts with too many tries. But it's not really high on the agenda...

--WjW
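One way to report the source address for these entries and pick out hosts with too many tries, as an added example that is not part of the original message. It assumes sshd runs with LogLevel VERBOSE so that each connection logs a "Connection from" line that can be joined to the fatal line on the sshd PID; the sample lines other than the quoted one, the threshold and the allowlist are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of auth.log lines (documentation addresses). Assumes sshd
# runs with LogLevel VERBOSE, which logs a "Connection from" line per connection.
SAMPLE_LOG = """\
Sep 13 12:43:20 albert sshd[43949]: Connection from 192.0.2.10 port 51234
Sep 13 12:43:24 albert sshd[43949]: fatal: Read from socket failed: Connection reset by peer [preauth]
Sep 13 12:44:01 albert sshd[43960]: Connection from 198.51.100.7 port 40022
Sep 13 12:44:01 albert sshd[43960]: fatal: Read from socket failed: Connection reset by peer [preauth]
Sep 13 12:44:05 albert sshd[43971]: Connection from 192.0.2.10 port 51240
Sep 13 12:44:06 albert sshd[43971]: fatal: Read from socket failed: Connection reset by peer [preauth]
Sep 13 12:44:09 albert sshd[43980]: Connection from 192.0.2.10 port 51244
Sep 13 12:44:10 albert sshd[43980]: fatal: Read from socket failed: Connection reset by peer [preauth]
Sep 13 12:45:00 albert sshd[43990]: Connection from 203.0.113.5 port 60000
Sep 13 12:45:02 albert sshd[43990]: Accepted publickey for alice from 203.0.113.5 port 60000 ssh2
Sep 13 12:46:00 albert sshd[44001]: fatal: Read from socket failed: Connection reset by peer [preauth]
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT = re.compile(r"^Connection from (?P<ip>\S+) port \d+")
RESET = "Connection reset by peer [preauth]"

def preauth_resets_by_ip(lines):
    """Count preauth resets per source IP, joining on the sshd child PID."""
    pid_to_ip = {}
    counts = Counter()
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        c = CONNECT.match(msg)
        if c:
            pid_to_ip[pid] = c.group("ip")   # PIDs get reused; latest wins
        elif RESET in msg:
            # No "Connection from" line seen for this PID: source is unknown.
            counts[pid_to_ip.pop(pid, "unknown")] += 1
    return counts

def hosts_to_block(counts, allowlist=(), threshold=3):
    """Return IPs at or over the threshold, skipping known monitoring hosts."""
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and ip != "unknown" and ip not in allowlist)

if __name__ == "__main__":
    counts = preauth_resets_by_ip(SAMPLE_LOG.splitlines())
    print(dict(counts), hosts_to_block(counts))
```

The allowlist is where a monitoring host such as the nagios checker belongs, since its aborted probes produce the same log entry as a scanner.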