Date: 9 Apr 2011 17:22:18 -0000
From: Scott Ballantyne
To: freebsd-questions@freebsd.org
Subject: Re: SSHD Strangeness

>On Fri, Apr 8, 2011 at 5:15 PM, illoai@gmail.com wrote:
>>On 8 April 2011 15:22, Scott Ballantyne wrote:
>> I've never seen this before, but when ssh'ing to my server today, I
>> got:
>>
>> ssh_exchange_identification: Connection closed
> Was this multiple log-in failures receiving the same
> error message?
>
> & is this log-in happening across the internet or is
> this on your local network?

Not sure what you mean by 'multiple log-in failures'. I tried many times, each with the same result, if that's what you are asking. It was happening across the internet and also locally. When I logged into the server with my vendor's KVM tool, I tried ssh'ing from the server to the server, and got the same message.

I thought there might have been a break-in, but who and 'w' didn't show anyone logged in that shouldn't have been there. I killed all the sshd processes and restarted it; that didn't help. ps -auxww did show a few, not many, sshd's in various states of connectedness.

I'm wondering if this is some kind of denial-of-service attack opportunity. That's the only thing I can think of at the moment. I'm not using the host allow/deny stuff, and unfortunately did not think to use ssh -W.

Thanks!
Scott
--
sdb@ssr.com