Solved

sshd crash?

Posted on 2002-06-13
Last Modified: 2010-04-07
I noticed the following in my log files today:

Jun 13 07:10:29 mac1 sshd2[20167]: connection from "66.92.178.xx"
Jun 13 07:10:29 mac1 sshd2[20167]: connection from "66.92.178.xx"
Jun 13 07:10:30 mac1 sshd2[26222]: Remote host disconnected: Connection closed by remote host.
Jun 13 07:10:30 mac1 sshd2[26222]: connection lost: 'Connection closed by remote host.'
Jun 13 07:10:30 mac1 sshd[26223]: debug: F-SECURE SSH commercial
Jun 13 07:10:30 mac1 sshd[26223]: debug: sshd version 1.3.11 [i386-unknown-bsdi4.1]
Jun 13 07:10:30 mac1 sshd[26223]: debug: Forcing server key to 1152 bits to make it differ from host key.
Jun 13 07:10:30 mac1 sshd[26223]: debug: Initializing random number generator; seed file /etc/ssh_random_seed
Jun 13 07:10:30 mac1 sshd[26223]: debug: inetd sockets after dupping: 5, 6
Jun 13 07:10:30 mac1 sshd[26223]: log: Generating 1152 bit RSA key.
Jun 13 07:10:32 mac1 sshd[26223]: log: RSA key generation complete.
Jun 13 07:10:32 mac1 sshd[26223]: log: Connection from 66.92.178.66 port 4825
Jun 13 07:10:32 mac1 sshd[26223]: debug: Client protocol version 1.0; client software version SSH_Version_Mapper
Jun 13 07:10:32 mac1 sshd[26223]: fatal: Local: Your ssh version is too old and is no longer supported.  Please install a newer version.
Jun 13 07:10:32 mac1 sshd[26223]: debug: Calling cleanup 0x8057e04(0x0)
Jun 13 07:10:32 mac1 sshd2[20167]: connection from "66.92.178.66"
Jun 13 07:10:33 mac1 sshd2[26224]: Remote host disconnected: Connection closed by remote host.
Jun 13 07:10:33 mac1 sshd2[26224]: connection lost: 'Connection closed by remote host.'

To me, it looks like someone is running an exploit against my machine's sshd service.  What I see as happening is this guy trying to connect to my ssh port, which then forwards him on to sshd because he is using ssh1.  sshd starts up and reports that his client is too old, and disconnects him.

I just want to make sure that this is normal behavior.  It's a little frightening to see sshd display its debug information as if it crashed and restarted...

I've read F-Secure SSH 1.3.11-2 and later are not vulnerable to CAN-2001-0144, but I'm running 1.3.11...
If I am vulnerable, any advice on how to remotely upgrade ssh on a bsdi box? :)
0
Question by:smisk
4 Comments
 
LVL 16

Accepted Solution

by:
The--Captain earned 100 total points
ID: 7084203
That vulnerability only affected ssh v1 protocol, right?  It looks to me like your server is doing the right thing (tm), and dropping anyone who tries to use the old protocol.

This does not look like a crash to me - just a dropped connection.

Cheers,
-Jon
0
 
LVL 1

Author Comment

by:smisk
ID: 7084218
Cool.  I stopped accepting SSH1 connections anyway.

Thanks,
Steve
0
 
LVL 1

Author Comment

by:smisk
ID: 7084222
All I wanted was a second opinion... :)
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 7084359
Thanks!  Many folks disable the debug facility in syslog for just these reasons (and heavy log activity can slow things down).

Cheers,
-Jon
0
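An added example, not part of the original thread: a Python check over a subset of the log lines quoted in the question, separating a per-connection `sshd` process that refused an old-protocol client from a restart of the listening daemon. The function names are illustrative, and it assumes that an `sshd2` process logging `connection from` more than once under the same PID is the long-lived listener.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the log lines quoted in the question above.
SAMPLE = """\
Jun 13 07:10:29 mac1 sshd2[20167]: connection from "66.92.178.xx"
Jun 13 07:10:30 mac1 sshd2[26222]: connection lost: 'Connection closed by remote host.'
Jun 13 07:10:30 mac1 sshd[26223]: debug: sshd version 1.3.11 [i386-unknown-bsdi4.1]
Jun 13 07:10:32 mac1 sshd[26223]: log: Connection from 66.92.178.66 port 4825
Jun 13 07:10:32 mac1 sshd[26223]: debug: Client protocol version 1.0; client software version SSH_Version_Mapper
Jun 13 07:10:32 mac1 sshd[26223]: fatal: Local: Your ssh version is too old and is no longer supported.  Please install a newer version.
Jun 13 07:10:32 mac1 sshd[26223]: debug: Calling cleanup 0x8057e04(0x0)
Jun 13 07:10:32 mac1 sshd2[20167]: connection from "66.92.178.66"
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) (\w+)\[(\d+)\]: (.*)$")

def parse(text):
    """Group syslog messages by (process name, pid), preserving order."""
    sessions = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            sessions[(m.group(3), int(m.group(4)))].append(m.group(5))
    return sessions

def classify(msgs):
    """Summarise one sshd (SSH1 fallback) process from its messages."""
    info = {"client": None, "proto": None, "banner": None, "verdict": "no-fatal"}
    for msg in msgs:
        if m := re.match(r"log: Connection from (\S+) port \d+", msg):
            info["client"] = m.group(1)
        elif m := re.match(r"debug: Client protocol version (\S+); client software version (\S+)", msg):
            info["proto"], info["banner"] = m.group(1), m.group(2)
        elif msg.startswith("fatal:"):
            info["verdict"] = "refused-old-client" if "too old" in msg else "fatal-other"
    return info

def listener_pids(sessions, proc="sshd2"):
    """Assumption: a PID that logs several inbound connections is the listener."""
    return [pid for (p, pid), msgs in sessions.items()
            if p == proc and sum(m.startswith("connection from") for m in msgs) > 1]

def report(text):
    sessions = parse(text)
    v1 = {pid: classify(m) for (p, pid), m in sessions.items() if p == "sshd"}
    return {"listener_pids": listener_pids(sessions), "v1_sessions": v1}

if __name__ == "__main__":
    print(report(SAMPLE))
```

A listener PID that is the same before and after the `fatal:` line, together with a `refused-old-client` verdict on the short-lived process, matches the "dropped connection, not a crash" reading given in the accepted answer.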
