Solved

sshd crash?

Posted on 2002-06-13
Last Modified: 2010-04-07
I noticed the following in my log files today:

Jun 13 07:10:29 mac1 sshd2[20167]: connection from "66.92.178.xx"
Jun 13 07:10:29 mac1 sshd2[20167]: connection from "66.92.178.xx"
Jun 13 07:10:30 mac1 sshd2[26222]: Remote host disconnected: Connection closed by remote host.
Jun 13 07:10:30 mac1 sshd2[26222]: connection lost: 'Connection closed by remote host.'
Jun 13 07:10:30 mac1 sshd[26223]: debug: F-SECURE SSH commercial
Jun 13 07:10:30 mac1 sshd[26223]: debug: sshd version 1.3.11 [i386-unknown-bsdi4.1]
Jun 13 07:10:30 mac1 sshd[26223]: debug: Forcing server key to 1152 bits to make it differ from host key.
Jun 13 07:10:30 mac1 sshd[26223]: debug: Initializing random number generator; seed file /etc/ssh_random_seed
Jun 13 07:10:30 mac1 sshd[26223]: debug: inetd sockets after dupping: 5, 6
Jun 13 07:10:30 mac1 sshd[26223]: log: Generating 1152 bit RSA key.
Jun 13 07:10:32 mac1 sshd[26223]: log: RSA key generation complete.
Jun 13 07:10:32 mac1 sshd[26223]: log: Connection from 66.92.178.66 port 4825
Jun 13 07:10:32 mac1 sshd[26223]: debug: Client protocol version 1.0; client software version SSH_Version_Mapper
Jun 13 07:10:32 mac1 sshd[26223]: fatal: Local: Your ssh version is too old and is no longer supported.  Please install a newer version.
Jun 13 07:10:32 mac1 sshd[26223]: debug: Calling cleanup 0x8057e04(0x0)
Jun 13 07:10:32 mac1 sshd2[20167]: connection from "66.92.178.66"
Jun 13 07:10:33 mac1 sshd2[26224]: Remote host disconnected: Connection closed by remote host.
Jun 13 07:10:33 mac1 sshd2[26224]: connection lost: 'Connection closed by remote host.'

To me, it looks like someone is running an exploit against my machine's sshd service.  What I see as happening is this guy trying to connect to my ssh port, which then forwards him on to sshd because he is using ssh1.  sshd starts up and reports that his client is too old, and disconnects him.

I just want to make sure that this is normal behavior.  It's a little frightening to see sshd display its debug information as if it crashed and restarted...

I've read F-Secure SSH 1.3.11-2 and later are not vulnerable to CAN-2001-0144, but I'm running 1.3.11...
If I am vulnerable, any advice on how to remotely upgrade ssh on a bsdi box? :)
Question by:smisk
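The log excerpt above shows the pattern the accepted answer describes: sshd2 hands a protocol-1 client to the old sshd, which logs the client's banner, rejects it with a fatal, and exits through its normal cleanup path. The script below is an added example, not code from the original thread or from F-Secure; it parses that excerpt (pasted inline as constructed sample input, masked octets and all), groups the sshd messages by PID, and reports for each protocol-1 fallback session where the connection came from, what client string it announced, whether it was rejected, and whether the cleanup line followed the fatal. The regexes assume the exact message formats shown in the log above; the function and field names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: the syslog excerpt from the question,
# exactly as the poster gave it (two addresses partially masked).
SAMPLE_LOG = """\
Jun 13 07:10:29 mac1 sshd2[20167]: connection from "66.92.178.xx"
Jun 13 07:10:29 mac1 sshd2[20167]: connection from "66.92.178.xx"
Jun 13 07:10:30 mac1 sshd2[26222]: Remote host disconnected: Connection closed by remote host.
Jun 13 07:10:30 mac1 sshd2[26222]: connection lost: 'Connection closed by remote host.'
Jun 13 07:10:30 mac1 sshd[26223]: debug: F-SECURE SSH commercial
Jun 13 07:10:30 mac1 sshd[26223]: debug: sshd version 1.3.11 [i386-unknown-bsdi4.1]
Jun 13 07:10:30 mac1 sshd[26223]: debug: Forcing server key to 1152 bits to make it differ from host key.
Jun 13 07:10:30 mac1 sshd[26223]: debug: Initializing random number generator; seed file /etc/ssh_random_seed
Jun 13 07:10:30 mac1 sshd[26223]: debug: inetd sockets after dupping: 5, 6
Jun 13 07:10:30 mac1 sshd[26223]: log: Generating 1152 bit RSA key.
Jun 13 07:10:32 mac1 sshd[26223]: log: RSA key generation complete.
Jun 13 07:10:32 mac1 sshd[26223]: log: Connection from 66.92.178.66 port 4825
Jun 13 07:10:32 mac1 sshd[26223]: debug: Client protocol version 1.0; client software version SSH_Version_Mapper
Jun 13 07:10:32 mac1 sshd[26223]: fatal: Local: Your ssh version is too old and is no longer supported.  Please install a newer version.
Jun 13 07:10:32 mac1 sshd[26223]: debug: Calling cleanup 0x8057e04(0x0)
Jun 13 07:10:32 mac1 sshd2[20167]: connection from "66.92.178.66"
Jun 13 07:10:33 mac1 sshd2[26224]: Remote host disconnected: Connection closed by remote host.
Jun 13 07:10:33 mac1 sshd2[26224]: connection lost: 'Connection closed by remote host.'
"""

# Syslog prefix: timestamp, host, program (sshd or sshd2), PID, message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>sshd2?)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Message formats assumed from the excerpt above (sshd 1.3.11 wording).
CONN_RE = re.compile(r"^log: Connection from (?P<ip>\S+) port (?P<port>\d+)$")
CLIENT_RE = re.compile(
    r"^debug: Client protocol version (?P<proto>[\d.]+); "
    r"client software version (?P<sw>\S+)$"
)
SSHD2_CONN_RE = re.compile(r'^connection from "(?P<ip>[^"]+)"$')
REJECT_MARK = "Your ssh version is too old"
CLEANUP_MARK = "debug: Calling cleanup"


def parse_log(text):
    """Split syslog text into dicts; lines not from sshd/sshd2 are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def ssh1_fallback_sessions(entries):
    """Group the protocol-1 sshd messages by PID and summarise each session.

    'rejected' means the too-old fatal was logged; 'cleaned_up' means the
    normal cleanup line followed it, i.e. the process exited on purpose.
    """
    by_pid = defaultdict(list)
    for e in entries:
        if e["prog"] == "sshd":
            by_pid[e["pid"]].append(e["msg"])
    sessions = []
    for pid, msgs in by_pid.items():
        s = {"pid": pid, "ip": None, "port": None, "proto": None,
             "client": None, "rejected": False, "cleaned_up": False}
        for msg in msgs:
            if (m := CONN_RE.match(msg)):
                s["ip"], s["port"] = m["ip"], int(m["port"])
            elif (m := CLIENT_RE.match(msg)):
                s["proto"], s["client"] = m["proto"], m["sw"]
            elif REJECT_MARK in msg:
                s["rejected"] = True
            elif msg.startswith(CLEANUP_MARK):
                s["cleaned_up"] = True
        sessions.append(s)
    return sessions


def classify(session):
    """Verdict for one fallback session; a fatal with no cleanup line is the
    case that would deserve a closer look, the first case is the normal one."""
    if session["rejected"] and session["cleaned_up"]:
        return "rejected-ssh1-client"
    if session["rejected"]:
        return "rejected-without-cleanup"
    return "ssh1-session-not-rejected"


def sshd2_connection_counts(entries):
    """How many sshd2 'connection from' lines each source address produced."""
    counts = defaultdict(int)
    for e in entries:
        if e["prog"] == "sshd2" and (m := SSHD2_CONN_RE.match(e["msg"])):
            counts[m["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for s in ssh1_fallback_sessions(entries):
        print(f"pid {s['pid']}: {s['ip']}:{s['port']} proto {s['proto']} "
              f"client {s['client']} -> {classify(s)}")
    print("sshd2 connections per source:", sshd2_connection_counts(entries))
```

Run against the excerpt it reports a single session, PID 26223 from 66.92.178.66 port 4825, protocol 1.0, client string SSH_Version_Mapper, classified as rejected-ssh1-client, which is the verdict the accepted answer gives. Pointing the same script at a day's worth of sshd logs turns the "is this normal?" question into a count of how many protocol-1 probes were refused and from where, without needing the debug facility left on.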
4 Comments
 
LVL 16

Accepted Solution

by:
The--Captain earned 300 total points
ID: 7084203
That vulnerability only affected ssh v1 protocol, right?  It looks to me like your server is doing the right thing (tm), and dropping anyone who tries to use the old protocol.

This does not look like a crash to me - just a dropped connection.

Cheers,
-Jon
 
LVL 1

Author Comment

by:smisk
ID: 7084218
Cool.  I stopped accepting SSH1 connections anyway.

Thanks,
Steve
 
LVL 1

Author Comment

by:smisk
ID: 7084222
All I wanted was a second opinion... :)
 
LVL 16

Expert Comment

by:The--Captain
ID: 7084359
Thanks!  Many folks disable the debug facility in syslog for just these reasons (and heavy log activity can slow things down).

Cheers,
-Jon