Solved

sshd crash?

Posted on 2002-06-13
Last Modified: 2010-04-07
I noticed the following in my log files today:

Jun 13 07:10:29 mac1 sshd2[20167]: connection from "66.92.178.xx"
Jun 13 07:10:29 mac1 sshd2[20167]: connection from "66.92.178.xx"
Jun 13 07:10:30 mac1 sshd2[26222]: Remote host disconnected: Connection closed by remote host.
Jun 13 07:10:30 mac1 sshd2[26222]: connection lost: 'Connection closed by remote host.'
Jun 13 07:10:30 mac1 sshd[26223]: debug: F-SECURE SSH commercial
Jun 13 07:10:30 mac1 sshd[26223]: debug: sshd version 1.3.11 [i386-unknown-bsdi4.1]
Jun 13 07:10:30 mac1 sshd[26223]: debug: Forcing server key to 1152 bits to make it differ from host key.
Jun 13 07:10:30 mac1 sshd[26223]: debug: Initializing random number generator; seed file /etc/ssh_random_seed
Jun 13 07:10:30 mac1 sshd[26223]: debug: inetd sockets after dupping: 5, 6
Jun 13 07:10:30 mac1 sshd[26223]: log: Generating 1152 bit RSA key.
Jun 13 07:10:32 mac1 sshd[26223]: log: RSA key generation complete.
Jun 13 07:10:32 mac1 sshd[26223]: log: Connection from 66.92.178.66 port 4825
Jun 13 07:10:32 mac1 sshd[26223]: debug: Client protocol version 1.0; client software version SSH_Version_Mapper
Jun 13 07:10:32 mac1 sshd[26223]: fatal: Local: Your ssh version is too old and is no longer supported.  Please install a newer version.
Jun 13 07:10:32 mac1 sshd[26223]: debug: Calling cleanup 0x8057e04(0x0)
Jun 13 07:10:32 mac1 sshd2[20167]: connection from "66.92.178.66"
Jun 13 07:10:33 mac1 sshd2[26224]: Remote host disconnected: Connection closed by remote host.
Jun 13 07:10:33 mac1 sshd2[26224]: connection lost: 'Connection closed by remote host.'

To me, it looks like someone is running an exploit against my machine's sshd service.  What I see as happening is this guy trying to connect to my ssh port, which then forwards him on to sshd because he is using ssh1.  sshd starts up and reports that his client is too old, and disconnects him.

I just want to make sure that this is normal behavior.  It's a little frightening to see sshd display its debug information as if it crashed and restarted...

I've read F-Secure SSH 1.3.11-2 and later are not vulnerable to CAN-2001-0144, but I'm running 1.3.11...
If I am vulnerable, any advice on how to remotely upgrade ssh on a bsdi box? :)
Question by:smisk
4 Comments
 

Accepted Solution

by:
The--Captain earned 100 total points
ID: 7084203
That vulnerability only affected ssh v1 protocol, right?  It looks to me like your server is doing the right thing (tm), and dropping anyone who tries to use the old protocol.

This does not look like a crash to me - just a dropped connection.

Cheers,
-Jon

Author Comment

by:smisk
ID: 7084218
Cool.  I stopped accepting SSH1 connections anyway.

Thanks,
Steve

Author Comment

by:smisk
ID: 7084222
All I wanted was a second opinion... :)

Expert Comment

by:The--Captain
ID: 7084359
Thanks!  Many folks disable the debug facility in syslog for just these reasons (and heavy log activity can slow things down).

Cheers,
-Jon
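
The accepted answer's reading of the log, as an added triage example that is not part of the original thread: it groups the sshd (SSH1 daemon) lines by PID and labels a session as a deliberate refusal when it ends with the "too old" fatal message rather than some other fatal error. The sample input is a subset of the log lines quoted in the question; the function name and verdict labels are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the log lines quoted in the question.
SAMPLE_LOG = """\
Jun 13 07:10:30 mac1 sshd2[26222]: connection lost: 'Connection closed by remote host.'
Jun 13 07:10:30 mac1 sshd[26223]: debug: sshd version 1.3.11 [i386-unknown-bsdi4.1]
Jun 13 07:10:32 mac1 sshd[26223]: log: Connection from 66.92.178.66 port 4825
Jun 13 07:10:32 mac1 sshd[26223]: debug: Client protocol version 1.0; client software version SSH_Version_Mapper
Jun 13 07:10:32 mac1 sshd[26223]: fatal: Local: Your ssh version is too old and is no longer supported.  Please install a newer version.
Jun 13 07:10:32 mac1 sshd[26223]: debug: Calling cleanup 0x8057e04(0x0)
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) (sshd2?)\[(\d+)\]: (.*)$")
PEER = re.compile(r"Connection from (\S+) port (\d+)")
CLIENT = re.compile(r"Client protocol version ([\d.]+); client software version (\S+)")
TOO_OLD = "Your ssh version is too old"

def triage(log_text):
    """Group SSH1 daemon (sshd) lines by PID and classify how each session ended."""
    sessions = defaultdict(lambda: {"peer": None, "proto": None, "client": None,
                                    "fatal": None, "cleanup": False})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or m.group(3) != "sshd":   # skip sshd2 (SSH2 daemon) lines
            continue
        s, msg = sessions[int(m.group(4))], m.group(5)
        if (p := PEER.search(msg)):
            s["peer"] = p.group(1)
        elif (c := CLIENT.search(msg)):
            s["proto"], s["client"] = c.group(1), c.group(2)
        elif msg.startswith("fatal:"):
            s["fatal"] = msg
        elif "Calling cleanup" in msg:
            s["cleanup"] = True             # cleanup handler ran on the way out
    report = {}
    for pid, s in sessions.items():
        if s["fatal"] and TOO_OLD in s["fatal"]:
            verdict = "rejected-old-client"  # deliberate refusal, as in the answer
        elif s["fatal"]:
            verdict = "other-fatal"          # a different fatal message: read it
        else:
            verdict = "no-fatal-logged"      # session did not end via a fatal line
        report[pid] = {**s, "verdict": verdict}
    return report

if __name__ == "__main__":
    for pid, r in triage(SAMPLE_LOG).items():
        print(pid, r["peer"], r["proto"], r["client"], r["verdict"])
```
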