Solved

sshd crash?

Posted on 2002-06-13
Last Modified: 2010-04-07
I noticed the following in my log files today:

Jun 13 07:10:29 mac1 sshd2[20167]: connection from "66.92.178.xx"
Jun 13 07:10:29 mac1 sshd2[20167]: connection from "66.92.178.xx"
Jun 13 07:10:30 mac1 sshd2[26222]: Remote host disconnected: Connection closed by remote host.
Jun 13 07:10:30 mac1 sshd2[26222]: connection lost: 'Connection closed by remote host.'
Jun 13 07:10:30 mac1 sshd[26223]: debug: F-SECURE SSH commercial
Jun 13 07:10:30 mac1 sshd[26223]: debug: sshd version 1.3.11 [i386-unknown-bsdi4.1]
Jun 13 07:10:30 mac1 sshd[26223]: debug: Forcing server key to 1152 bits to make it differ from host key.
Jun 13 07:10:30 mac1 sshd[26223]: debug: Initializing random number generator; seed file /etc/ssh_random_seed
Jun 13 07:10:30 mac1 sshd[26223]: debug: inetd sockets after dupping: 5, 6
Jun 13 07:10:30 mac1 sshd[26223]: log: Generating 1152 bit RSA key.
Jun 13 07:10:32 mac1 sshd[26223]: log: RSA key generation complete.
Jun 13 07:10:32 mac1 sshd[26223]: log: Connection from 66.92.178.66 port 4825
Jun 13 07:10:32 mac1 sshd[26223]: debug: Client protocol version 1.0; client software version SSH_Version_Mapper
Jun 13 07:10:32 mac1 sshd[26223]: fatal: Local: Your ssh version is too old and is no longer supported.  Please install a newer version.
Jun 13 07:10:32 mac1 sshd[26223]: debug: Calling cleanup 0x8057e04(0x0)
Jun 13 07:10:32 mac1 sshd2[20167]: connection from "66.92.178.66"
Jun 13 07:10:33 mac1 sshd2[26224]: Remote host disconnected: Connection closed by remote host.
Jun 13 07:10:33 mac1 sshd2[26224]: connection lost: 'Connection closed by remote host.'

To me, it looks like someone is running an exploit against my machine's sshd service.  What I see as happening is this guy trying to connect to my ssh port, which then forwards him on to sshd because he is using ssh1.  sshd starts up and reports that his client is too old, and disconnects him.

I just want to make sure that this is normal behavior.  It's a little frightening to see sshd display its debug information as if it crashed and restarted...

I've read F-Secure SSH 1.3.11-2 and later are not vulnerable to CAN-2001-0144, but I'm running 1.3.11...
If I am vulnerable, any advice on how to remotely upgrade ssh on a bsdi box? :)
Question by:smisk
4 Comments

Accepted Solution

by:
The--Captain earned 100 total points
ID: 7084203
That vulnerability only affected ssh v1 protocol, right?  It looks to me like your server is doing the right thing (tm), and dropping anyone who tries to use the old protocol.

This does not look like a crash to me - just a dropped connection.

Cheers,
-Jon
0

Author Comment

by:smisk
ID: 7084218
Cool.  I stopped accepting SSH1 connections anyway.

Thanks,
Steve
0

Author Comment

by:smisk
ID: 7084222
All I wanted was a second opinion... :)
0

Expert Comment

by:The--Captain
ID: 7084359
Thanks!  Many folks disable the debug facility in syslog for just these reasons (and heavy log activity can slow things down).

Cheers,
-Jon
0
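
An added example, not part of the original thread: a small Python parser that groups the sshd (SSH1 daemon) lines of a log like the one in the question by PID and reports, per connection, the source address, the client banner and why the session ended. The function name, the regular expressions and the outcome labels are assumptions made for this sketch; the sample lines are copied from the question's excerpt.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the log excerpt in the question above.
SAMPLE = """\
Jun 13 07:10:30 mac1 sshd[26223]: debug: sshd version 1.3.11 [i386-unknown-bsdi4.1]
Jun 13 07:10:30 mac1 sshd[26223]: log: Generating 1152 bit RSA key.
Jun 13 07:10:32 mac1 sshd[26223]: log: Connection from 66.92.178.66 port 4825
Jun 13 07:10:32 mac1 sshd[26223]: debug: Client protocol version 1.0; client software version SSH_Version_Mapper
Jun 13 07:10:32 mac1 sshd[26223]: fatal: Local: Your ssh version is too old and is no longer supported.  Please install a newer version.
Jun 13 07:10:32 mac1 sshd[26223]: debug: Calling cleanup 0x8057e04(0x0)
Jun 13 07:10:32 mac1 sshd2[20167]: connection from "66.92.178.66"
Jun 13 07:10:33 mac1 sshd2[26224]: Remote host disconnected: Connection closed by remote host.
"""

# Assumed syslog layout: "Mon DD HH:MM:SS host prog[pid]: message"
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ (sshd2?)\[(\d+)\]: (.*)$")
CONN = re.compile(r"Connection from (\S+) port (\d+)")
BANNER = re.compile(r"Client protocol version (\S+); client software version (\S+)")
TOO_OLD = "fatal: Local: Your ssh version is too old"

def summarize(text):
    """Group SSH1-daemon ("sshd") lines by PID and classify each session."""
    sessions = defaultdict(
        lambda: {"src": None, "proto": None, "client": None, "outcome": "unknown"})
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m or m.group(1) != "sshd":   # skip sshd2 and unrelated lines
            continue
        session, msg = sessions[m.group(2)], m.group(3)
        if c := CONN.search(msg):
            session["src"] = c.group(1)
        elif b := BANNER.search(msg):
            session["proto"], session["client"] = b.groups()
        elif msg.startswith(TOO_OLD):
            # The server refused the client's protocol version: a policy
            # rejection of one connection, not a daemon crash.
            session["outcome"] = "rejected: client protocol too old"
        elif msg.startswith("fatal: "):
            session["outcome"] = "fatal: " + msg[len("fatal: "):]
    return dict(sessions)

if __name__ == "__main__":
    for pid, info in summarize(SAMPLE).items():
        print(pid, info)
```

Sessions that end with any other `fatal:` message keep that message as their outcome, so they stand out from routine version rejections when reviewing a longer log.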
