sshd crash?

Posted on 2002-06-13
Last Modified: 2010-04-07
I noticed the following in my log files today :

Jun 13 07:10:29 mac1 sshd2[20167]: connection from "66.92.178.xx"
Jun 13 07:10:29 mac1 sshd2[20167]: connection from "66.92.178.xx"
Jun 13 07:10:30 mac1 sshd2[26222]: Remote host disconnected: Connection closed by remote host.
Jun 13 07:10:30 mac1 sshd2[26222]: connection lost: 'Connection closed by remote host.'
Jun 13 07:10:30 mac1 sshd[26223]: debug: F-SECURE SSH commercial
Jun 13 07:10:30 mac1 sshd[26223]: debug: sshd version 1.3.11 [i386-unknown-bsdi4.1]
Jun 13 07:10:30 mac1 sshd[26223]: debug: Forcing server key to 1152 bits to make it differ from host key.
Jun 13 07:10:30 mac1 sshd[26223]: debug: Initializing random number generator; seed file /etc/ssh_random_seed
Jun 13 07:10:30 mac1 sshd[26223]: debug: inetd sockets after dupping: 5, 6
Jun 13 07:10:30 mac1 sshd[26223]: log: Generating 1152 bit RSA key.
Jun 13 07:10:32 mac1 sshd[26223]: log: RSA key generation complete.
Jun 13 07:10:32 mac1 sshd[26223]: log: Connection from 66.92.178.66 port 4825
Jun 13 07:10:32 mac1 sshd[26223]: debug: Client protocol version 1.0; client software version SSH_Version_Mapper
Jun 13 07:10:32 mac1 sshd[26223]: fatal: Local: Your ssh version is too old and is no longer supported.  Please install a newer version.
Jun 13 07:10:32 mac1 sshd[26223]: debug: Calling cleanup 0x8057e04(0x0)
Jun 13 07:10:32 mac1 sshd2[20167]: connection from "66.92.178.66"
Jun 13 07:10:33 mac1 sshd2[26224]: Remote host disconnected: Connection closed by remote host.
Jun 13 07:10:33 mac1 sshd2[26224]: connection lost: 'Connection closed by remote host.'

To me, it looks like someone is running an exploit against my machine's sshd service.  What I see as happening is this guy trying to connect to my ssh port, which then forwards him on to sshd because he is using ssh1.  sshd starts up and reports that his client is too old, and disconnects him.

I just want to make sure that this is normal behavior.  It's a little frightening to see sshd display its debug information as if it crashed and restarted...

I've read F-Secure SSH 1.3.11-2 and later are not vulnerable to CAN-2001-0144, but I'm running 1.3.11...
If I am vulnerable, any advice on how to remotely upgrade ssh on a bsdi box? :)
Question by:smisk
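As an added example (not code from the original post, and nothing to do with F-Secure's own tooling), here is a small Python parser that correlates the sshd2 listener hits with the protocol-1 sshd child's own lines and labels what the log above actually records: a client announcing protocol 1.0 and being turned away with a "fatal:" line, which is a rejected connection rather than a daemon crash. It assumes only the message formats visible in the log lines above; the sample input is those same lines, reproduced inline (with the masked octets kept as "xx").

```python
"""Pick protocol-1 fallback attempts out of F-Secure sshd/sshd2 syslog lines.

Added example, not from the original post. Assumes the two formats seen above:
sshd2 logs 'connection from "<ip>"'; the protocol-1 sshd it hands off to logs
'Connection from <ip> port <n>', the client's version string, and a 'fatal:'
line if it drops the client.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the lines from the post, masked octets kept as "xx".
SAMPLE_LOG = """\
Jun 13 07:10:29 mac1 sshd2[20167]: connection from "66.92.178.xx"
Jun 13 07:10:29 mac1 sshd2[20167]: connection from "66.92.178.xx"
Jun 13 07:10:30 mac1 sshd2[26222]: Remote host disconnected: Connection closed by remote host.
Jun 13 07:10:30 mac1 sshd2[26222]: connection lost: 'Connection closed by remote host.'
Jun 13 07:10:30 mac1 sshd[26223]: debug: F-SECURE SSH commercial
Jun 13 07:10:30 mac1 sshd[26223]: debug: sshd version 1.3.11 [i386-unknown-bsdi4.1]
Jun 13 07:10:32 mac1 sshd[26223]: log: Connection from 66.92.178.66 port 4825
Jun 13 07:10:32 mac1 sshd[26223]: debug: Client protocol version 1.0; client software version SSH_Version_Mapper
Jun 13 07:10:32 mac1 sshd[26223]: fatal: Local: Your ssh version is too old and is no longer supported.  Please install a newer version.
Jun 13 07:10:32 mac1 sshd2[20167]: connection from "66.92.178.66"
Jun 13 07:10:33 mac1 sshd2[26224]: Remote host disconnected: Connection closed by remote host.
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>sshd2?)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
SSHD2_CONN_RE = re.compile(r'^connection from "(?P<ip>[^"]+)"')
SSHD1_CONN_RE = re.compile(r"Connection from (?P<ip>[\d.]+) port (?P<port>\d+)")
CLIENT_RE = re.compile(r"Client protocol version (?P<proto>[\d.]+); client software version (?P<sw>\S+)")
FATAL_RE = re.compile(r"^fatal: (?P<reason>.*)$")


@dataclass
class Ssh1Attempt:
    """Everything one protocol-1 sshd child (one PID) told us about its client."""
    pid: str
    ip: Optional[str] = None
    port: Optional[int] = None
    proto: Optional[str] = None
    software: Optional[str] = None
    fatal: Optional[str] = None

    @property
    def rejected(self) -> bool:
        # sshd writes a 'fatal:' line when it drops the client; a clean session never does.
        return self.fatal is not None

    @property
    def version_probe(self) -> bool:
        # A client asking for protocol 1.x and being turned away is a scanner (or a
        # badly outdated client) feeling for SSH1 support, not a daemon crash.
        return self.proto is not None and self.proto.startswith("1.") and self.rejected


def parse_ssh1_attempts(log_text: str) -> List[Ssh1Attempt]:
    """One Ssh1Attempt per protocol-1 sshd child, in order of first appearance."""
    attempts: Dict[str, Ssh1Attempt] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if m is None or m.group("prog") != "sshd":   # skip sshd2 and unparseable lines
            continue
        a = attempts.setdefault(m.group("pid"), Ssh1Attempt(pid=m.group("pid")))
        msg = m.group("msg")
        c = SSHD1_CONN_RE.search(msg)
        if c:
            a.ip, a.port = c.group("ip"), int(c.group("port"))
            continue
        v = CLIENT_RE.search(msg)
        if v:
            a.proto, a.software = v.group("proto"), v.group("sw")
            continue
        f = FATAL_RE.match(msg)
        if f:
            a.fatal = f.group("reason")
    return list(attempts.values())


def sshd2_connections(log_text: str) -> Counter:
    """How many times each source address hit the sshd2 listener."""
    hits: Counter = Counter()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if m is None or m.group("prog") != "sshd2":
            continue
        c = SSHD2_CONN_RE.match(m.group("msg"))
        if c:
            hits[c.group("ip")] += 1
    return hits


if __name__ == "__main__":
    for ip, n in sshd2_connections(SAMPLE_LOG).items():
        print(f"sshd2: {n} connection(s) from {ip}")
    for a in parse_ssh1_attempts(SAMPLE_LOG):
        verdict = "SSH1 version probe, rejected" if a.version_probe else "accepted or incomplete"
        print(f"sshd[{a.pid}]: {a.ip}:{a.port} proto {a.proto} client {a.software!r}: {verdict}")
```

Run against the post's lines it reports three hits on the sshd2 listener from the same /24 and exactly one protocol-1 child, PID 26223, whose client called itself SSH_Version_Mapper, asked for protocol 1.0 and was dropped with the "too old" fatal. Keying on the sshd PID is what lets you tell "one child started, logged its startup chatter at debug level, and exited" apart from a daemon restart: a real crash of the listener would show a new sshd2 parent PID, which this log does not.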

Accepted Solution by The--Captain (earned 100 total points):
That vulnerability only affected ssh v1 protocol, right?  It looks to me like your server is doing the right thing (tm), and dropping anyone who tries to use the old protocol.

This does not look like a crash to me - just a dropped connection.

Cheers,
-Jon

Author Comment by smisk:
Cool.  I stopped accepting SSH1 connections anyway.

Thanks,
Steve

Author Comment by smisk:
All I wanted was a second opinion... :)

Expert Comment by The--Captain:
Thanks!  Many folks disable the debug facility in syslog for just these reasons (and heavy log activity can slow things down).

Cheers,
-Jon