sshd "connection closed" in log with no "connect" message

btw, my ssh server is set up to only accept keys; no passwords.

were you able to connect and login before? Any changes done recently ? do you have a firewall that might be resetting the connections?

I have no problem connecting at all.  That's the problem though, no one else should be able to connect because no one else has an account on that server and it only accepts keys and not passwords.  As a matter of fact, if they attempt to log in withouit a password, their IP address is added to iptables to -DROP.

I don't know who owns this 88.84.133.135 IP address.  I am wondering how I can get a "secure:Jul 20 11:11:24 DL140RH sshd[4822]: Connection closed by 88.84.133.135" when they should nevere be able to connect.

It could be that someone from that ip is trying to connect to your system but unable to login then connection is dropped / closed

That's what I normally see, but on this one, there is no connect or connect attempt message.

is this the only attempt? Any chance that it was not logged properly? Do you see logs for the same ip address?

I have never come across an instance where sshd didn't properly log an attempt to connect to the "secure" log.  I suppose that's possible.  I have searched all of the logs (even logs from before the last reboot) and this is the only instance of that IP address appearing anywhere.

This one's driving me nuts.  I'll raise the ante as high as I can.

Add this to iptables before any ssh denies (if they are restricted):

iptables -A <YOUR INPUT RULE> -p tcp -m tcp --dport 22 -j LOG

check:

ls -al /tmp
last -100
grep 88.84.133.135 /var/log/*

Run chkrootkit to be sure your machine is good:

http://www.chkrootkit.org/download/

If you are not restricting ssh via iptables, I would recommend doing so.  If you are not running iptables, I would recommend doing so.

I'm running sshdfilter which seems to be doing a nice job of blocking hack attempts.  Here's what my iptables looks like right now (the ACCEPT has been changed to protect the innocent).  As you can see, it's added 2 IP addresses to be dropped since the last reboot.  How would I add your suggestion to my current configuration or is it even necessary since I'm only accepting keys and a passphrase?  I'll run the rootkit check as you suggested.  I'm really doubting anything is up like that because this is a fairly new server (3 months since OS install?) and I have never accepted passwords only externally:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  where I work.com  anywhere            tcp dpt:ssh
ACCEPT     tcp  --  myinternal network       anywhere            tcp dpt:ssh
SSHD       tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain SSHD (1 references)
target     prot opt source               destination
DROP       tcp  --  58.196.29.31         anywhere            tcp dpt:ssh
DROP       tcp  --  202.103.190.97       anywhere            tcp dpt:ssh

I just think I'm going to have to write this one incident off as just an annomily and start logging everything as you suggest.  Thanks for the help.  I'll add LOG now.