Apr 23, 2012
tom

Unexplicated ssh connection from localhost through sshd to random localhost’s port

Question

I’ve tried to find out why I had some strange connections on my secure log file. Something like this :

Apr 23 11:35:43 li192-61 sshd[11651]: Did not receive identification string from 127.0.0.1
Apr 23 11:35:49 li192-61 sshd[11661]: Connection closed by UNKNOWN

I had many of these connections, each minute precisely. So I used the netstat command as netstat -ta --numeric-ports --program | grep 22 to get more info. I got this (I removed my own ssh connection) :

tcp        0      0 localhost:56145             localhost:22             TIME_WAIT   -

Next I tried to find which one is using this port, so I used lsof -i :22 and I got nothing except my own connection.

After I launched netstatcommand again, I got this :

tcp        0      0 localhost:45979             localhost:22             TIME_WAIT   -  

A new port is using as remote destination from localhost through port 22. It’s the same thing each minute.

I have no more ideas right now. So this my question :

Is there a way to get all process which are using ssh connection or get all process which are attempting to connect to a specific port (e.g: 45979) ?

Thank you for your time !

Asked by alexgindre

Answer

There is a post here which suggests that this type of thing results when you have 2 competing sshd processes trying to bind to the same port.

You might want to get a local console, and run service sshd stop and then check ps -ef | grep sshd for any rogue sshd servers that are not under the control of the service wrapper.

Answered by Tom H

Related posts:

  1. CYGWIN sshd “port 22: Connection refused”
  2. How to allow remote connections from non localhost clients with ssh remote port forwarding?
  3. SSH connection to localhost ssh_exchange_identification: Connection closed by remote host
  4. Port forwarding for localhost traffic over SSH to production machine database
  5. strange sshd log message every minute

Leave a comment