Hey hey, I was reading my system logs the other night and noticed that it was chock-full of ssh authentication errors to random IPs. And for the life of me, I cannot figure out which process is causing that. Would appreciate any tips on how I could pinpoint it o7
journalctl -eu sshd | tail -n 50 output:
I censored the actual IP addresses just in case, but I can post the unedited version if need be.
Mar 04 16:01:35 hostname sshd[77323]: Connection closed by (an IP address) port 49802
Mar 04 16:02:43 hostname sshd[77320]: fatal: Timeout before authentication for (an IP address) port 38882
Mar 04 16:15:49 hostname sshd[78287]: error: kex_exchange_identification: read: Connection reset by peer
Mar 04 16:15:49 hostname sshd[78287]: Connection reset by (an IP address) port 56984
Mar 04 16:16:53 hostname sshd[78289]: error: kex_exchange_identification: Connection closed by remote host
Mar 04 16:16:53 hostname sshd[78289]: Connection closed by (an IP address) port 42222
Mar 04 16:19:18 hostname sshd[78367]: error: kex_exchange_identification: Connection closed by remote host
Mar 04 16:19:18 hostname sshd[78367]: Connection closed by (an IP address) port 48642
Mar 04 16:19:31 hostname sshd[78369]: error: kex_exchange_identification: Connection closed by remote host
Mar 04 16:19:31 hostname sshd[78369]: Connection closed by (an IP address) port 48862
Mar 04 16:19:44 hostname sshd[78372]: error: kex_exchange_identification: Connection closed by remote host
Mar 04 16:19:44 hostname sshd[78372]: Connection closed by (an IP address) port 49057
Mar 04 16:19:57 hostname sshd[78375]: error: kex_exchange_identification: Connection closed by remote host
Mar 04 16:19:57 hostname sshd[78375]: Connection closed by (an IP address) port 49275
Mar 04 16:20:10 hostname sshd[78378]: error: kex_exchange_identification: Connection closed by remote host
Mar 04 16:20:10 hostname sshd[78378]: Connection closed by (an IP address) port 49506
Mar 04 16:20:24 hostname sshd[78381]: error: kex_exchange_identification: Connection closed by remote host
Mar 04 16:20:24 hostname sshd[78381]: Connection closed by (an IP address) port 49717
Mar 04 16:20:37 hostname sshd[78387]: error: kex_exchange_identification: Connection closed by remote host
Mar 04 16:20:37 hostname sshd[78387]: Connection closed by (an IP address) port 49920
Mar 04 16:20:51 hostname sshd[78389]: error: kex_exchange_identification: Connection closed by remote host
Mar 04 16:20:51 hostname sshd[78389]: Connection closed by (an IP address) port 37718
Mar 04 16:21:03 hostname sshd[78393]: error: kex_exchange_identification: Connection closed by remote host
Mar 04 16:21:03 hostname sshd[78393]: Connection closed by (an IP address) port 37916
Mar 04 16:21:17 hostname sshd[78395]: error: kex_exchange_identification: Connection closed by remote host
Mar 04 16:21:17 hostname sshd[78395]: Connection closed by (an IP address) port 38120
Mar 04 16:21:30 hostname sshd[78399]: error: kex_exchange_identification: Connection closed by remote host
Mar 04 16:21:30 hostname sshd[78399]: Connection closed by (an IP address) port 38346
Mar 04 16:21:43 hostname sshd[78402]: error: kex_exchange_identification: Connection closed by remote host
Mar 04 16:21:43 hostname sshd[78402]: Connection closed by (an IP address) port 38550
Mar 04 16:21:56 hostname sshd[78404]: error: kex_exchange_identification: Connection closed by remote host
Mar 04 16:21:56 hostname sshd[78404]: Connection closed by (an IP address) port 38755
Mar 04 16:22:09 hostname sshd[78407]: error: kex_exchange_identification: Connection closed by remote host
Mar 04 16:22:09 hostname sshd[78407]: Connection closed by (an IP address) port 38961
Mar 04 16:22:22 hostname sshd[78409]: error: kex_exchange_identification: Connection closed by remote host
Mar 04 16:22:22 hostname sshd[78409]: Connection closed by (an IP address) port 39166
Mar 04 16:22:24 hostname sshd[78398]: error: kex_exchange_identification: Connection closed by remote host
Mar 04 16:22:24 hostname sshd[78398]: Connection closed by (an IP address) port 48770
Mar 04 16:22:35 hostname sshd[78412]: error: kex_exchange_identification: Connection closed by remote host
Mar 04 16:22:35 hostname sshd[78412]: Connection closed by (an IP address) port 39367
Mar 04 16:22:48 hostname sshd[78416]: error: kex_exchange_identification: Connection closed by remote host
Mar 04 16:22:48 hostname sshd[78416]: Connection closed by (an IP address) port 39591
Mar 04 16:24:49 hostname sshd[78418]: fatal: Timeout before authentication for (an IP address) port 39799
Mar 04 16:28:18 hostname sshd[78822]: error: kex_exchange_identification: Connection closed by remote host
Mar 04 16:28:18 hostname sshd[78822]: Connection closed by (an IP address) port 39771
Mar 04 16:39:18 hostname sshd[79841]: error: kex_exchange_identification: Connection closed by remote host
Mar 04 16:39:18 hostname sshd[79841]: Connection closed by (an IP address) port 59133
Mar 04 16:41:48 hostname sshd[80819]: error: kex_exchange_identification: Connection closed by remote host
Mar 04 16:41:48 hostname sshd[80819]: Connection closed by (an IP address) port 38430
Mar 04 16:51:21 hostname sshd[81315]: fatal: Timeout before authentication for (an IP address) port 41348
pacman -Qe output:
The only thing I have used ssh myself for, on this install, was connecting to the OverTheWire Bandit server.
Last edited by snekmuffin (2023-03-04 09:57:31)
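Every sshd[pid] line in that journal is written by the listening server, one forked child per inbound connection, so the "process" behind them is the sshd service itself rather than a local client. As an added example (not from the thread, and not the poster's real data), here is a small Python triage script over constructed lines in the same journalctl format, using RFC 5737 documentation addresses, that groups pre-auth failures by source and category and attaches a peer address to the kex_exchange_identification lines via the pid they share with their sibling "Connection closed by" line.

```python
import re
from collections import Counter, defaultdict

# Constructed sample (journalctl format from the post; RFC 5737 documentation addresses, not real peers)
SAMPLE_LOG = """\
Mar 04 16:15:49 hostname sshd[78287]: error: kex_exchange_identification: read: Connection reset by peer
Mar 04 16:15:49 hostname sshd[78287]: Connection reset by 192.0.2.10 port 56984
Mar 04 16:19:18 hostname sshd[78367]: error: kex_exchange_identification: Connection closed by remote host
Mar 04 16:19:18 hostname sshd[78367]: Connection closed by 198.51.100.7 port 48642
Mar 04 16:24:49 hostname sshd[78418]: fatal: Timeout before authentication for 198.51.100.7 port 39799
Mar 04 16:30:01 hostname sshd[78500]: Failed password for invalid user admin from 192.0.2.10 port 50001 ssh2
Mar 04 16:31:12 hostname sshd[78510]: Accepted publickey for alice from 203.0.113.5 port 50100 ssh2: ED25519 SHA256:constructed
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PEER_RE = re.compile(r" (?P<ip>[0-9A-Fa-f:.]+) port (?P<port>\d+)")

def classify(msg):
    # Order matters: the kex error text itself contains "Connection closed by".
    if "kex_exchange_identification" in msg:
        return "kex_abort"        # peer hung up before the SSH banner exchange
    if "Timeout before authentication" in msg:
        return "preauth_timeout"  # peer connected but never tried to log in
    if msg.startswith(("Connection closed by", "Connection reset by")):
        return "preauth_close"
    if msg.startswith("Failed password"):
        return "failed_password"
    if msg.startswith("Accepted "):
        return "accepted"
    return "other"

def parse(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            peer = PEER_RE.search(m["msg"])
            events.append({"pid": int(m["pid"]), "category": classify(m["msg"]),
                           "ip": peer["ip"] if peer else None})
    return events

def summarize(text):
    events = parse(text)
    # sshd forks one child per inbound connection, so lines sharing a pid are one session;
    # kex lines name no peer, so they inherit the address from their sibling line.
    pid_ip = {e["pid"]: e["ip"] for e in events if e["ip"]}
    by_category, by_source = Counter(), defaultdict(Counter)
    for e in events:
        ip = e["ip"] or pid_ip.get(e["pid"], "unknown")
        by_category[e["category"]] += 1
        by_source[ip][e["category"]] += 1
    return {"by_category": dict(by_category), "by_source": {ip: dict(c) for ip, c in by_source.items()}}
```

On a real host, feed it `journalctl -u sshd --no-pager -o short` output; a source with only kex_abort and preauth_close entries and no Accepted lines is a scanner probing the open port, not a login attempt by anyone you know.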
You do not need to enable the sshd daemon to connect to systems yourself. If you do, and your computer/sshd is exposed to the internet, it's par for the course that random people/malware/bots will want to connect to it. Somewhat of a small mitigation you can do is switch the ssh port, which will reduce most automated scripts; what you actually should do is disable password login and only allow known keys, or, if you do not actually need the ssh daemon, you could just disable the related service.
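The key-only policy recommended in the reply above, as an added example that is neither the poster's nor the Arch wiki's code: a small Python audit that reads sshd_config the way sshd does (keywords are case-insensitive, the first occurrence wins, the old ChallengeResponseAuthentication spelling maps to KbdInteractiveAuthentication, and a missing directive falls back to the OpenSSH 9.x default) and reports every directive that still permits password or root login, checked against a constructed weak fragment and a hardened one.

```python
import re

# OpenSSH 9.x defaults for the directives audited; a missing directive means
# the default applies, which is why an untouched sshd_config accepts passwords.
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes", "permitrootlogin": "prohibit-password"}
# Key-only policy from the reply: no password or keyboard-interactive login,
# public keys only, no root login.
WANTED = {"passwordauthentication": "no", "kbdinteractiveauthentication": "no",
          "pubkeyauthentication": "yes", "permitrootlogin": "no"}
# Pre-8.7 spelling of the same directive.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def effective_config(text):
    """Directives as sshd applies them: keywords are case-insensitive, the
    first occurrence wins, and anything after a Match block is conditional
    and therefore not audited here."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)\s*=?\s*(.+)$", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        seen.setdefault(ALIASES.get(key, key), value)
    return seen

def audit(text):
    """Return (directive, actual, wanted) for every directive that still
    allows something the key-only policy forbids."""
    cfg = effective_config(text)
    return [(k, cfg.get(k, DEFAULTS[k]), w) for k, w in WANTED.items()
            if cfg.get(k, DEFAULTS[k]).lower() != w]

# Constructed sshd_config fragments: the weak one relies on defaults, so passwords
# are accepted; the hardened one pins each directive, and its trailing duplicate
# PasswordAuthentication line is ignored because the first occurrence wins.
WEAK = """\
Port 22
PermitRootLogin yes
"""
HARDENED = """\
Port 22
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
PasswordAuthentication yes
"""
```

On a live host, `sudo sshd -T` prints the effective configuration in the same keyword/value form (lowercase keywords) and can be fed to audit() directly.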
somewhat of a small mitigation you can do is switch the ssh port which…
…is insufficient if you want to expose ssh to the interwebz.
https://wiki.archlinux.org/title/OpenSSH#Protection
You do not need to enable the sshd daemon to connect to systems yourself.
Ah, that is actually very useful, thank you. I don't think I ever intend to connect to this system, since I just use it as my desktop, so if I don't need it to still connect to other services, I'll just disable it.