SSH connection originating from default gateway?
-
Today while reviewing the syslog on my Unraid Server, I noticed SSH errors for "Kex_exchange_identification: Connection closed by remote host". I am trying to understand why the SSH connections appear to be originating from the default gateways of two of my networks?
-
That type of log entry is something you might see if there is a mechanism monitoring the port to see if it's open but not actually attempting to connect as a client. For example, if you have something like haproxy set up with a TCP entry for SSH to that system and it is performing a health check.
For example, this does a simple TCP handshake test without sending or receiving data:
Host A:

    $ nc -vz x.x.x.x 22
    Connection to x.x.x.x 22 port [tcp/ssh] succeeded!

Host B:

    Jan 23 11:39:30 target sshd[17392]: error: kex_exchange_identification: Connection closed by remote host
    Jan 23 11:39:30 target sshd[17392]: Connection closed by x.x.x.y port 48544
It's also possible you have something inside doing that, but it's hitting NAT reflection on the firewall, so it appears to come from the firewall, but the real source is elsewhere inside your network.
Lastly, you might have configured outbound NAT on that interface masking the source of the traffic.
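
One way to test the health-check explanation above against a syslog, as an added example that is not part of the original thread: pair each kex_exchange_identification error with the "Connection closed by" line from the same sshd PID, then check whether each source probes at a near-constant interval. The sample log, its addresses (documentation ranges), the function names and the jitter threshold are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample syslog; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Jan 23 11:39:30 target sshd[17392]: error: kex_exchange_identification: Connection closed by remote host
Jan 23 11:39:30 target sshd[17392]: Connection closed by 192.0.2.1 port 48544
Jan 23 11:40:00 target sshd[17401]: error: kex_exchange_identification: Connection closed by remote host
Jan 23 11:40:00 target sshd[17401]: Connection closed by 192.0.2.1 port 48602
Jan 23 11:40:07 target sshd[17405]: Accepted publickey for admin from 198.51.100.7 port 50122 ssh2
Jan 23 11:40:30 target sshd[17410]: error: kex_exchange_identification: Connection closed by remote host
Jan 23 11:40:30 target sshd[17410]: Connection closed by 192.0.2.1 port 48660
Jan 23 11:52:11 target sshd[17533]: error: kex_exchange_identification: Connection closed by remote host
Jan 23 11:52:11 target sshd[17533]: Connection closed by 203.0.113.9 port 39010
Jan 23 12:31:48 target sshd[17790]: error: kex_exchange_identification: Connection closed by remote host
Jan 23 12:31:48 target sshd[17790]: Connection closed by 203.0.113.9 port 41277
Jan 23 12:33:02 target sshd[17795]: error: kex_exchange_identification: Connection closed by remote host
Jan 23 12:33:02 target sshd[17795]: Connection closed by 203.0.113.9 port 41390
"""
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: (.*)$")
CLOSED = re.compile(r"^Connection closed by (\S+) port \d+")
KEX = "error: kex_exchange_identification: Connection closed by remote host"

def probe_sources(lines, year=2024):
    """Map source IP -> times of connections closed before any SSH banner was sent."""
    pending, hits = {}, defaultdict(list)  # pending: sshd PID -> time of the kex error
    for line in lines:
        if not (m := LINE.match(line)):
            continue
        stamp, pid, msg = m.groups()
        if msg == KEX:  # syslog timestamps carry no year, so one is assumed
            pending[pid] = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        elif pid in pending and (c := CLOSED.match(msg)):
            hits[c.group(1)].append(pending.pop(pid))  # the same PID names the peer
    return hits

def summarize(hits, max_jitter=2.0):
    """Flag sources whose probes arrive at a near-constant interval (monitor-like)."""
    report = {}
    for src, times in hits.items():  # times are in log order, assumed chronological
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[src] = {"count": len(times), "mean_gap_s": mean(gaps) if gaps else None,
                       "periodic": len(gaps) >= 2 and pstdev(gaps) <= max_jitter}
    return report

if __name__ == "__main__":
    print(summarize(probe_sources(SAMPLE_LOG.splitlines())))
```

The address reported is the one sshd saw; with NAT reflection or outbound NAT, as described above, that is the firewall's address, so the real origin has to be traced on the firewall itself.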