Process sshd - error: Fssh_kex_exchange_identification: Connection closed by remote host
-
Hi, I'm hoping that someone can help with the above message.
I am running a Netgate 6100 on pfSense version 23.05. I noticed these errors under the General tab of System settings. I am getting these errors for each of my interface IPs.
Port 22 is not open to the outside, so I'm not sure what is going on here.
-
Something is trying to connect to ssh and failing the key exchange. Those logs would usually also have the IP that is trying to connect.
If it's happening continually, check the state table in Diag > States. Filter by :22 assuming your SSH is still running on port 22.
Steve
-
Thanks for helping @stephenw10 .
When looking at the states table, there seem to be several ssh sessions initiating from the interface IP to a machine on the same network (see image below). This seems to be happening on several of my VLAN networks, with all traffic initiating from the interface IP to a machine on the same VLAN.
-
@ezoN you prob have discovery enabled in say ntop..
Have not played with ntop in a long time.. I don't know if there is an easy way to let it do discovery via just arp or ssdp, mdns and turn off ssh - which it does use..
That for sure would explain what you're seeing..
Here, this is from like 2019:
https://www.reddit.com/r/PFSENSE/comments/b820jk/ntopng_package_making_random_ssh_connections_is/
-
I wouldn't expect outbound connections to create the sshd logs in pfSense though.
-
@stephenw10 where did he post sshd logs? looks like just ssh error.. with a typo on that f in front.
-
Right but it's from the sshd server process not a client connecting out. I'm assuming those were in the pfSense system logs.
-
@stephenw10 sshd wouldn't make an outbound connection and clearly those are from outbound connections.
And looks like he is doing outbound nat.. But only thing that makes any sense to be doing that is ntop discovery..
@ezoN do you have ntop installed? Turn off the discovery, do the connections stop?
-
That's what I'm saying, the initial issue here was that things are connecting in generating the logs somehow. ntop is probably creating the outbound states but those things are unrelated. Probably!
-
@stephenw10 not sure why he cut off the left of that screenshot so could see what interfaces being created on..
But also see the http ports - this traffic is for sure ntop.. It's its discovery nonsense... Why would you need/want your traffic monitor to do discovery? Other than I think it uses it to try and figure out what OS is sending traffic, etc.
-
Thanks everyone for your help and insights.
It was definitely ntop. I've disabled it and the messages stopped.