Netgate Discussion Forum

    Process sshd - error: Fssh_kex_exchange_identification: Connection closed by remote host

    • stephenw10 Netgate Administrator

      Something is trying to connect to ssh and failing the key exchange. Those logs would usually also have the IP that is trying to connect.

      If it's happening continually, check the state table in Diag > States. Filter by :22, assuming your SSH is still running on port 22.

      Steve

      • ezoN @stephenw10

        Thanks for helping @stephenw10 .

        When looking at the states table, there seem to be several ssh sessions initiating from the interface IP to a machine on the same network (see image below). This seems to be happening on several of my VLAN networks, with all traffic initiating from the interface IP to a machine on the same VLAN.

        pfS-localdomain-Diagnostics-States-States.png

        • johnpoz LAYER 8 Global Moderator @ezoN

          @ezoN you prob have discovery enabled in say ntop..

          disable.jpg

          Have not played with ntop in a long time.. I don't know if there is easy way to let it do discovery via just arp or ssdp, mdns and turn off ssh - which it does use..

          That for sure would explain what you're seeing..

          here this is from like 2019

          https://www.reddit.com/r/PFSENSE/comments/b820jk/ntopng_package_making_random_ssh_connections_is/

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • stephenw10 Netgate Administrator

            I wouldn't expect outbound connections to create the sshd logs in pfSense though.

            • johnpoz LAYER 8 Global Moderator @stephenw10

              @stephenw10 where did he post sshd logs? looks like just ssh error.. with a typo on that f in front.

              • stephenw10 Netgate Administrator

                Right but it's from the sshd server process not a client connecting out. I'm assuming those were in the pfSense system logs.

                • johnpoz LAYER 8 Global Moderator @stephenw10

                  @stephenw10 sshd wouldn't make an outbound connection and clearly those are from outbound connections.

                  And looks like he is doing outbound nat.. But only thing that makes any sense to be doing that is ntop discovery..

                  @ezoN do you have ntop installed? Turn off the discovery; do the connections stop?

                  • stephenw10 Netgate Administrator

                    That's what I'm saying, the initial issue here was that things are connecting in generating the logs somehow. ntop is probably creating the outbound states but those things are unrelated. Probably!

                    • johnpoz LAYER 8 Global Moderator @stephenw10

                      @stephenw10 not sure why he cut off the left of that screenshot so could see what interfaces being created on..

                      But also see the http ports - this traffic is for sure ntop.. It's its discovery nonsense... Why would you need/want your traffic monitor to do discovery? Other than I think it uses it to try and figure out what OS is sending traffic, etc.

                      • ezoN

                        Thanks everyone for your help and insights.

                        It was definitely ntop. I've disabled it and the messages stopped.
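
Added example, not part of the original thread or of pfSense/ntopng: the thread turns on telling port-22 states the firewall itself opens (the ntop discovery traffic) apart from connections arriving at the firewall's own sshd, and this sketch makes that split over a saved state listing. The sample lines, the address 192.0.2.1 and the assumed line layout (modelled on `pfctl -ss` text output) are constructed for illustration.

```python
import re

# Constructed sample in the style of `pfctl -ss` output (not from the thread).
# 192.0.2.1 stands in for the firewall's interface address on the VLAN.
FIREWALL_IPS = {"192.0.2.1"}
STATES = """\
igb1 tcp 192.0.2.1:41822 -> 192.0.2.50:22       SYN_SENT:CLOSED
igb1 tcp 192.0.2.1:41830 -> 192.0.2.51:22       FIN_WAIT_2:FIN_WAIT_2
igb1 tcp 192.0.2.1:52011 -> 192.0.2.50:80       TIME_WAIT:TIME_WAIT
igb1 tcp 192.0.2.1:22 <- 192.0.2.77:50412       ESTABLISHED:ESTABLISHED
igb1 udp 192.0.2.1:53 <- 192.0.2.60:40000       SINGLE:MULTIPLE
"""

# Assumed line shape: <iface> tcp <ip>:<port> <arrow> <ip>:<port> <state>.
# IPv4 only; NAT-rewritten states (extra parenthesised address) are skipped.
STATE_RE = re.compile(
    r"^(\S+)\s+tcp\s+([\d.]+):(\d+)\s+(->|<-)\s+([\d.]+):(\d+)\s+(\S+)$")


def classify_ssh_states(text, firewall_ips, port=22):
    """Split TCP states on `port` into those the firewall originates
    (outbound, e.g. a discovery probe) and those aimed at its own sshd."""
    outbound, inbound = [], []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        iface, a_ip, a_port, arrow, b_ip, b_port, state = m.groups()
        # "A -> B": A opened the connection; "A <- B": B opened it towards A.
        if arrow == "->":
            src, dst, dport = a_ip, b_ip, int(b_port)
        else:
            src, dst, dport = b_ip, a_ip, int(a_port)
        if dport != port:
            continue
        if src in firewall_ips:
            outbound.append((iface, src, dst, state))
        elif dst in firewall_ips:
            inbound.append((iface, src, dst, state))
    return outbound, inbound


if __name__ == "__main__":
    out, inc = classify_ssh_states(STATES, FIREWALL_IPS)
    for label, rows in (("firewall -> host", out), ("host -> firewall sshd", inc)):
        for iface, src, dst, state in rows:
            print(f"{label:22} {iface} {src} -> {dst}:22 {state}")
```

Only the inbound rows can produce entries in the firewall's own sshd log; the outbound rows are what disabling discovery in ntop would be expected to remove.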
