Netgate Discussion Forum

    SSHD : too many "Did not receive identification string from 192.168.1.1 port xxxxx" messages

      shooters

      Hi,

      I'm using 2.4.4-RELEASE-p3 (arm64) on a SG-1100. The system log is full of "Did not receive identification string from 192.168.1.1 port xxxxx" messages generated by SSHD.

      I've got this message twice every 15 mins, and every time on a different port number.

      192.168.1.1 is my PfSense LAN interface.

      If I disable SSH, no more messages are logged as expected.

      Any idea?

      Many thanks :)

        johnpoz LAYER 8 Global Moderator

        And what device is 192.168.1.1 on your network?

        That port is going to be the source port... Here for example just hit pfsense from one of my linux boxes via just telnet to 22 so yeah it's going to be wrong

        Jul 14 08:27:26 	sshd 	13867 	Bad protocol version identification '\377\364\377\375\006' from 192.168.2.11 port 35776 
        

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          shooters

          192.168.1.1 is my PfSense LAN interface.

            johnpoz LAYER 8 Global Moderator

            So you're saying pfsense is trying to ssh to itself?

            Do you have any sort of port forwards setup for ssh? (22) are you running ssh on some other port other than 22?

              shooters

              Yes...it seems to be the case..

              No NAT or port forwarding set for SSH, and port 22 is the only port used for this service.

              Please note the 2 log messages when I activate SSH. Don't know if 0.0.0.0 is nominal.

              Jul 14 16:15:14 sshd 95481 Did not receive identification string from 192.168.1.1 port 53464
              Jul 14 16:15:13 sshd 95320 Did not receive identification string from 192.168.1.1 port 53462
              Jul 14 16:00:16 sshd 4591 Did not receive identification string from 192.168.1.1 port 7581
              Jul 14 16:00:15 sshd 4036 Did not receive identification string from 192.168.1.1 port 7579
              Jul 14 15:48:27 sshd 4672 Server listening on 0.0.0.0 port 22.
              Jul 14 15:48:27 sshd 4672 Server listening on :: port 22.

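An added example, not part of the thread or of pfSense: the "twice every 15 mins" pattern can be checked from the log itself by grouping the banner-less connections per source and testing whether the bursts are evenly spaced, which points at a scheduled local probe rather than a person typing. The function names are hypothetical, the 16:30 entries and the 192.168.1.50 entry are constructed, and the year is a placeholder because these syslog lines carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# 16:00 and 16:15 pairs: from the post. 16:30 pair and the 192.168.1.50 line: constructed.
SAMPLE_LOG = """\
Jul 14 16:30:14 sshd 97120 Did not receive identification string from 192.168.1.1 port 41022
Jul 14 16:30:13 sshd 97001 Did not receive identification string from 192.168.1.1 port 41020
Jul 14 16:21:40 sshd 96200 Did not receive identification string from 192.168.1.50 port 50111
Jul 14 16:15:14 sshd 95481 Did not receive identification string from 192.168.1.1 port 53464
Jul 14 16:15:13 sshd 95320 Did not receive identification string from 192.168.1.1 port 53462
Jul 14 16:00:16 sshd 4591 Did not receive identification string from 192.168.1.1 port 7581
Jul 14 16:00:15 sshd 4036 Did not receive identification string from 192.168.1.1 port 7579
Jul 14 15:48:27 sshd 4672 Server listening on 0.0.0.0 port 22.
"""

EVENT = re.compile(r"^(\w{3} +\d+ [\d:]{8})\s+sshd\s+\d+\s+"
                   r"Did not receive identification string from (\S+) port \d+")

def parse(log, year=2000):
    """Map source IP -> sorted timestamps. Syslog omits the year; 2000 is a placeholder."""
    hits = defaultdict(list)
    for line in log.splitlines():
        m = EVENT.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            hits[m.group(2)].append(ts)
    return {ip: sorted(ts) for ip, ts in hits.items()}

def bursts(times, gap=5):
    """Merge events at most `gap` seconds apart into one burst (its first timestamp)."""
    out, prev = [], None
    for t in times:
        if prev is None or (t - prev).total_seconds() > gap:
            out.append(t)
        prev = t
    return out

def classify(log, local_addrs=(), tolerance=30):
    """Per source: event and burst counts, plus a period if 3+ bursts are evenly spaced."""
    report = {}
    for ip, times in parse(log).items():
        b = bursts(times)
        gaps = [(y - x).total_seconds() for x, y in zip(b, b[1:])]
        even = len(gaps) >= 2 and max(gaps) - min(gaps) <= tolerance
        report[ip] = {"events": len(times), "bursts": len(b), "from_self": ip in local_addrs,
                      "period_s": round(sum(gaps) / len(gaps)) if even else None}
    return report

print(classify(SAMPLE_LOG, local_addrs={"192.168.1.1"}))
```

A source flagged `from_self` with a steady `period_s` is worth matching against cron entries and the check intervals of installed monitoring packages.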
                johnpoz LAYER 8 Global Moderator

                I can not think of anything being part of pfsense that would do such a thing.. Do you have any packages installed, any sort of 3rd party packages? Any sort of monitoring software or anything running on pfsense as agent.

                You sure you don't have something else on your network running that could have that IP?

                Check your cronjobs.. You can either install the cron package or view them from console with a cat of /etc/crontab

                Do you have maybe load balancer stuff setup to test for service? The monitors list a generic tcp that could be checking for ssh?

                  shooters @johnpoz

                  @johnpoz said in SSHD : too many "Did not receive identification string from 192.168.1.1 port xxxxx" messages:

                  I can not think of anything being part of pfsense that would do such a thing.. Do you have any packages installed, any sort of 3rd party packages? Any sort of monitoring software or anything running on pfsense as agent.

                  Yes, I have: acme, aws-wizard, iftop, ipsec-profile-wizard, Lightsquid, nmap, ntopng, openvpn-client-export, squid and zabbix-agent4.
                  I think I'm going to disable them one by one until the log messages disappear.

                  You sure you don't have something else on your network running that could have that IP?

                  No, sorry.

                  Check your cronjobs.. You can either install the cron package or view them from console with a cat of /etc/crontab

                  **/etc/crontab - root's crontab for FreeBSD
                  1,31 0-5 * * * root /usr/bin/nice -n20 adjkerntz -a
                  1 3 1 * * root /usr/bin/nice -n20 /etc/rc.update_bogons.sh
                  1 1 * * * root /usr/bin/nice -n20 /etc/rc.dyndns.update
                  */60 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot
                  30 12 * * * root /usr/bin/nice -n20 /etc/rc.update_urltables
                  1 0 * * * root /usr/bin/nice -n20 /etc/rc.update_pkg_metadata
                  0 0 * * * root /usr/local/sbin/squid -k rotate -f /usr/local/etc/squid/squid.conf
                  15 0 * * * root /usr/local/pkg/swapstate_check.php
                  16 3 * * * root /usr/local/pkg/acme/acme_command.sh "renewall" | /usr/bin/logger -t ACME 2>&1
                  0 */2 * * * root /usr/local/bin/perl /usr/local/www/lightsquid/lightparser.pl today
                  15 0 * * * root /usr/local/bin/perl /usr/local/www/lightsquid/lightparser.pl yesterday

                  Do you have maybe load balancer stuff setup to test for service? The monitors list a generic tcp that could be checking for ssh?

                  No, sorry.

                    shooters

                    Bingo!

                    The messages are generated by ntop-ng!
                    When disabled, no more messages. I'll search how to tune this behaviour.

                    Thank you for your help and the time you spent on me :)

                      gniting

                      @shooters running into the same problem. Were you able to hunt down a solution?
