SSHD : too many "Did not receive identification string from 192.168.1.1 port xxxxx" messages



  • Hi,

    I'm using 2.4.4-RELEASE-p3 (arm64) on a SG-1100 . The system log is full of "Did not receive identification string from 192.168.1.1 port xxxxx" messages generated by SSHD.

    I've got this message twice every 15 mins, and every time on a different port number.

    192.168.1.1 is my PfSense LAN interface.

    If I disable SSH, no more messages are logged, as expected.

    Any idea?

    Many thanks :)


  • LAYER 8 Global Moderator

    And what device is 192.168.1.1 on your network?

    That port is going to be the source port... Here for example I just hit pfsense from one of my linux boxes via just a telnet to 22, so yeah it's going to be wrong

    Jul 14 08:27:26 sshd 13867 Bad protocol version identification '\377\364\377\375\006' from 192.168.2.11 port 35776


  • 192.168.1.1 is my PfSense LAN interface.


  • LAYER 8 Global Moderator

    So you're saying pfsense is trying to ssh to itself?

    Do you have any sort of port forwards set up for ssh (22)? Are you running ssh on some port other than 22?



  • Yes...it seems to be the case..

    No NAT or port forwarding set for SSH, and port 22 is the only port used for this service.

    Please note the 2 log messages when I activate SSH. Don't know if 0.0.0.0 is nominal.

    Jul 14 16:15:14 sshd 95481 Did not receive identification string from 192.168.1.1 port 53464
    Jul 14 16:15:13 sshd 95320 Did not receive identification string from 192.168.1.1 port 53462
    Jul 14 16:00:16 sshd 4591 Did not receive identification string from 192.168.1.1 port 7581
    Jul 14 16:00:15 sshd 4036 Did not receive identification string from 192.168.1.1 port 7579
    Jul 14 15:48:27 sshd 4672 Server listening on 0.0.0.0 port 22.
    Jul 14 15:48:27 sshd 4672 Server listening on :: port 22.
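The log lines above carry the two features that later resolve the thread: the connections come from the firewall's own LAN address, and they arrive as a pair roughly every 15 minutes, which is the signature of a local monitoring package opening and closing TCP port 22 without speaking SSH. The script below is an added example, not code from the thread or from pfSense, that parses sshd lines in the layout shown above and derives those features per source address. The sample log (SAMPLE_LOG), the helper names (parse_sshd_events, summarize_by_source, classify) and the 5-second burst window are all constructed for this example; the only real format it relies on is the "Did not receive identification string" / "Bad protocol version identification" message text sshd writes.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout pfSense's system log uses ("Mon DD HH:MM:SS sshd PID message"):
# the four probe lines and two "Server listening" lines from the thread, plus one
# "Bad protocol version identification" line of the kind produced by a manual telnet to port 22.
SAMPLE_LOG = """\
Jul 14 16:15:14 sshd 95481 Did not receive identification string from 192.168.1.1 port 53464
Jul 14 16:15:13 sshd 95320 Did not receive identification string from 192.168.1.1 port 53462
Jul 14 16:00:16 sshd 4591 Did not receive identification string from 192.168.1.1 port 7581
Jul 14 16:00:15 sshd 4036 Did not receive identification string from 192.168.1.1 port 7579
Jul 14 15:48:27 sshd 4672 Server listening on 0.0.0.0 port 22.
Jul 14 15:48:27 sshd 4672 Server listening on :: port 22.
Jul 14 08:27:26 sshd 13867 Bad protocol version identification '\\377\\364\\377\\375\\006' from 192.168.2.11 port 35776
"""

# One regex for both pre-authentication events sshd logs when a client never completes
# the banner exchange; everything else (e.g. "Server listening") is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) sshd \d+ "
    r"(?P<kind>Did not receive identification string|Bad protocol version identification)"
    r"(?: '[^']*')? from (?P<ip>[0-9A-Fa-f.:]+) port (?P<port>\d+)"
)


def parse_sshd_events(text):
    """Return the banner-phase connection events in chronological order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            # syslog timestamps carry no year; interval arithmetic only needs the order
            "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
            "kind": "no_banner" if m.group("kind").startswith("Did not") else "bad_banner",
            "ip": m.group("ip"),
            "port": int(m.group("port")),
        })
    return sorted(events, key=lambda e: e["ts"])


def summarize_by_source(events, local_addrs=(), burst_window_s=5):
    """Per source IP: counts, burst structure and (if regular) the probe period in minutes."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    summary = {}
    for ip, evs in by_ip.items():
        # Connections arriving within burst_window_s of each other count as one burst,
        # which is how "twice every 15 mins" shows up: two connections, one second apart.
        bursts = []
        for e in evs:
            if bursts and (e["ts"] - bursts[-1][-1]).total_seconds() <= burst_window_s:
                bursts[-1].append(e["ts"])
            else:
                bursts.append([e["ts"]])
        gaps_min = [(b[0] - a[0]).total_seconds() / 60 for a, b in zip(bursts, bursts[1:])]
        # "Regular" means every gap between bursts is within a minute of every other gap
        regular = bool(gaps_min) and max(gaps_min) - min(gaps_min) < 1.0
        summary[ip] = {
            "connections": len(evs),
            "no_banner": sum(1 for e in evs if e["kind"] == "no_banner"),
            "bad_banner": sum(1 for e in evs if e["kind"] == "bad_banner"),
            "bursts": len(bursts),
            "period_minutes": round(sum(gaps_min) / len(gaps_min)) if regular else None,
            "from_local_address": ip in local_addrs,
            "distinct_source_ports": len({e["port"] for e in evs}),
        }
    return summary


def classify(entry):
    """Turn the per-source features into the question a defender should ask next."""
    if entry["from_local_address"] and entry["period_minutes"] is not None and entry["bad_banner"] == 0:
        return "periodic no-banner probe from the firewall itself: check locally installed monitoring packages"
    if entry["bad_banner"]:
        return "client sent non-SSH bytes: manual telnet/banner grab or scanner, not an SSH client"
    return "isolated no-banner connection: transient client or scan"


if __name__ == "__main__":
    summary = summarize_by_source(parse_sshd_events(SAMPLE_LOG), local_addrs=("192.168.1.1",))
    for ip, entry in summary.items():
        print(ip, entry, "->", classify(entry))
```

Run against the sample, 192.168.1.1 comes out as two bursts of two no-banner connections with a 15-minute period from a local address, i.e. the "look at your own packages" case, while the telnet line from 192.168.2.11 is classified as a client that sent non-SSH bytes. On a real box, feed it the sshd portion of the system log and pass the firewall's own interface addresses as local_addrs.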


  • LAYER 8 Global Moderator

    I can not think of anything being part of pfsense that would do such a thing.. Do you have any packages installed, any sort of 3rd party packages? Any sort of monitoring software or anything running on pfsense as an agent.

    You sure you don't have something else on your network running that could have that IP?

    Check your cronjobs.. You can either install the cron package or view them from console with a cat of /etc/crontab

    Do you have maybe load balancer stuff setup to test for service? The monitors list a generic tcp that could be checking for ssh?



  • @johnpoz said in SSHD : too many "Did not receive identification string from 192.168.1.1 port xxxxx" messages:

    I can not think of anything being part of pfsense that would do such a thing.. Do you have any packages installed, any sort of 3rd party packages? Any sort of monitoring software or anything running on pfsense as an agent.

    Yes I have: acme, aws-wizard, iftop, ipsec-profile-wizard, Lightsquid, nmap, ntopng, openvpn-client-export, squid and zabbix-agent4.
    I think I'm going to disable them one by one until the log messages disappear.

    You sure you don't have something else on your network running that could have that IP?

    No, sorry.

    Check your cronjobs.. You can either install the cron package or view them from console with a cat of /etc/crontab

    # /etc/crontab - root's crontab for FreeBSD
    1,31 0-5 * * * root /usr/bin/nice -n20 adjkerntz -a
    1 3 1 * * root /usr/bin/nice -n20 /etc/rc.update_bogons.sh
    1 1 * * * root /usr/bin/nice -n20 /etc/rc.dyndns.update
    */60 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot
    30 12 * * * root /usr/bin/nice -n20 /etc/rc.update_urltables
    1 0 * * * root /usr/bin/nice -n20 /etc/rc.update_pkg_metadata
    0 0 * * * root /usr/local/sbin/squid -k rotate -f /usr/local/etc/squid/squid.conf
    15 0 * * * root /usr/local/pkg/swapstate_check.php
    16 3 * * * root /usr/local/pkg/acme/acme_command.sh "renewall" | /usr/bin/logger -t ACME 2>&1
    0 */2 * * * root /usr/local/bin/perl /usr/local/www/lightsquid/lightparser.pl today
    15 0 * * * root /usr/local/bin/perl /usr/local/www/lightsquid/lightparser.pl yesterday

    Do you have maybe load balancer stuff setup to test for service? The monitors list a generic tcp that could be checking for ssh?

    No, sorry.



  • Bingo!

    The messages are generated by ntop-ng!
    When disabled, no more messages. I'll search how to tune this behaviour.

    Thank you for your help and the time you spent on me :)

