SSHD : too many "Did not receive identification string from 192.168.1.1 port xxxxx" messages

shooters

Hi,

I'm using 2.4.4-RELEASE-p3 (arm64) on a SG-1100 . The system log is full of "Did not receive identification string from 192.168.1.1 port xxxxx" messages generated by SSHD.

I've got this message twice every 15 mins, and everytime on a different port number.

192.168.1.1 is my PfSense LAN interface.

If I disable SSH, no more message are logged as expected.

Any idea?

Many thanks :)

johnpoz

And what device is 192.168.1.1 on your network?

That port is going to be the source port... Here for example just hit pfsense from one of my linux boxes via just telnet to 22 so yeah its going to be wrong

Jul 14 08:27:26 	sshd 	13867 	Bad protocol version identification '\377\364\377\375\006' from 192.168.2.11 port 35776 

shooters

192.168.1.1 is my PfSense LAN interface.

johnpoz

So your saying pfsense is trying to ssh to itself?

Do you have any sort of port forwards setup for ssh? (22) are you running ssh on some other port other than 22?

shooters

Yes...it seems to be the case..

No NAT or port forwarding set for SSH , and port 22 is the only port used for this service.

Please note the 2 log messages when i activate SSH. Don't know if 0.0.0.0 is nominal.

Jul 14 16:15:14 sshd 95481 Did not receive identification string from 192.168.1.1 port 53464
Jul 14 16:15:13 sshd 95320 Did not receive identification string from 192.168.1.1 port 53462
Jul 14 16:00:16 sshd 4591 Did not receive identification string from 192.168.1.1 port 7581
Jul 14 16:00:15 sshd 4036 Did not receive identification string from 192.168.1.1 port 7579
Jul 14 15:48:27 sshd 4672 Server listening on 0.0.0.0 port 22.
Jul 14 15:48:27 sshd 4672 Server listening on :: port 22.

johnpoz

I can not think of anything being part of pfsense that would do such a thing.. Do you have an packages installed, any sort of 3rd party packages? Any sort of monitoring software or anything running on pfsense as agent.

You sure you don't have something else on your network running that could have that IP?

Check your cronjobs.. You can either install the cron package or view them from console with a cat of /etc/crontab

Do you have maybe load balancer stuff setup to test for service? The monitors list a generic tcp that could be checking for ssh?

shooters

@johnpoz said in SSHD : too many "Did not receive identification string from 192.168.1.1 port xxxxx" messages:

I can not think of anything being part of pfsense that would do such a thing.. Do you have an packages installed, any sort of 3rd party packages? Any sort of monitoring software or anything running on pfsense as agent.

Yes I have : acme,aws-wizard,iftop,ipsec-profile-wizard,Lightsquid,nmap, ntopng,openvpn-client-export, squid and zabbix-agent4
I think i'm going to disable them one by one until the log messages disappear.

You sure you don't have something else on your network running that could have that IP?

No, sorry.

Check your cronjobs.. You can either install the cron package or view them from console with a cat of /etc/crontab

**/etc/crontab - root's crontab for FreeBSD
1,31 0-5 * * * root /usr/bin/nice -n20 adjkerntz -a
1 3 1 * * root /usr/bin/nice -n20 /etc/rc.update_bogons.sh
1 1 * * * root /usr/bin/nice -n20 /etc/rc.dyndns.update
/60 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot
30 12 * * * root /usr/bin/nice -n20 /etc/rc.update_urltables
1 0 * * * root /usr/bin/nice -n20 /etc/rc.update_pkg_metadata
0 0 * * * root /usr/local/sbin/squid -k rotate -f /usr/local/etc/squid/squid.conf
15 0 * * * root /usr/local/pkg/swapstate_check.php
16 3 * * * root /usr/local/pkg/acme/acme_command.sh "renewall" | /usr/bin/logger -t ACME 2>&1
0 /2 * * * root /usr/local/bin/perl /usr/local/www/lightsquid/lightparser.pl today
15 0 * * * root /usr/local/bin/perl /usr/local/www/lightsquid/lightparser.pl yesterday

Do you have maybe load balancer stuff setup to test for service? The monitors list a generic tcp that could be checking for ssh?

No, sorry.

shooters

Bingo!

The messages are generated by ntop-ng !
When disabled, no more messages. I'll search how to tune this behaviour.

Thank you for your help and the time you spend for me:)

ibbetsion

@shooters running into the same problem. Were you able to hunt down a solution?