Context: newly installed Debian 12, I get a bunch of strange logs related to ssh:
root@square:~# journalctl -u ssh -f
May 07 11:13:00 yop-square sshd[766]: error: kex_exchange_identification: Connection closed by remote host
May 07 11:13:00 yop-square sshd[766]: Connection closed by 10.91.66.91 port 53714
May 07 11:13:00 yop-square sshd[767]: error: kex_exchange_identification: Connection closed by remote host
May 07 11:13:00 yop-square sshd[767]: Connection closed by 10.106.14.62 port 54236
May 07 11:13:00 yop-square sshd[768]: error: kex_exchange_identification: Connection closed by remote host
May 07 11:13:00 yop-square sshd[768]: Connection closed by 10.35.165.19 port 60748
May 07 11:13:06 yop-square sshd[771]: error: kex_exchange_identification: Connection closed by remote host
May 07 11:13:06 yop-square sshd[771]: Connection closed by 10.35.165.49 port 42286
May 07 11:13:06 yop-square sshd[772]: error: kex_exchange_identification: Connection closed by remote host
May 07 11:13:06 yop-square sshd[772]: Connection closed by 10.80.98.247 port 47780
This could be appliances doing scans (part of a corporate network) but the behaviour/log is strange. I took a tcpdump and below is one of the exchanges leading to the logs above:
No. Time Source Destination Protocol Length Info
1380 122.725892 10.81.98.206 10.237.76.90 TCP 74 60422 → 22 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM TSval=4018386585 TSecr=0 WS=128
1381 122.725908 10.237.76.90 10.81.98.206 TCP 74 22 → 60422 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM TSval=660439285 TSecr=4018386585 WS=128
1382 122.726397 10.81.98.206 10.237.76.90 TCP 66 60422 → 22 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=4018386586 TSecr=660439285
1383 122.726505 10.81.98.206 10.237.76.90 TCP 66 60422 → 22 [FIN, ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=4018386586 TSecr=660439285
1384 122.730066 10.237.76.90 10.81.98.206 TCP 66 22 → 60422 [ACK] Seq=1 Ack=2 Win=65280 Len=0 TSval=660439290 TSecr=4018386586
1385 122.738228 10.237.76.90 10.81.98.206 SSH 106 Server: Protocol (SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2)
1386 122.738603 10.237.76.90 10.81.98.206 TCP 66 22 → 60422 [FIN, ACK] Seq=41 Ack=2 Win=65280 Len=0 TSval=660439298 TSecr=4018386586
1387 122.738792 10.81.98.206 10.237.76.90 TCP 60 60422 → 22 [RST] Seq=2 Win=0 Len=0
1388 122.739140 10.81.98.206 10.237.76.90 TCP 60 60422 → 22 [RST] Seq=2 Win=0 Len=0
In this scenario 10.237.76.90 is me (my Debian box) and 10.81.98.206 is them. Please note that all the activity is authorized and whatnot - the point of my question is to understand the exchange and find out who is misbehaving (or, alternatively, that everything is fine and the exchange/logs are what they are supposed to be).
1380 to 1382 → they initiate an SSH call and go through the handshake
1383 → they send a FIN,ACK, why? If they wanted to end the conversation, they should have sent a FIN and waited for a FIN,ACK, right?
1384 → I send an ACK, not sure why.
Anyway, things seem to go south from there
1385 → my ssh presents its protocol, no idea why since the connection is terminated
1386 → I send a FIN,ACK, out of the blue
1387 and 1388 → they send two RSTs, probably to tell me to get lost
I am still not sure who is making a mess in the connection but I sure would like to know, because it is either an issue with my sshd (which I seriously doubt) or the corporate scanning, and so I will send a howler.
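Added example, not part of the question: a short Python script that reads the packet list above and works out who sent the first FIN, how many payload bytes the client sent before closing, and who sent the RSTs. The packet rows are the ones from the question with TCP options trimmed; the function names and verdict wording are my own.

```python
import re
# Packet list quoted in the question, trimmed of TCP options to keep lines short.
# Server (sshd, "me"): 10.237.76.90; client ("them"): 10.81.98.206.
CAPTURE = """\
1380 122.725892 10.81.98.206 10.237.76.90 TCP 74 60422 → 22 [SYN] Seq=0 Win=29200 Len=0
1381 122.725908 10.237.76.90 10.81.98.206 TCP 74 22 → 60422 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0
1382 122.726397 10.81.98.206 10.237.76.90 TCP 66 60422 → 22 [ACK] Seq=1 Ack=1 Win=29312 Len=0
1383 122.726505 10.81.98.206 10.237.76.90 TCP 66 60422 → 22 [FIN, ACK] Seq=1 Ack=1 Win=29312 Len=0
1384 122.730066 10.237.76.90 10.81.98.206 TCP 66 22 → 60422 [ACK] Seq=1 Ack=2 Win=65280 Len=0
1385 122.738228 10.237.76.90 10.81.98.206 SSH 106 Server: Protocol (SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2)
1386 122.738603 10.237.76.90 10.81.98.206 TCP 66 22 → 60422 [FIN, ACK] Seq=41 Ack=2 Win=65280 Len=0
1387 122.738792 10.81.98.206 10.237.76.90 TCP 60 60422 → 22 [RST] Seq=2 Win=0 Len=0
1388 122.739140 10.81.98.206 10.237.76.90 TCP 60 60422 → 22 [RST] Seq=2 Win=0 Len=0
"""
FLAGS_RE = re.compile(r"\[([^\]]+)\]")   # "[FIN, ACK]" -> FIN, ACK
SEQ_RE = re.compile(r"\bSeq=(\d+)")      # Wireshark shows relative sequence numbers

def parse_rows(text):
    """Turn Wireshark summary lines into (src, dst, proto, flags, rel_seq) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split(maxsplit=6)  # No Time Src Dst Proto Len Info
        if len(parts) < 7:
            continue
        _no, _time, src, dst, proto, _length, info = parts
        m = FLAGS_RE.search(info)
        flags = frozenset(f.strip() for f in m.group(1).split(",")) if m else frozenset()
        s = SEQ_RE.search(info)
        rows.append((src, dst, proto, flags, int(s.group(1)) if s else None))
    return rows

def analyze_flow(rows, client, server):
    """Who closed first, and did the client send any SSH bytes before doing so?"""
    fins = [src for src, _, _, flags, _ in rows if "FIN" in flags]
    first_fin_by = fins[0] if fins else None
    # Relative Seq on the client's FIN is 1 + payload bytes sent since the handshake,
    # so Seq=1 means the client never sent its own SSH-2.0 identification string.
    client_fin_seq = next((seq for src, _, _, flags, seq in rows
                           if src == client and "FIN" in flags), None)
    client_payload = None if client_fin_seq is None else client_fin_seq - 1
    banner_sent = any(src == server and proto == "SSH" for src, _, proto, _, _ in rows)
    rst_from = [src for src, _, _, flags, _ in rows if "RST" in flags]
    if first_fin_by == client and client_payload == 0:
        verdict = "client closed right after the handshake without sending an SSH banner"
    elif first_fin_by == server:
        verdict = "server closed first"
    else:
        verdict = "client closed after sending data"
    return {"first_fin_by": first_fin_by, "client_payload_bytes": client_payload,
            "server_banner_sent": banner_sent, "rst_from": rst_from, "verdict": verdict}
```

For this capture it reports that the client sent the first FIN with zero payload bytes, which is exactly the situation in which sshd logs `kex_exchange_identification: Connection closed by remote host` (the peer went away before sending its identification string). The two RSTs are the client's already-closed socket rejecting the banner and the FIN that the server sent afterwards.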