huquad Posted October 23, 2023

I'm seeing SSHD errors in my syslog every ~15 minutes as shown below. I'm especially concerned because these are coming from my pfSense box and I'd hate to think it has malware on it. What can I do to troubleshoot this and/or determine if it's malware or not? For reference, I do run a fair bit of extra network utilities, such as pfblocker, ntopng, darkstat, etc. Thank you for the help.

One example from syslog. Exact IPs replaced.

Sep 28 06:00:33 MyHostName sshd[11403]: Connection from 192.168.1.1 port 60505 on 192.168.1.2 port 22 rdomain ""
Sep 28 06:00:33 MyHostName sshd[11403]: error: kex_exchange_identification: Connection closed by remote host
Sep 28 06:00:33 MyHostName sshd[11403]: Connection closed by 192.168.1.1 port 60505
Sep 28 06:00:33 MyHostName sshd[11404]: Connection from 192.168.1.1 port 59414 on 192.168.1.2 port 22 rdomain ""
Sep 28 06:00:33 MyHostName sshd[11404]: error: kex_exchange_identification: Connection closed by remote host
Sep 28 06:00:33 MyHostName sshd[11404]: Connection closed by 192.168.1.1 port 59414

huquad Posted October 23, 2023

After some research, I stumbled upon this post: (https://serverfault.com/questions/1015547/what-causes-ssh-error-kex-exchange-identification-connection-closed-by-remote). The poster appears to have the same problem as I do, and one of the responders mentions ntopng network discovery (which I had turned on) caused this for them. Unless anyone else has feedback for me, I'm going to assume this is what the issue was.
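
Added example, not part of the original posts: a small Python check that pairs each `kex_exchange_identification` error with its source address and measures how regularly the bursts recur, since a steady interval from a single known internal host is what a scheduled scanner like the ntopng discovery mentioned above would produce. The sample log is constructed in the format quoted in the thread; the function name, the `year` parameter (syslog lines carry no year) and the 60-second `burst_gap` are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in the syslog format quoted in the thread (addresses are placeholders).
SAMPLE = """\
Sep 28 06:00:33 MyHostName sshd[11403]: Connection from 192.168.1.1 port 60505 on 192.168.1.2 port 22 rdomain ""
Sep 28 06:00:33 MyHostName sshd[11403]: error: kex_exchange_identification: Connection closed by remote host
Sep 28 06:00:33 MyHostName sshd[11404]: Connection from 192.168.1.1 port 59414 on 192.168.1.2 port 22 rdomain ""
Sep 28 06:00:33 MyHostName sshd[11404]: error: kex_exchange_identification: Connection closed by remote host
Sep 28 06:07:10 MyHostName sshd[11650]: Connection from 192.168.1.50 port 51022 on 192.168.1.2 port 22 rdomain ""
Sep 28 06:07:11 MyHostName sshd[11650]: Accepted publickey for admin from 192.168.1.50 port 51022 ssh2
Sep 28 06:15:34 MyHostName sshd[11871]: Connection from 192.168.1.1 port 61230 on 192.168.1.2 port 22 rdomain ""
Sep 28 06:15:34 MyHostName sshd[11871]: error: kex_exchange_identification: Connection closed by remote host
Sep 28 06:30:33 MyHostName sshd[12302]: Connection from 192.168.1.1 port 58811 on 192.168.1.2 port 22 rdomain ""
Sep 28 06:30:33 MyHostName sshd[12302]: error: kex_exchange_identification: Connection closed by remote host
"""

CONN = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[(\d+)\]: Connection from (\S+) port \d+ on ")
KEX = re.compile(r"sshd\[(\d+)\]: error: kex_exchange_identification: Connection closed by remote host")

def summarize_probes(log_text, year=2023, burst_gap=60):
    """Per source IP: count connections dropped before the SSH banner and time the bursts."""
    by_pid, probes = {}, defaultdict(list)
    for line in log_text.splitlines():
        if m := CONN.match(line):
            # The error line carries no peer address, so remember it by sshd child PID.
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            by_pid[m.group(2)] = (m.group(3), ts)
        elif (m := KEX.search(line)) and m.group(1) in by_pid:
            src, ts = by_pid.pop(m.group(1))
            probes[src].append(ts)
    report = {}
    for src, stamps in probes.items():
        stamps.sort()
        # Probes no more than burst_gap seconds apart count as one burst.
        bursts = [stamps[0]] + [b for a, b in zip(stamps, stamps[1:])
                                if (b - a).total_seconds() > burst_gap]
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(bursts, bursts[1:])]
        report[src] = {"probes": len(stamps), "bursts": len(bursts),
                       "median_gap_min": round(median(gaps), 1) if gaps else None}
    return report

if __name__ == "__main__":
    for src, stats in summarize_probes(SAMPLE).items():
        print(src, stats)
```

If the reported source is the host running the discovery tool, disabling that feature and re-running the check over the next hour of logs shows whether the bursts stop.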