Hi:

I have an OpenBSD 3.8 host.

My authlog is filling up with strange messages:

> Aug  9 17:30:27 fw1 sshd[7006]: Connection closed by XX.XX.XX.XX
> Aug  9 17:31:31 fw1 sshd[21487]: Connection closed by XX.XX.XX.XX
> Aug  9 17:32:35 fw1 sshd[339]: Connection closed by XX.XX.XX.XX
> Aug  9 17:33:39 fw1 sshd[1993]: Connection closed by XX.XX.XX.XX
> Aug  9 17:34:39 fw1 sshd[1933]: Connection closed by XX.XX.XX.XX
> Aug  9 17:35:39 fw1 sshd[6756]: Connection closed by XX.XX.XX.XX
> Aug  9 17:36:41 fw1 sshd[26173]: Connection closed by XX.XX.XX.XX
> Aug  9 17:37:48 fw1 sshd[10252]: Connection closed by XX.XX.XX.XX
> Aug  9 17:38:53 fw1 sshd[25829]: Connection closed by XX.XX.XX.XX
> Aug  9 17:39:57 fw1 sshd[3588]: Connection closed by XX.XX.XX.XX
> Aug  9 17:41:02 fw1 sshd[1862]: Connection closed by XX.XX.XX.XX
> Aug  9 17:42:03 fw1 sshd[567]: Connection closed by XX.XX.XX.XX
> Aug  9 17:43:04 fw1 sshd[15959]: Connection closed by XX.XX.XX.XX
> Aug  9 17:44:05 fw1 sshd[24466]: Connection closed by XX.XX.XX.XX
> Aug  9 17:45:06 fw1 sshd[3522]: Connection closed by XX.XX.XX.XX
> Aug  9 17:46:10 fw1 sshd[10462]: Connection closed by XX.XX.XX.XX
> Aug  9 17:47:18 fw1 sshd[21288]: Connection closed by XX.XX.XX.XX
> Aug  9 17:48:24 fw1 sshd[21350]: Connection closed by XX.XX.XX.XX

The device at XX.XX.XX.XX is running an older OpenBSD. I can't be sure
which version, because it's a stripped-down install and I don't have
uname. (It's running off of a memory filesystem loaded from a compact
flash disk, so installing it is not currently an option -- if anybody
has another suggestion for checking the version of the install, make
yourself heard.)

This error message appears at approximately one-minute intervals in
authlog on 'fw1', irrespective of whether I am logged into 'fw1' or not.

I should note that this message comes a few days after various devices
with public addresses were flooded with apparently scripted sshd hack
attempts from a variety of addresses. I don't know if it's connected; it
might be a red herring. Part of the reason I noticed these "Connection
closed" messages was because I was cleaning up overflowing logs in the
aftermath, so it might well have been happening before.

Any ideas what this might be?

-Stephen-
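
The roughly one-minute spacing described in the post can be measured instead of eyeballed: near-constant gaps from one peer are characteristic of something running on a timer. The following is an added example, not part of the original post; it groups "Connection closed by" lines by peer and reports peers whose gaps are nearly constant. The sample log, the addresses, the year and the 10% jitter threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample in the quoted authlog format; documentation addresses.
SAMPLE = """\
Aug  9 17:30:27 fw1 sshd[7006]: Connection closed by 192.0.2.10
Aug  9 17:31:31 fw1 sshd[21487]: Connection closed by 192.0.2.10
Aug  9 17:32:35 fw1 sshd[339]: Connection closed by 192.0.2.10
Aug  9 17:33:39 fw1 sshd[1993]: Connection closed by 192.0.2.10
Aug  9 17:34:39 fw1 sshd[1933]: Connection closed by 192.0.2.10
Aug  9 17:35:02 fw1 sshd[4410]: Connection closed by 198.51.100.7
Aug  9 17:35:03 fw1 sshd[4411]: Connection closed by 198.51.100.7
Aug  9 17:36:58 fw1 sshd[4502]: Connection closed by 198.51.100.7
Aug  9 17:37:01 fw1 sshd[4519]: Connection closed by 198.51.100.7
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
                  r"Connection closed by (\S+)")

def closes_by_peer(text, year=2000):
    """Map each peer to the sorted times its connections were closed."""
    seen = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            # syslog timestamps carry no year; `year` is an assumed value.
            stamp = f"{year} " + " ".join(m.group(1).split())
            seen[m.group(2)].append(datetime.strptime(stamp, "%Y %b %d %H:%M:%S"))
    return {peer: sorted(times) for peer, times in seen.items()}

def gap_stats(times, min_gaps=3):
    """Return (mean, stddev) of seconds between events, or None if too few."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return (mean(gaps), pstdev(gaps)) if len(gaps) >= min_gaps else None

def periodic_peers(text, max_jitter=0.1):
    """Peers whose gap stddev is at most max_jitter of the mean gap."""
    found = {}
    for peer, times in closes_by_peer(text).items():
        stats = gap_stats(times)
        if stats and stats[0] > 0 and stats[1] <= max_jitter * stats[0]:
            found[peer] = (round(stats[0], 1), round(stats[1], 1))
    return found

if __name__ == "__main__":
    for peer, (avg, dev) in periodic_peers(SAMPLE).items():
        print(f"{peer}: every ~{avg}s (stddev {dev}s)")
```

To run it against a real log, pass the file's contents to `periodic_peers()` in place of `SAMPLE`.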
