Nessus appears to be killing our sshd daemon on a sarge box. Both machines have all the latest updates; the Nessus host is running testing.

It is a fair distance away and seems to perhaps time out and then DoS the host, which causes it to kill all incoming connections. Restarting sshd fixes the problem.

I'm attempting to isolate which plugin is the culprit. The problem is that we only recently realised our external host box had been classified as a bad host by the firewall because of too many connection attempts, so it has not been doing SSH attempts for a long time. This means it could be any one of a number of plugins.

Is anyone else experiencing anything similar, or can anyone make more sense of these logs?

Monitor Host:

[EMAIL PROTECTED]:~/NessusManager$ dpkg -l | grep nessus
ii  libnessus2      2.2.7-1  Nessus shared libraries
ii  nessus          2.2.5-4  Remote network security auditor, the client
ii  nessus-plugins  2.2.7-1  Nessus plugins
ii  nessusd         2.2.5-4  Remote network security auditor, the server

SSH after host has been scanned:

jheenan wormhole ~ [16:13:42] $ ssh -v -v home
OpenSSH_4.1p1 Debian-7ubuntu4.1, OpenSSL 0.9.7g 11 Apr 2005
debug1: Reading configuration data /home/jheenan/.ssh/config
debug1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to home [192.168.119.16] port 22.
debug1: Connection established.
debug1: identity file /home/jheenan/.ssh/identity type -1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /home/jheenan/.ssh/id_rsa type 1
debug1: identity file /home/jheenan/.ssh/id_dsa type -1
ssh_exchange_identification: Connection closed by remote host

Syslog on the host just as the scan starts hitting it:

Mar 31 06:53:05 localhost sshd[28902]: debug1: PAM: setting PAM_TTY to "/dev/pts/8"
Mar 31 06:53:05 localhost sshd[28903]: debug1: Setting controlling tty using TIOCSCTTY.
Mar 31 06:53:08 localhost sshd[28876]: debug1: Forked child 28906.
Mar 31 06:53:08 localhost sshd[28906]: Connection from ::ffff:207.210.65.87 port 44025
Mar 31 06:53:16 localhost sshd[28876]: debug1: Forked child 28907.
Mar 31 06:53:16 localhost sshd[28907]: Connection from ::ffff:207.210.65.87 port 44037
Mar 31 06:53:25 localhost sshd[28876]: debug1: Forked child 28908.
Mar 31 06:53:25 localhost sshd[28908]: Connection from ::ffff:207.210.65.87 port 44049
Mar 31 06:53:27 localhost sshd[28876]: debug1: Forked child 28909.
Mar 31 06:53:28 localhost sshd[28909]: Connection from ::ffff:207.210.65.87 port 54429
Mar 31 06:53:28 localhost sshd[28909]: debug1: Client protocol version 2.0; client software version check_ssh_1.27
Mar 31 06:53:28 localhost sshd[28909]: debug1: no match: check_ssh_1.27
Mar 31 06:53:28 localhost sshd[28909]: debug1: Enabling compatibility mode for protocol 2.0
Mar 31 06:53:28 localhost sshd[28909]: debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4
Mar 31 06:53:28 localhost sshd[28909]: debug1: do_cleanup
Mar 31 06:53:28 localhost sshd[28909]: debug1: PAM: cleanup
Mar 31 06:53:34 localhost sshd[28876]: debug1: Forked child 28911.
Mar 31 06:53:35 localhost sshd[28911]: Connection from ::ffff:207.210.65.87 port 44062
Mar 31 06:53:42 localhost sshd[28876]: debug1: Forked child 28912.
Mar 31 06:53:42 localhost sshd[28912]: Connection from ::ffff:207.210.65.87 port 54449
Mar 31 06:53:43 localhost sshd[28912]: debug1: Client protocol version 2.0; client software version check_ssh_1.27
Mar 31 06:53:43 localhost sshd[28912]: debug1: no match: check_ssh_1.27
Mar 31 06:53:43 localhost sshd[28912]: debug1: Enabling compatibility mode for protocol 2.0
Mar 31 06:53:43 localhost sshd[28912]: debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4
Mar 31 06:53:43 localhost sshd[28912]: debug1: do_cleanup
Mar 31 06:53:43 localhost sshd[28912]: debug1: PAM: cleanup
Mar 31 06:53:43 localhost sshd[28876]: debug1: Forked child 28914.
Mar 31 06:53:43 localhost sshd[28914]: Connection from ::ffff:207.210.65.87 port 44074
Mar 31 06:53:52 localhost sshd[28876]: debug1: drop connection #10
Mar 31 06:55:02 localhost sshd[27278]: debug1: server_input_channel_open: ctype direct-tcpip rchan 2 win 131072 max 32768
Mar 31 06:55:02 localhost sshd[27278]: debug1: server_request_direct_tcpip: originator 127.0.0.1 port 48870, target localhost port 4949
Mar 31 06:55:02 localhost sshd[27278]: debug1: channel 2: new [direct-tcpip]
Mar 31 06:55:02 localhost sshd[27278]: debug1: server_input_channel_open: confirm direct-tcpip
Mar 31 06:55:02 localhost sshd[27278]: debug1: channel 2: connected
Mar 31 06:55:03 localhost sshd[28876]: debug1: drop connection #10
Mar 31 06:55:08 localhost sshd[27278]: debug1: channel 2: free: direct-tcpip, nchannels 3
Mar 31 06:55:12 localhost sshd[28876]: debug1: drop connection #10
Mar 31 06:55:34 localhost sshd[28282]: fatal: Timeout before authentication for ::ffff:207.210.65.87
Mar 31 06:55:38 localhost sshd[28876]: debug1: drop connection #10

Thanks
--
Joel Heenan
_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
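
Added example (not part of the original post): a Python script that reads sshd debug output in the format quoted above and reports, per source address, connections that were accepted with no cleanup or timeout logged, together with the "drop connection" and "Timeout before authentication" events. sshd logs "drop connection #N" when it refuses a new connection because N unauthenticated connections are already open (the MaxStartups limit). The sample log, its PIDs and the 192.0.2.7 address are constructed.

```python
import re
from collections import Counter

# Constructed sample in the sshd debug format quoted in the post.
# PIDs and the 192.0.2.7 source address are made up for illustration.
SAMPLE = """\
Mar 31 06:53:08 localhost sshd[100]: debug1: Forked child 101.
Mar 31 06:53:08 localhost sshd[101]: Connection from ::ffff:192.0.2.7 port 44025
Mar 31 06:53:16 localhost sshd[100]: debug1: Forked child 102.
Mar 31 06:53:16 localhost sshd[102]: Connection from ::ffff:192.0.2.7 port 44037
Mar 31 06:53:27 localhost sshd[100]: debug1: Forked child 103.
Mar 31 06:53:28 localhost sshd[103]: Connection from ::ffff:192.0.2.7 port 54429
Mar 31 06:53:28 localhost sshd[103]: debug1: Client protocol version 2.0; client software version check_ssh_1.27
Mar 31 06:53:28 localhost sshd[103]: debug1: do_cleanup
Mar 31 06:53:52 localhost sshd[100]: debug1: drop connection #10
Mar 31 06:55:34 localhost sshd[101]: fatal: Timeout before authentication for ::ffff:192.0.2.7
Mar 31 06:55:38 localhost sshd[100]: debug1: drop connection #10
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]+) \S+ sshd\[(\d+)\]: (.*)$")
CONN = re.compile(r"Connection from (\S+) port \d+")
DROP = re.compile(r"drop connection #(\d+)")
TIMEOUT = re.compile(r"Timeout before authentication for (\S+)")

def analyze(log_text):
    """Summarise pre-authentication connection pressure in sshd debug logs."""
    source_of = {}        # child PID -> source address of its connection
    finished = set()      # child PIDs that logged cleanup or a fatal timeout
    drops = []            # (timestamp, N) for each "drop connection #N"
    timeouts = Counter()  # source address -> "Timeout before authentication" count
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp, pid, msg = m.groups()
        if (c := CONN.search(msg)):
            source_of[pid] = c.group(1)
        elif "do_cleanup" in msg:
            finished.add(pid)
        elif (t := TIMEOUT.search(msg)):
            finished.add(pid)
            timeouts[t.group(1)] += 1
        elif (d := DROP.search(msg)):
            drops.append((stamp, int(d.group(1))))
    # Connections accepted with no cleanup or timeout logged in this window.
    open_by_source = Counter(s for p, s in source_of.items() if p not in finished)
    return {"open": open_by_source, "drops": drops, "timeouts": timeouts}

if __name__ == "__main__":
    report = analyze(SAMPLE)
    for src, n in report["open"].most_common():
        print(f"{src}: {n} connection(s) with no close logged")
    print(f"{len(report['drops'])} refused, {sum(report['timeouts'].values())} timed out")
```

To use it on a real log, pass the file contents to analyze() in place of SAMPLE.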
