Security Incidents mailing list archives

Re: sshd brake-in attempts


From: Markus Friedl <markus () openbsd org>
Date: Thu, 20 Dec 2001 17:21:49 +0100

On Thu, Dec 20, 2001 at 11:18:31AM +0000, Emil Popov wrote:
> sshd[10858]: Connection from 211.218.166.200 port 2273
> sshd[10858]: Did not receive ident string from 211.218.166.200.
> sshd[12075]: Connection from 211.99.196.117 port 2520
> sshd[12075]: Did not receive ident string from 211.99.196.117.
> sshd[14033]: Connection from 212.46.97.60 port 4309
> sshd[14033]: Did not receive ident string from 212.46.97.60.

this is just a scan. try
        telnet localhost 22
        ^]

> And, there is no "Enabling compatibility mode for version 2" message
> which is generated whenever I log in, so those clients seem to be trying
> to login with protocol ver. 1.

No, these clients don't try any protocol version since they don't
send out what protocol they want to try, thus the
        Did not receive ident string
message.

ssh works like this:
        server -> client:       "SSH-protocol-software_version"
        client -> server:       "SSH-protocol-software_version"
        server <-> client:      binary packet based protocol

In your case the client just closes the connection.

> There is one more strange thing, that I started seeing roughly when
> the sshd fuss came out:
> sshd[25774]: Received disconnect: 11: All open channels closed
> Would someone explain what exactly this message means?

This is just a message from the client. Nothing special.

-m
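
The pairing described in the message above, as an added example that is not part of the original post: a Python pass over sshd log lines that groups entries by sshd PID and counts, per source address, the connections that closed before sending an identification string. The `classify` function and the 192.0.2.10 connection line are constructed for illustration.

```python
import re
from collections import Counter

# The first six lines are the log lines quoted in the message. The
# "Connection from 192.0.2.10" line is constructed so that the quoted
# "Received disconnect" line has a connection to belong to.
SAMPLE_LOG = """\
sshd[10858]: Connection from 211.218.166.200 port 2273
sshd[10858]: Did not receive ident string from 211.218.166.200.
sshd[12075]: Connection from 211.99.196.117 port 2520
sshd[12075]: Did not receive ident string from 211.99.196.117.
sshd[14033]: Connection from 212.46.97.60 port 4309
sshd[14033]: Did not receive ident string from 212.46.97.60.
sshd[25774]: Connection from 192.0.2.10 port 40000
sshd[25774]: Received disconnect: 11: All open channels closed
"""

LINE = re.compile(r"sshd\[(\d+)\]: (.*)")
CONN = re.compile(r"Connection from (\S+) port (\d+)")
NO_IDENT = re.compile(r"Did not receive ident string from (\S+?)\.?$")

def classify(log_text):
    """Return (no_ident, spoke): per-source Counters of connections."""
    records = []   # one [ip, status] per accepted connection
    by_pid = {}    # pid -> its current record (PIDs are reused over time)
    for raw in log_text.splitlines():
        m = LINE.search(raw)   # search() tolerates a syslog timestamp prefix
        if not m:
            continue
        pid, msg = m.group(1), m.group(2).strip()
        c = CONN.match(msg)
        if c:
            rec = [c.group(1), "silent"]
            records.append(rec)
            by_pid[pid] = rec
            continue
        rec = by_pid.get(pid)
        if rec is None:
            continue           # message for a connection we never saw open
        n = NO_IDENT.match(msg)
        if n and n.group(1) == rec[0]:
            rec[1] = "no_ident"    # closed before the version exchange
        elif rec[1] == "silent":
            rec[1] = "spoke"       # logged something else: got further
    no_ident = Counter(ip for ip, s in records if s == "no_ident")
    spoke = Counter(ip for ip, s in records if s == "spoke")
    return no_ident, spoke

if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```

Connections with no further log line stay in neither counter, so a truncated log does not inflate the scan count.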
