The /var/log/secure file was getting these error messages while I was trying to create a script that monitors user activity. I was thinking of using /var/log/secure to start the script whenever the file changes, as it logs all user logins and logouts, but the file was changing frequently because of this error message:
Apr 8 15:15:13 host185 sshd[14804]: Connection closed by UNKNOWN
Apr 8 15:15:13 host185 sshd[14804]: Connection closed by UNKNOWN
Then I did some research and found out that we can find who is initiating an SSH connection using the following command:
#lsof -i TCP:22 | grep LISTEN
sshd 3581 root 3u IPv6 11611 TCP *:ssh (LISTEN)
We see that the sshd PID is 3581, and we can then use the following command to get the IP address of the SSH connection initiator:
#strace -f -e getpeername -p 3581
In my case the "Connection closed by UNKNOWN" message is caused because some process on localhost is trying to check the status of ssh, causing the error.
Haven't done further research to stop it as it is not from external IP addresses.
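One way to summarise the output of the strace command above, as an added example that is not part of the original post: it tallies the peer address of each getpeername call and marks loopback addresses as local. The trace lines are constructed, their exact layout varies between strace versions, and the names sample_trace and peer_counts and the trace file path are assumptions.

```shell
#!/bin/sh
# Added example. Real use: save the trace with
#   strace -f -e getpeername -p 3581 -o /tmp/sshd.trace
# stop strace after a while, then run: peer_counts < /tmp/sshd.trace

# Constructed sample of getpeername lines as strace prints them.
sample_trace() {
cat <<'EOF'
[pid 14804] getpeername(3, {sa_family=AF_INET6, sin6_port=htons(40012), inet_pton(AF_INET6, "::ffff:127.0.0.1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0
[pid 14811] getpeername(3, {sa_family=AF_INET, sin_port=htons(51234), sin_addr=inet_addr("192.0.2.10")}, [16]) = 0
[pid 14820] getpeername(3, 0x7ffd3c1a2b40, [128]) = -1 ENOTCONN (Transport endpoint is not connected)
[pid 14825] getpeername(3, {sa_family=AF_INET6, sin6_port=htons(40020), inet_pton(AF_INET6, "::ffff:127.0.0.1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0
EOF
}

# peer_counts: read strace output on stdin and print one line per peer,
# "<count> <address> <local|remote>", most frequent first.
# Calls that returned an error are counted under the label FAILED.
peer_counts() {
    awk '
    /getpeername\(/ {
        if ($0 !~ /\) = 0$/) { n["FAILED"]++; next }
        # the peer address is the first double-quoted string on the line
        if (match($0, /"[^"]*"/)) {
            addr = substr($0, RSTART + 1, RLENGTH - 2)
            sub(/^::ffff:/, "", addr)   # unwrap IPv4-mapped IPv6
            n[addr]++
        }
    }
    END {
        for (a in n) {
            scope = "remote"
            if (a ~ /^127\./ || a == "::1") scope = "local"
            if (a == "FAILED") scope = "-"
            print n[a], a, scope
        }
    }
    ' | sort -k1,1nr
}

# Stand-alone run over the constructed sample.
sample_trace | peer_counts
```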
It's probably caused by Nagios checking on your localhost ssh.
It seems to be a known bug...