Friday, 8 April 2011

sshd: Connection closed by UNKNOWN

I was writing a script to monitor user activity, and my plan was to trigger it whenever /var/log/secure changed, since that file logs all user logins and logouts. The problem was that the file was changing far more often than users were logging in, because it kept filling up with this error message:

Apr  8 15:15:13 host185 sshd[14804]: Connection closed by UNKNOWN

Then I did some research and found out that we can identify who is initiating an ssh connection using the following command:

#lsof -i TCP:22 | grep LISTEN
sshd     3581   root    3u  IPv6  11611       TCP *:ssh (LISTEN)

and then we see that the sshd pid is 3581, so we can use the following command to get the IP address of whoever initiates an ssh connection (strace follows the forked child and prints the peer address it looks up):

#strace -f -e getpeername -p 3581

and in my case the "Connection closed by UNKNOWN" is caused by some process on localhost that connects to check the status of ssh and closes the connection again, which sshd logs as this error.

Haven't done further research to stop it as it is not from external IP addresses.
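The monitoring script in the post was tripping on these noise lines. As an added example (not code from the original post), the shell snippet below separates real authentication and session events in a /var/log/secure-style file from the "Connection closed by UNKNOWN" lines, so a watcher can react to logins and logouts only while still counting how many probe connections hit sshd. The log lines are constructed for this example; the hostname, pids and addresses are made up.

```shell
#!/bin/sh
# Added example: filter real login/logout events out of a /var/log/secure-style
# file and count the "Connection closed by UNKNOWN" noise separately.
# The sample lines below are constructed; they are not from a real host.

SAMPLE_LOG="${TMPDIR:-/tmp}/secure.sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT

cat > "$SAMPLE_LOG" <<'EOF'
Apr  8 15:15:13 host185 sshd[14804]: Connection closed by UNKNOWN
Apr  8 15:16:02 host185 sshd[14810]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
Apr  8 15:16:02 host185 sshd[14810]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Apr  8 15:17:13 host185 sshd[14822]: Connection closed by UNKNOWN
Apr  8 15:18:45 host185 sshd[14830]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Apr  8 15:20:00 host185 sshd[14810]: pam_unix(sshd:session): session closed for user alice
Apr  8 15:21:13 host185 sshd[14840]: Connection closed by UNKNOWN
EOF

# Print only sshd lines that describe an authentication outcome (Accepted/Failed)
# or a PAM session open/close. Probe connections that never authenticate
# produce neither, so the "Connection closed by UNKNOWN" lines drop out.
auth_events() {
    grep -E 'sshd\[[0-9]+\]: (Accepted|Failed|pam_unix\(sshd:session\): session (opened|closed))' "$1"
}

# Number of real auth/session events in the file.
auth_event_count() {
    auth_events "$1" | wc -l | tr -d ' '
}

# Number of "Connection closed by UNKNOWN" lines, so the volume of local
# status checks stays visible even though they are ignored as events.
unknown_closes() {
    grep -c 'Connection closed by UNKNOWN' "$1"
}

auth_events "$SAMPLE_LOG"
echo "real auth/session events: $(auth_event_count "$SAMPLE_LOG")"
echo "UNKNOWN closes (probe noise): $(unknown_closes "$SAMPLE_LOG")"
```

Pointing `auth_events` at the real /var/log/secure (as root) gives the event stream the original monitoring script wanted; a sudden jump in `unknown_closes` relative to the usual check interval is worth a look, since the same pattern would also come from a port scanner that connects and disconnects without speaking SSH.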

1 comment:

  1. It's probably caused by nagios checking on your localhost ssh.

    It seems to be a known bug...