Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
many preauth sshd disconnects-- what do they mean?
643 views
Skip to first unread message
William Unruh
Feb 9, 2017, 4:05:46 AM2/9/17
to
I am getting many many entries in my logs like the following
Feb 5 11:34:20 dilaton sshd[10795]: Received disconnect from 116.31.116.27: 11: [preauth]
Feb 5 11:34:33 dilaton sshd[10797]: Received disconnect from 112.85.42.123: 11: [preauth]
Feb 5 11:35:05 dilaton sshd[10800]: Received disconnect from 116.31.116.27: 11: [preauth]
Feb 5 11:35:16 dilaton sshd[10802]: Could not write ident string to 112.85.42.123
Feb 5 11:35:50 dilaton sshd[10804]: Received disconnect from 116.31.116.27: 11: [preauth]
Feb 5 11:35:52 dilaton sshd[10805]: Received disconnect from 112.85.42.123: 11: [preauth]
What does this string mean? It does not seem that a connection was ever
made, and I assume this is some sort of attack, but what?
Feb 5 11:34:20 dilaton sshd[10795]: Received disconnect from 116.31.116.27: 11: [preauth]
Feb 5 11:34:33 dilaton sshd[10797]: Received disconnect from 112.85.42.123: 11: [preauth]
Feb 5 11:35:05 dilaton sshd[10800]: Received disconnect from 116.31.116.27: 11: [preauth]
Feb 5 11:35:16 dilaton sshd[10802]: Could not write ident string to 112.85.42.123
Feb 5 11:35:50 dilaton sshd[10804]: Received disconnect from 116.31.116.27: 11: [preauth]
Feb 5 11:35:52 dilaton sshd[10805]: Received disconnect from 112.85.42.123: 11: [preauth]
What does this string mean? It does not seem that a connection was ever
made, and I assume this is some sort of attack, but what?
Bit Twister
Feb 9, 2017, 4:46:16 AM2/9/17
to
On Thu, 9 Feb 2017 09:03:56 -0000 (UTC), William Unruh wrote:
> I am getting many many entries in my logs like the following
> Feb 5 11:34:20 dilaton sshd[10795]: Received disconnect from 116.31.116.27: 11: [preauth]
> I am getting many many entries in my logs like the following
> Feb 5 11:34:20 dilaton sshd[10795]: Received disconnect from 116.31.116.27: 11: [preauth]
> What does this string mean? It does not seem that a connection was ever
> made, and I assume this is some sort of attack, but what?
>
Have you tried putting
> made, and I assume this is some sort of attack, but what?
>
11: [preauth]
in the second box at https://encrypted.google.com/advanced_search
William Unruh
Feb 9, 2017, 6:26:10 AM2/9/17
to
me much information unfortunately.
Doug Laidlaw
Feb 10, 2017, 8:33:45 AM2/10/17
to
William Unruh <un...@invalid.ca> Wrote in message:
http://unix.stackexchange.com/questions/102502/
meaning-of-connection-closed-by-xxx-preauth-in-sshd-logs
came up on my search. Google may have shown you a different
selection.
Doug.
--
meaning-of-connection-closed-by-xxx-preauth-in-sshd-logs
came up on my search. Google may have shown you a different
selection.
Doug.
--
0 new messages