Anton Lindstrom

Pingdom and SSH

Some days ago I noticed a huge number of errors in auth.log about missing identification strings. sshd logs this message when a client opens a TCP connection to the SSH port but closes it, or sends something else, before delivering the protocol identification string (the "SSH-2.0-..." banner) that every real SSH client sends first; port scanners and plain TCP health checks both trigger it. In my case this happened at a regular interval of about 5 minutes and the port was not being flooded. I decided to wait and analyze the data.

Jan 23 06:10:57 qward sshd[15399]: Did not receive identification string from 83.170.113.102
Jan 23 06:15:57 qward sshd[3722]: Did not receive identification string from 95.211.87.85
Jan 23 06:20:58 qward sshd[25690]: Did not receive identification string from 207.218.231.170
Jan 23 06:25:57 qward sshd[13899]: Did not receive identification string from 207.97.207.200
Jan 23 06:31:01 qward sshd[3523]: Did not receive identification string from 67.192.120.134
Jan 23 06:35:58 qward sshd[24067]: Did not receive identification string from 78.136.27.223

I decided to block all the IP addresses that had sent the data to the port. This became interesting: my phone began to buzz and I heard emails dropping into my inbox. Pingdom sent me a notice that the SSH service on my server was down, and at that point I got it. Pingdom's check opens a TCP connection to my port, but it never sends an SSH identification string, so every check results in an error in auth.log. The strange part was that it was not just one IP that sent this; it was about 15-20 addresses, which made it look like several servers were attacking the port.
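The pattern that gave it away here was the cadence, not the source addresses: a monitoring service rotates probe servers, so a dozen different IPs is not by itself a sign of an attack, but a connection arriving every five minutes like clockwork is a strong hint of a scheduled check. The following script is an added example and not part of the original post: it parses the "Did not receive identification string" lines, measures the gaps between consecutive events, and separates a regular scheduled probe from a scanning burst. The six log lines are the ones quoted above; the burst lines, the 192.0.2.10 address, and the thresholds (300 s period, 15 s tolerance, under 5 s median for a burst) are assumptions chosen for the illustration.

```python
import re
import statistics
from datetime import datetime

# Matches the sshd message discussed in the post. Syslog timestamps carry no
# year, so parsed times are only useful for gaps within a single run of log.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Did not receive identification string from (?P<ip>[\d.]+)$"
)

# Log lines quoted in the post (hostname, PIDs and addresses as printed there).
POST_LINES = """\
Jan 23 06:10:57 qward sshd[15399]: Did not receive identification string from 83.170.113.102
Jan 23 06:15:57 qward sshd[3722]: Did not receive identification string from 95.211.87.85
Jan 23 06:20:58 qward sshd[25690]: Did not receive identification string from 207.218.231.170
Jan 23 06:25:57 qward sshd[13899]: Did not receive identification string from 207.97.207.200
Jan 23 06:31:01 qward sshd[3523]: Did not receive identification string from 67.192.120.134
Jan 23 06:35:58 qward sshd[24067]: Did not receive identification string from 78.136.27.223
""".splitlines()

# Constructed contrast case (not from the post): one host hammering the port,
# one connection per second. 192.0.2.10 is from the documentation range.
BURST_LINES = [
    f"Jan 23 07:00:0{i} qward sshd[{100 + i}]: "
    "Did not receive identification string from 192.0.2.10"
    for i in range(1, 6)
]


def parse_auth_log(lines):
    """Return [(datetime, ip), ...] for every matching sshd line, ignoring others."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            events.append((ts, m.group("ip")))
    return events


def classify(events, expected_period=300, tolerance=15, burst_threshold=5):
    """Heuristic verdict from the spacing of events across all source IPs.

    'scheduled probe': gaps cluster tightly around expected_period (seconds).
    'burst': median gap below burst_threshold, i.e. rapid-fire connections.
    'irregular': anything else, e.g. random scanners.
    """
    events = sorted(events)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    distinct_ips = len({ip for _, ip in events})
    if len(gaps) < 2:
        return {"verdict": "insufficient data", "events": len(events),
                "distinct_ips": distinct_ips}
    median = statistics.median(gaps)
    max_dev = max(abs(g - median) for g in gaps)  # jitter around the median
    if median < burst_threshold:
        verdict = "burst"
    elif abs(median - expected_period) <= tolerance and max_dev <= tolerance:
        verdict = "scheduled probe"
    else:
        verdict = "irregular"
    return {"verdict": verdict, "events": len(events), "distinct_ips": distinct_ips,
            "median_gap_s": median, "max_jitter_s": max_dev}


if __name__ == "__main__":
    print("post lines :", classify(parse_auth_log(POST_LINES)))
    print("burst lines:", classify(parse_auth_log(BURST_LINES)))
```

A "scheduled probe" verdict is a reason to check the source addresses against your monitoring provider's published probe list before reaching for the firewall, not proof in itself; a scanner that happens to run on a timer would look the same to this heuristic.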

If you find these errors and are using Pingdom to monitor the status of the SSH port, bear in mind that it might be the cause of these errors in auth.log.