topic Re: sshd identification string within enclosures in Operating System - Linux

sshd identification string within enclosures

Fialia — Mon, 12 May 2008 08:05:01 GMT

I have a couple of blade enclosures with 8 HP Proliant blades in each. In each of the blades this shows up in the messages log:
sshd[xxxx]: Did not receive identification string from

So in every blade of the first enclosure its the IP address of the first blade in that enclosure that is logged, including in the first blade itself. In the second enclosure its the same, except its the IP address of the first blade of the 2nd enclosure that shows up.

They are all in the same subnet and none of the blades has a connection to the Internet. There is no problem logging in with ssh from one node to the other. The OS is SLES10, SP1. Actually this issue is not really a problem as such, it just generates a lot of logging. Is it supposed to be like that, or is there anything I can do that will stop the logging? (Aside from configuring syslog-ng to filter it out.)

Re: sshd identification string within enclosures

Goncalo Gomes — Mon, 12 May 2008 08:36:29 GMT

Have you setup any monitoring system like Nagios/ZenOSS on blade1? That message is usually generated when you happen to do, for example: telnet 22

Re: sshd identification string within enclosures

Zeev Schultz — Mon, 12 May 2008 10:03:45 GMT

It may happen if first blade of each enclosure tries to scan sshd on each blade. See here for example:

http://forums.spry.com/showthread.php?p=608

Now,I'm not saying that your blades go through ssh brute force scan but it could be some sort of management software (either HP or non-HP) that does this scanning to keep an eye on blades?

Basically to find out run a sniffer on one of your blades (i.e Ethereal or tcpdump) and watch for traffic on port 22 (default sshd). Once you discover the port on the remote server(your first blade in enclosure) that generates this traffic - go to first blade and find a process running on this port (with lsof).

Re: sshd identification string within enclosures

Fialia — Wed, 14 May 2008 08:07:25 GMT

OK, so this is basically generated by some kind of scanning software that is not let through?
There is scanning software on all of them that probably generates these messages. As far as I know the first blade should be no different than the others in that respect though. Is there anything in the blade/enclosure setup that singles out the first blade in this way?

Re: sshd identification string within enclosures

Mark Galata — Thu, 20 Nov 2008 12:18:38 GMT

Just because there is strength in numbers--I have the very same problem with our blade servers...