ssh connection closed by UNKNOWN in /var/log/secure
Environment
- Red Hat Enterprise Linux (all versions)
- sshd SSH Server running
Issue
- SSH "Connection closed by UNKNOWN" message after password prompt timeout
- Many entries in /var/log/secure containing:
Jan 8 04:35:41 hostname sshd[30765]: Connection closed by UNKNOWN
Jan 8 04:36:41 hostname sshd[31018]: Connection closed by UNKNOWN
Jan 8 04:37:40 hostname sshd[31063]: Connection closed by UNKNOWN
Jan 8 04:38:40 hostname sshd[31115]: Connection closed by UNKNOWN
Jan 8 04:39:40 hostname sshd[31165]: Connection closed by UNKNOWN
Jan 8 04:40:41 hostname sshd[31399]: Connection closed by UNKNOWN
Resolution
Follow the Diagnostic Steps in this article to determine the source of the connections, then take action as appropriate.
In the case of password prompt timeouts, RHEL 6.7 and 7.1 carry a patch that attempts to resolve the host name of the remote host or client and logs that hostname instead of the text "UNKNOWN".
- RHEL 7.1 RHSA-2015:0425
- RHEL 6.7 RHBA-2015:1335
Root Cause
This message is logged when an ssh client opens a connection to sshd but never supplies a password.
This could be a user who lets the login prompt time out, or local or remote automated monitoring software that simply checks sshd is running by opening an ssh connection and dropping it.
Diagnostic Steps
Find the PID of the listening sshd:
# ss -lp | grep ssh
0 128 :::ssh :::* users:(("sshd",1706,4))
0 128 *:ssh *:* users:(("sshd",1706,3))
Perform a system call trace against the sshd to find the remote host logging in:
# strace -f -e getpeername -p 1706
Here we see a remote host, so we know where the connections are coming from:
Process 1706 attached - interrupt to quit
Process 23804 attached
[pid 23804] getpeername(3, {sa_family=AF_INET, sin_port=htons(36817), sin_addr=inet_addr("192.168.63.12")}, [16]) = 0
If the connections are coming from localhost:
Process 1706 attached - interrupt to quit
Process 23838 attached
[pid 23838] getpeername(3, {sa_family=AF_INET, sin_port=htons(35954), sin_addr=inet_addr("127.0.0.1")}, [16]) = 0
then we can investigate by finding the initiating PID:
# ss -p | grep ssh
ESTAB 0 0 127.0.0.1:36142 127.0.0.1:ssh users:(("ssh",24369,3))
ESTAB 0 0 127.0.0.1:ssh 127.0.0.1:36142 users:(("sshd",24370,3),("sshd",24371,3))
and tying that PID to a user and the command that user ran:
# ps aux | grep 24369
username 24369 0.0 0.0 57700 3428 pts/5 S+ 12:34 0:00 ssh root@localhost
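The steps above are manual. As an added example (not part of this Red Hat article and not Red Hat's code), the following Python script automates the two triage questions the article raises: is the "Connection closed by UNKNOWN" cadence in /var/log/secure regular enough to suggest a monitoring probe, and which peer addresses does the strace getpeername output show, split into loopback and remote. Both inputs are constructed samples embedded in the script, modelled on the log and strace lines shown above; a real run would read /var/log/secure and the saved strace output instead.

```python
"""Triage helper for sshd "Connection closed by UNKNOWN" entries.

Added example; the log and strace text below are constructed samples
shaped like the output shown in the article, not captured from a real host.
"""
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address
from statistics import median

# Constructed sample of /var/log/secure (syslog timestamps carry no year).
SECURE_LOG = """\
Jan 8 04:35:41 hostname sshd[30765]: Connection closed by UNKNOWN
Jan 8 04:36:41 hostname sshd[31018]: Connection closed by UNKNOWN
Jan 8 04:37:40 hostname sshd[31063]: Connection closed by UNKNOWN
Jan 8 04:38:40 hostname sshd[31115]: Connection closed by UNKNOWN
Jan 8 04:39:40 hostname sshd[31165]: Connection closed by UNKNOWN
Jan 8 04:40:41 hostname sshd[31399]: Connection closed by UNKNOWN
Jan 8 04:41:02 hostname sshd[31412]: Accepted publickey for admin from 192.168.63.20 port 50122 ssh2
"""

# Constructed sample of `strace -f -e getpeername -p <sshd pid>` output.
STRACE_OUT = """\
Process 1706 attached - interrupt to quit
Process 23804 attached
[pid 23804] getpeername(3, {sa_family=AF_INET, sin_port=htons(36817), sin_addr=inet_addr("192.168.63.12")}, [16]) = 0
Process 23838 attached
[pid 23838] getpeername(3, {sa_family=AF_INET, sin_port=htons(35954), sin_addr=inet_addr("127.0.0.1")}, [16]) = 0
Process 23851 attached
[pid 23851] getpeername(3, {sa_family=AF_INET, sin_port=htons(35960), sin_addr=inet_addr("127.0.0.1")}, [16]) = 0
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"Connection closed by UNKNOWN"
)
# Only the AF_INET form shown in the article is handled here.
PEER_RE = re.compile(
    r'getpeername\(\d+, \{sa_family=AF_INET, sin_port=htons\((?P<port>\d+)\), '
    r'sin_addr=inet_addr\("(?P<addr>[^"]+)"\)'
)


def unknown_close_times(log_text, year=1970):
    """Return a datetime for every 'Connection closed by UNKNOWN' line.

    syslog timestamps omit the year; an assumed year is enough for intervals.
    """
    times = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            times.append(datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S"))
    return times


def polling_interval(times):
    """Median seconds between consecutive events, or None if fewer than two.

    A tight median (e.g. 60s) points at a scheduled probe rather than humans.
    """
    if len(times) < 2:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return median(gaps)


def peer_addresses(strace_text):
    """Count the peer addresses reported by getpeername() in strace output."""
    counts = Counter()
    for line in strace_text.splitlines():
        m = PEER_RE.search(line)
        if m:
            counts[m.group("addr")] += 1
    return counts


def classify_peers(counts):
    """Split peer counts into loopback (investigate with `ss -p`) and remote."""
    local = {a: n for a, n in counts.items() if ip_address(a).is_loopback}
    remote = {a: n for a, n in counts.items() if not ip_address(a).is_loopback}
    return local, remote


if __name__ == "__main__":
    times = unknown_close_times(SECURE_LOG)
    print(f"{len(times)} UNKNOWN closes, median interval {polling_interval(times)}s")
    local, remote = classify_peers(peer_addresses(STRACE_OUT))
    print("loopback peers:", local)
    print("remote peers:", remote)
```

On a real host, substitute the contents of /var/log/secure and a captured strace session for the two constants; a loopback peer is the cue to continue with `ss -p` and `ps aux` as the article shows, while a remote peer identifies the client host directly.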
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
