ssh connection closed by UNKNOWN in /var/log/secure


Environment

  • Red Hat Enterprise Linux (all versions)
  • sshd SSH Server running

Issue

  • SSH "Connection closed by UNKNOWN" message after password prompt timeout
  • Many entries in /var/log/secure containing:

    Jan 8 04:35:41 hostname sshd[30765]: Connection closed by UNKNOWN
    Jan 8 04:36:41 hostname sshd[31018]: Connection closed by UNKNOWN
    Jan 8 04:37:40 hostname sshd[31063]: Connection closed by UNKNOWN
    Jan 8 04:38:40 hostname sshd[31115]: Connection closed by UNKNOWN
    Jan 8 04:39:40 hostname sshd[31165]: Connection closed by UNKNOWN
    Jan 8 04:40:41 hostname sshd[31399]: Connection closed by UNKNOWN

Resolution

Follow the Diagnostic Steps in this article to determine the source of the connections, then take action as appropriate.

In the case of password prompt timeouts, a patch included in RHEL 6.7 and 7.1 makes sshd attempt to resolve the host name of the remote host or client and log that hostname instead of the text "UNKNOWN".

Root Cause

This message can be caused by a process that opens an SSH client connection to sshd but never supplies a password.

This could be a user who lets the login prompt time out, or a piece of local or remote automated monitoring software that checks sshd is running simply by opening an SSH connection to it.

Diagnostic Steps

Find the PID of the listening sshd:

# ss -lp | grep ssh
0      128                         :::ssh                          :::*        users:(("sshd",1706,4))
0      128                          *:ssh                           *:*         users:(("sshd",1706,3))

Perform a system call trace against sshd to find the remote host that is connecting:

# strace -f -e getpeername -p 1706

Here we see a remote host, so we know where the connections are coming from:

Process 1706 attached - interrupt to quit
Process 23804 attached
[pid 23804] getpeername(3, {sa_family=AF_INET, sin_port=htons(36817), sin_addr=inet_addr("192.168.63.12")}, [16]) = 0

If the connections are coming from localhost:

Process 1706 attached - interrupt to quit
Process 23838 attached
[pid 23838] getpeername(3, {sa_family=AF_INET, sin_port=htons(35954), sin_addr=inet_addr("127.0.0.1")}, [16]) = 0

then we can investigate further by finding the initiating PID:

# ss -p | grep ssh
ESTAB      0      0               127.0.0.1:36142            127.0.0.1:ssh      users:(("ssh",24369,3))
ESTAB      0      0               127.0.0.1:ssh              127.0.0.1:36142    users:(("sshd",24370,3),("sshd",24371,3))

and tying that PID to a user and the command that user ran:

# ps aux | grep 24369
username 24369  0.0  0.0  57700  3428 pts/5    S+   12:34   0:00 ssh root@localhost
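Before tracing sshd, it helps to know whether the entries are arriving on a timer. The following POSIX shell script is an added example, not part of the Red Hat article: it measures the interval between "Connection closed by UNKNOWN" lines in a /var/log/secure-style file, since a near-constant spacing (like the one-minute cadence shown in the Issue section) points to automated monitoring rather than interactive users. It assumes the traditional syslog timestamp format shown above; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the Red Hat article). Writes a constructed
# /var/log/secure-style sample so the functions below can be run offline.
make_sample_secure() {
    cat > "$1" <<'EOF'
Jan  8 04:35:41 hostname sshd[30765]: Connection closed by UNKNOWN
Jan  8 04:36:41 hostname sshd[31018]: Connection closed by UNKNOWN
Jan  8 04:37:40 hostname sshd[31063]: Connection closed by UNKNOWN
Jan  8 04:38:40 hostname sshd[31115]: Accepted publickey for alice from 192.0.2.10 port 50112 ssh2
Jan  8 04:38:40 hostname sshd[31116]: Connection closed by UNKNOWN
EOF
}

# Print "<count> <min_interval> <max_interval>" (seconds) for the
# "Connection closed by UNKNOWN" entries in the given log file.
# Only the HH:MM:SS field is used; a negative gap means the log crossed
# midnight, so a day is added to it.
unknown_close_stats() {
    grep 'sshd\[[0-9]*\]: Connection closed by UNKNOWN' "$1" |
    awk '{
        split($3, t, ":")                      # $3 is HH:MM:SS in syslog format
        s = t[1]*3600 + t[2]*60 + t[3]
        if (n > 0) {
            d = s - prev
            if (d < 0) d += 86400              # crossed midnight
            if (n == 1 || d < mn) mn = d
            if (n == 1 || d > mx) mx = d
        }
        prev = s
        n++
    }
    END {
        if (n < 2) print n + 0, 0, 0
        else       print n, mn, mx
    }'
}

# Exit 0 when at least three entries arrive at a near-constant interval
# (within 2 s of each other), the signature of a monitor probing sshd on
# a timer; exit 1 otherwise.
is_periodic_probe() {
    set -- $(unknown_close_stats "$1")
    [ "$1" -ge 3 ] && [ $(($3 - $2)) -le 2 ]
}
```

Run it as `unknown_close_stats /var/log/secure` on a real host; the strace step above then tells you which host or local PID is behind the cadence.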

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
