Re: sshd: invalid public DH value

I would guess that the "DH" refers to Diffie-Hellman. And if memory serves 
me correctly, the Diffie-Hellman negotiation is one of the earliest stages 
of connection negotiation.

So is it possible that these logs represent an attempt to connect on the 
SSH daemon's port, from something that is NOT an SSH client? For instance, 
what kind of log entry do you get if you try to telnet to the SSH port?

On Tue, 15 Dec 2009, J Jude wrote:

> These messages only started appearing in the latest botnet ssh weak
> user/password fishing expedition.  I don't think the messages are from
> a legitimate client.
> 
> Yes, they could be due to corrupted packets from one of the bots on a
> weak connection, but I would like to hear if anybody can think of
> other possibilities.
> 
> 
> 
> On Mon, Dec 14, 2009 at 16:00, Aleksandr Yampolskiy
> <ayampolskiy@xxxxxxxx> wrote:
> > Perhaps Diffie-Hellman key exchange algorithm fails due to packets being
> > corrupted?
> >
> > ----- Original Message -----
> > From: listbounce@xxxxxxxxxxxxxxxxx <listbounce@xxxxxxxxxxxxxxxxx>
> > To: secureshell@xxxxxxxxxxxxxxxxx <secureshell@xxxxxxxxxxxxxxxxx>
> > Sent: Mon Dec 14 14:16:31 2009
> > Subject: sshd: invalid public DH value
> >
> > Has anybody seen these in their logs?
> >
> >   Dec DD HH:MM:SS web sshd[1979]: invalid public DH value: <= 1
> >   Dec DD HH:MM:SS web sshd[1979]: Disconnecting: bad client public DH value
> >
> > Any idea what they mean?  We get lots of ssh probes, most of which can
> > be ignored, but I've never seen this sshd message before.
> > Could somebody be probing for a buffer overflow?
> >
> > We're running, "OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009", on Linux,
> > kernel 2.6.24-26.
> >
> 
> 

Regards,
....Bob Rasmussen,   President,   Rasmussen Software, Inc.

personal e-mail: ras@xxxxxxxxx
 company e-mail: rsi@xxxxxxxxx
          voice: (US) 503-624-0360 (9:00-6:00 Pacific Time)
            fax: (US) 503-624-0760
            web: http://www.anzio.com
 street address: Rasmussen Software, Inc.
                 10240 SW Nimbus, Suite L9
                 Portland, OR  97223  USA
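
Added example (not part of the thread, and not OpenSSH source code): a Python sketch of the kind of range check that a log line such as "invalid public DH value: <= 1" points to, showing why a server refuses such values. The toy group p = 23, g = 5, the function names, and every reason string other than "<= 1" are assumptions made for this illustration.

```python
from typing import Optional, Set

# Constructed toy group, far too small for real use: p = 23 (safe prime), g = 5.
P, G = 23, 5


def check_dh_public(e: int, p: int) -> Optional[str]:
    """Return None if the peer's public value e is acceptable, else a reason.

    RFC 4253 section 8 forbids values outside [1, p-1]. This example also
    refuses 1 and p-1, which generate subgroups of order 1 and 2.
    Only the "<= 1" string mirrors the log line in the thread; the other
    reason strings are this example's own.
    """
    if e < 0:
        return "negative"
    if e <= 1:
        return "<= 1"
    if e >= p - 1:
        return ">= p-1"
    return None


def secrets_reachable(e: int, p: int) -> Set[int]:
    """Shared secrets K = e^y mod p over every private exponent y in [1, p-2]."""
    return {pow(e, y, p) for y in range(1, p - 1)}


if __name__ == "__main__":
    honest = pow(G, 6, P)  # a well-formed public value: 5^6 mod 23 = 8
    for e in (0, 1, P - 1, honest):
        verdict = check_dh_public(e, P) or "accepted"
        keys = sorted(secrets_reachable(e, P))
        print(f"e={e:>2}  check: {verdict:<9} reachable K: {keys}")
```

For 0, 1 and p-1 the shared secret is fixed, or one of only two values, whatever private exponent the server picks, so the exchange would protect nothing and the server disconnects instead of continuing.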
