Ssh_exchange_identification: Connection closed by remote host

debianssh

OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 178.xxx.xxx.xxx [178.xxx.xxx.xxx] port 22.
debug1: Connection established.
debug1: identity file /home/orangetux/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/orangetux/.ssh/id_rsa-cert type -1
debug1: identity file /home/orangetux/.ssh/id_dsa type -1
debug1: identity file /home/orangetux/.ssh/id_dsa-cert type -1
debug1: identity file /home/orangetux/.ssh/id_ecdsa type -1
debug1: identity file /home/orangetux/.ssh/id_ecdsa-cert type -1
ssh_exchange_identification: Connection closed by remote host

Via an admin panel I can access the logs and I see:

Mar  8 20:32:10 vmi11458 sshd[2334]: Set /proc/self/oom_adj to 0
Mar  8 20:32:10 vmi11458 sshd[2334]: refused connect from 82.xxx.xxx.xxx (82.xxx.xxx.xxx)

I've stopped the DenyHosts service. But I still cannot log in.
How can I solve this?

Best Answer

By stopping the denyhosts service, you prevent new entries from being created in /etc/hosts.deny, but entries that are already there remain. You will need manually remove the IP from the hosts.deny folder. To prevent the IP from being added again, you need to whitelist it in the allowed-hosts file.

Troubleshooting `sshd`

What I find generally very useful in any such cases is to start sshd without letting it daemonize. The problem in my case was that neither syslog nor auth.log showed anything meaningful.

When I started it from the terminal I got:

# $(which sshd) -Ddp 10222
/etc/ssh/sshd_config line 8: address family must be specified before ListenAddress.

Much better! This error message allowed me to see what's wrong and fix it. Neither of the log files contained this output.

NB: at least on Ubuntu the $(which sshd) is the best method to satisfy sshd requirement of an absolute path. Otherwise you'll get the following error: sshd re-exec requires execution with an absolute path. The -p 10222 makes sshd listen on that alternative port, overriding the configuration file - this is so that it doesn't clash with potentially running sshd instances. Make sure to choose a free port here.

Finally: connect to the alternative port (ssh -p 10222 user@server).

This method has helped me many many times in finding issues, be it authentication issues or other types. To get really verbose output to stdout, use $(which sshd) -Ddddp 10222 (note the added dd to increase verbosity). For more debugging goodness check man sshd.

The main advantage of this method is that it allows you to check the sshd configuration without having to restart the sshd on the default port. Normally this should not interfere with existing SSH-connections, but I've seen it. So this allows one to validate the configuration file prior to - potentially - cutting off ones access to a remote server (for example I have that for some VPS and even for physical servers where I need to pay extra to get out-of-band access to the machine).

Ssh – Intermittent ‘ssh_exchange_identification: Connection closed by remote host’ error

Possibly, the issue seems to occur if it happens to have more number of incoming requests.

Once the number of unauthenticated connections goes over the sshd:MaxStartUps parameter, sshd starts rejecting those connections.

So preferably increase the MaxStartups in sshd_config

HTH!

Best Answer

Related Solutions

SSH Error – ssh_exchange_identification: Connection Closed by Remote Host

Troubleshooting sshd

Ssh – Intermittent ‘ssh_exchange_identification: Connection closed by remote host’ error

Related Question

Troubleshooting `sshd`