Re: sshd: invalid public DH value



These messages only started appearing in the latest botnet ssh weak
user/password fishing expedition. I don't think the messages are from
a legitimate client.

Yes, they could be due to corrupted packets from one of the bots on a
weak connection, but I would like to hear if anybody can think of
other possibilities.



On Mon, Dec 14, 2009 at 16:00, Aleksandr Yampolskiy
<ayampolskiy@xxxxxxxx> wrote:
Perhaps Diffie-Hellman key exchange algorithm fails due to packets being
corrupted?

----- Original Message -----
From: listbounce@xxxxxxxxxxxxxxxxx <listbounce@xxxxxxxxxxxxxxxxx>
To: secureshell@xxxxxxxxxxxxxxxxx <secureshell@xxxxxxxxxxxxxxxxx>
Sent: Mon Dec 14 14:16:31 2009
Subject: sshd: invalid public DH value

Has anybody seen these in their logs?

  Dec DD HH:MM:SS web sshd[1979]: invalid public DH value: <= 1
  Dec DD HH:MM:SS web sshd[1979]: Disconnecting: bad client public DH value

Any idea what they mean?  We get lots of ssh probes, most of which can
be ignored, but I've never seen this sshd message before.
Could somebody be probing for a buffer overflow?

We're running, "OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009", on Linux,
kernel 2.6.24-26.