Re: sshd: invalid public DH value



I would guess that the "DH" refers to Diffie-Hellman. And if memory serves
me correctly, the Diffie-Hellman negotiation is one of the earliest stages
of connection negotiation.

So is it possible that these logs represent an attempt to connect on the
SSH daemon's port, from something that is NOT an SSH client? For instance,
what kind of log entry do you get if you try to telnet to the SSH port?

On Tue, 15 Dec 2009, J Jude wrote:

These messages only started appearing in the latest botnet ssh weak
user/password fishing expedition. I don't think the messages are from
a legitimate client.

Yes, they could be due to corrupted packets from one of the bots on a
weak connection, but I would like to hear if anybody can think of
other possibilities.



On Mon, Dec 14, 2009 at 16:00, Aleksandr Yampolskiy
<ayampolskiy@xxxxxxxx> wrote:
Perhaps Diffie-Hellman key exchange algorithm fails due to packets being
corrupted?

----- Original Message -----
From: listbounce@xxxxxxxxxxxxxxxxx <listbounce@xxxxxxxxxxxxxxxxx>
To: secureshell@xxxxxxxxxxxxxxxxx <secureshell@xxxxxxxxxxxxxxxxx>
Sent: Mon Dec 14 14:16:31 2009
Subject: sshd: invalid public DH value

Has anybody seen these in their logs?

  Dec DD HH:MM:SS web sshd[1979]: invalid public DH value: <= 1
  Dec DD HH:MM:SS web sshd[1979]: Disconnecting: bad client public DH value

Any idea what they mean?  We get lots of ssh probes, most of which can
be ignored, but I've never seen this sshd message before.
Could somebody be probing for a buffer overflow?

We're running, "OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009", on Linux,
kernel 2.6.24-26.




Regards,
....Bob Rasmussen, President, Rasmussen Software, Inc.

personal e-mail: ras@xxxxxxxxx
company e-mail: rsi@xxxxxxxxx
voice: (US) 503-624-0360 (9:00-6:00 Pacific Time)
fax: (US) 503-624-0760
web: http://www.anzio.com
street address: Rasmussen Software, Inc.
10240 SW Nimbus, Suite L9
Portland, OR 97223 USA

Relevant Pages

  • Re: SSH compiled with backdoor
    ... backdoor passwd into the ssh and wont show up in wtmp, ... ever he logs in as) invisible, so say u login with the username root and ... your use the global hidden passwd it will allow him on as root. ... the file that logs all the logins with time stamps and src ips is "dev/saux" ...
    (Incidents)
  • Re: OT: Safe to access SSH server from work?
    ... on any host and never been terribly worried about the state of the logs as ... login, and the only thing that such accounts can run is sftp. ... IP based ACLs within the ssh configuration to help ensure that internal ... only a miniscule incremental change to insist on a different port. ...
    (Debian-User)
  • RE: How to display IP of ssh user in message?
    ... How to display IP of ssh user in message? ... - Have a warning banner enabled at log in. ... do a lastb and it logs it by, ...
    (RedHat)
  • Re: how to react on ssh attacks?
    ... > to view the logs. ... The huge amount of ssh probes that have been going on for the last year or ... enforced routine password changes and password selection rules since the ...
    (Fedora)
  • Re: Help -- Have I been rooted?
    ... I only allowed ssh, httpd, and ftp port forwarding to my ... machine for the past few days while I used a store bought router. ... I checked the router logs and was greeted by pages of stuff like this: ...
    (comp.os.linux.security)