ssh server: reasons for sudden "Connection closed by remote host"

Question

One of my ec2 servers has stopped receiving ssh connections. The OS is Ubuntu server 8.04, and the ssh server is the standard openssh-server.

After months of uptime, I tried to connet to it today, and got the following message:

ssh_exchange_identification: Connection closed by remote host

Any idea what could have went wrong?

Update: After a reboot, the server started receiving new connections. Disks are below 50% usage.

First thing to do when you see this: try again with ssh -vvv, and look carefully through the output (or post it all for someone else to analyse; your password won't appear, but IP addresses and user names will). — Gilles 'SO- stop being evil', Aug 25 '11 at 23:46

jasonwryan · Accepted Answer · 2011-08-25T18:57:09.883

14

Now that you once again have access, check the log to determine what, if any, clues there are as to why you were blocked.

tail -n300 /var/log/auth.log | grep ssh ¹

The other thing to remember is that, if it happens again, you can run ssh in verbose mode with the -vvv option, which will return more detailed diagnostic information. From man ssh:

-v Verbose mode. Causes ssh to print debugging messages about its progress. This is helpful in debugging connection, authentication, and configuration problems. Multiple -v options increase the verbosity. The maximum is 3.

[1] You may need to increase/decrease the amount you tail by (-n) to identify the relevant entries.

edited Aug 25 '11 at 18:57

answered Aug 25 '11 at 18:39

jasonwryan

73,126

1

so I shouldn't include the footnote (^1) in my command? ;-) – Scott Skiles Apr 21 '20 at 20:43
So, what was the reason, I have same thing going on. – Szymon Roziewski Oct 17 '23 at 13:25

score 7 · Answer 2 · answered Nov 27 '12 at 22:28

7

This is a normal situation if multiple clients try to authenticate in the same time. This is configured by the MaxStartups option in /etc/ssh/sshd_config.

If MaxStartups=3, and 4 clients try to connect, the last client will display your message, it is rejected by the server because of too many authentications pending on the server side.

sshd behaves like this to prevent bruteforce attack.

answered Nov 27 '12 at 22:28

user368507

2,173

This might be my case, although I see no confirmation in the logs (nothing about my ip). – x-yuri Sep 29 '20 at 20:04

score 6 · Answer 3 · answered Aug 25 '11 at 08:25

6

It could be caused by time skew. Make sure that all machines are getting time from an internet time server.

answered Aug 25 '11 at 08:25

Šimon Tóth

8,238

score 5 · Answer 4 · answered Aug 25 '11 at 11:46

5

Are you using some sort of automatic blocking? I have denyhosts isntalled, which will block the IP address after several failed login attempts, and I have locked myself out like this a few times.

answered Aug 25 '11 at 11:46

Piskvor left the building

682

score 4 · Answer 5 · answered Aug 25 '11 at 07:23

4

Unlikely is a failed automatic package update.

Likely is a hardware failure, software failure (kernel resources leak), temporary routing failure, or hacking attempt gone awry.

I'm assuming a local managed user database for EC2.

answered Aug 25 '11 at 07:23

Steve-o

420

ssh server: reasons for sudden "Connection closed by remote host"

5 Answers5

Linked

Related