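I set up an SSH server online that is publicly accessible to anyone. As a result, I get a lot of connections from IPs all over the world. Strangely, nobody actually tries to authenticate to open a session. I can connect and authenticate myself without any problems.
Sometimes, I get error: kex_exchange_identification: Connection closed by remote host in the server logs. What causes this?
Here is 30 minutes of SSH logs (public IPs have been redacted):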
# journalctl SYSLOG_IDENTIFIER=sshd -S "03:30:00" -U "04:00:00"
-- Logs begin at Fri 2020-01-31 09:26:25 UTC, end at Mon 2020-04-20 08:01:15 UTC. --
Apr 20 03:39:48 myhostname sshd[18438]: Connection from x.x.x.207 port 39332 on 10.0.0.11 port 22 rdomain ""
Apr 20 03:39:48 myhostname sshd[18439]: Connection from x.x.x.207 port 39334 on 10.0.0.11 port 22 rdomain ""
Apr 20 03:39:48 myhostname sshd[18438]: Connection closed by x.x.x.207 port 39332 [preauth]
Apr 20 03:39:48 myhostname sshd[18439]: Connection closed by x.x.x.207 port 39334 [preauth]
Apr 20 03:59:36 myhostname sshd[22186]: Connection from x.x.x.83 port 34876 on 10.0.0.11 port 22 rdomain ""
Apr 20 03:59:36 myhostname sshd[22186]: error: kex_exchange_identification: Connection closed by remote host
Here is my SSH configuration:
# ssh -V
OpenSSH_8.2p1, OpenSSL 1.1.1d 10 Sep 2019
# cat /etc/ssh/sshd_config
UsePAM yes
AddressFamily any
Port 22
X11Forwarding no
PermitRootLogin prohibit-password
GatewayPorts no
PasswordAuthentication no
ChallengeResponseAuthentication no
PrintMotd no # handled by pam_motd
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 /etc/ssh/authorized_keys.d/%u
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
LogLevel VERBOSE
UseDNS no
AllowUsers root
AuthenticationMethods publickey
MaxStartups 3:100:60
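After searching online, I saw references suggesting that MaxStartups could be the cause of this error, but after changing the default value, as shown in my sshd_config, and attempting more than 3 connections, the server states the problem unambiguously: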
Apr 20 07:26:59 myhostname sshd[31468]: drop connection #3 from [x.x.x.226]:54986 on [10.0.0.11]:22 past MaxStartups
So, what causes error: kex_exchange_identification: Connection closed by remote host?
mfo*_*tti 14
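Strangely, nobody actually tries to authenticate to open a session.
Some spiders and services (such as Shodan) scan public IPv4 addresses for open services, such as salt masters, FTP servers, RDP, and also SSH services. These spiders usually just connect to the service without performing any valid authentication steps.
I get error: kex_exchange_identification: Connection closed by remote host in the server logs. What causes this?
I haven't found a definitive answer on that, so... time to go through the source code.
In the OpenSSH source code, kex_exchange_identification is the function that exchanges the server and client identification (duh), and the specified error occurs if the socket connection between the OpenSSH server and the client is interrupted (see EPIPE), i.e. the client has already closed its connection.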
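To tell these cases apart in a journal like the one in the question, the sshd lines can be grouped by PID and each connection labelled by how it ended. This is an added example, not part of the original answer; the outcome labels and function names are assumptions, and the sample is built from the log lines quoted in the question.

```python
import re
from collections import Counter

# Constructed sample: the log lines quoted in the question (addresses redacted as on the page).
SAMPLE = '''\
Apr 20 03:39:48 myhostname sshd[18438]: Connection from x.x.x.207 port 39332 on 10.0.0.11 port 22 rdomain ""
Apr 20 03:39:48 myhostname sshd[18439]: Connection from x.x.x.207 port 39334 on 10.0.0.11 port 22 rdomain ""
Apr 20 03:39:48 myhostname sshd[18438]: Connection closed by x.x.x.207 port 39332 [preauth]
Apr 20 03:39:48 myhostname sshd[18439]: Connection closed by x.x.x.207 port 39334 [preauth]
Apr 20 03:59:36 myhostname sshd[22186]: Connection from x.x.x.83 port 34876 on 10.0.0.11 port 22 rdomain ""
Apr 20 03:59:36 myhostname sshd[22186]: error: kex_exchange_identification: Connection closed by remote host
Apr 20 07:26:59 myhostname sshd[31468]: drop connection #3 from [x.x.x.226]:54986 on [10.0.0.11]:22 past MaxStartups
'''

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONN = re.compile(r"Connection from (?P<src>\S+) port \d+ on ")
DROP = re.compile(r"drop connection #\d+ from \[(?P<src>[^\]]+)\]:\d+ .* past MaxStartups")
KEX_ID = "kex_exchange_identification: Connection closed by remote host"

def classify(log_text):
    """Return {(pid, src): outcome} for every connection seen in the log."""
    src_by_pid, outcome = {}, {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if (c := CONN.match(msg)):
            src_by_pid[pid] = c["src"]
            outcome[(pid, c["src"])] = "open"
        elif (d := DROP.match(msg)):
            # This line carries its own source address; no earlier "Connection from" is needed.
            outcome[(pid, d["src"])] = "dropped_maxstartups"
        elif pid in src_by_pid:
            key = (pid, src_by_pid[pid])
            if KEX_ID in msg:
                outcome[key] = "closed_during_identification"
            elif msg.startswith("Connection closed by") and msg.endswith("[preauth]"):
                outcome[key] = "closed_preauth"
    return outcome

def summary(log_text):
    """Count outcomes per source address."""
    return Counter((src, o) for (_, src), o in classify(log_text).items())

if __name__ == "__main__":
    for (src, o), n in sorted(summary(SAMPLE).items()):
        print(f"{src:12} {o:30} {n}")
```

Over a long journal, PIDs can be reused, so feed it bounded time windows such as the 30-minute slice above.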
小智 7
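I just ran into this exact problem; the cause was that I had port translation inside a load balancer, which meant my ssh connections were reaching the host via port 80 instead of port 22.
The host was correctly terminating the connection; the error message returned to my terminal was as follows: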
~/Documents/Projects$ ssh -vvvvA dave@xx.xx.xx.250
OpenSSH_8.1p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/dave/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 47: Applying options for *
debug2: resolve_canonicalize: hostname xx.xx.xx.250 is address
debug2: ssh_connect_direct
debug1: Connecting to xx.xx.xx.250 [xx.xx.xx.250] port 22.
debug1: Connection established.
debug1: identity file /Users/dave/.ssh/id_rsa type 0
debug1: identity file /Users/dave/.ssh/id_rsa-cert type -1
debug1: identity file /Users/dave/.ssh/id_dsa type -1
debug1: identity file /Users/dave/.ssh/id_dsa-cert type -1
debug1: identity file /Users/dave/.ssh/id_ecdsa type -1
debug1: identity file /Users/dave/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/dave/.ssh/id_ed25519 type -1
debug1: identity file /Users/dave/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/dave/.ssh/id_xmss type -1
debug1: identity file /Users/dave/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
debug1: kex_exchange_identification: banner line 0: HTTP/1.1 400 Bad Request
debug1: kex_exchange_identification: banner line 1: Server: nginx/1.14.0 (Ubuntu)
debug1: kex_exchange_identification: banner line 2: Date: Fri, 20 Nov 2020 09:30:23 GMT
debug1: kex_exchange_identification: banner line 3: Content-Type: text/html
debug1: kex_exchange_identification: banner line 4: Content-Length: 182
debug1: kex_exchange_identification: banner line 5: Connection: close
debug1: kex_exchange_identification: banner line 6:
debug1: kex_exchange_identification: banner line 7: <html>
debug1: kex_exchange_identification: banner line 8: <head><title>400 Bad Request</title></head>
debug1: kex_exchange_identification: banner line 9: <body bgcolor="white">
debug1: kex_exchange_identification: banner line 10: <center><h1>400 Bad Request</h1></center>
debug1: kex_exchange_identification: banner line 11: <hr><center>nginx/1.14.0 (Ubuntu)</center>
debug1: kex_exchange_identification: banner line 12: </body>
debug1: kex_exchange_identification: banner line 13: </html>
kex_exchange_identification: Connection closed by remote host
Fixed the internal port translation and now the problem is gone.
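The same diagnosis can be made without reading ssh -vvvv output by checking what the port actually answers with against the RFC 4253 identification string format. This is an added example, not part of the original answer; the function names, the verdict labels and the client name "bannercheck" are assumptions, and the sample replies are constructed from the output shown above.

```python
import re
import socket

# RFC 4253 section 4.2 identification string: SSH-protoversion-softwareversion [SP comments]
IDENT = re.compile(rb"^SSH-([^-\s]+)-(\S+)(?: .*)?$")
HTTP_STATUS = re.compile(rb"^HTTP/\d\.\d \d{3}")

def inspect_banner(data):
    """Classify the bytes a peer sent where an SSH identification string was expected."""
    if not data:
        return {"verdict": "closed_without_data"}
    # Only newline-terminated lines count; lines before the SSH- line are allowed by the RFC.
    lines = [l.rstrip(b"\r") for l in data.split(b"\n")[:-1]]
    for i, line in enumerate(lines):
        m = IDENT.match(line)
        if m:
            return {"verdict": "ssh", "proto": m[1].decode(), "software": m[2].decode(),
                    "lines_before": i}
        if HTTP_STATUS.match(line):
            return {"verdict": "http_not_ssh", "status_line": line.decode("latin-1")}
    return {"verdict": "no_ssh_identification", "lines_seen": len(lines)}

def read_banner(host, port=22, timeout=5.0, limit=4096):
    """Send our own identification string, then collect what the peer answers with."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-bannercheck\r\n")  # hypothetical client name
        while len(data) < limit:
            try:
                chunk = s.recv(limit - len(data))
            except socket.timeout:
                break
            if not chunk:
                break
            data += chunk
            if inspect_banner(data)["verdict"] != "no_ssh_identification":
                break
    return data

# Constructed samples: the nginx reply from the debug output above, and a normal sshd banner.
NGINX_REPLY = (b"HTTP/1.1 400 Bad Request\r\nServer: nginx/1.14.0 (Ubuntu)\r\n"
               b"Content-Type: text/html\r\nConnection: close\r\n\r\n")
SSHD_BANNER = b"SSH-2.0-OpenSSH_8.2\r\n"

if __name__ == "__main__":
    for sample in (NGINX_REPLY, SSHD_BANNER, b""):
        print(inspect_banner(sample))
```

Calling inspect_banner(read_banner(host)) against your own host, from outside the load balancer, shows whether port 22 reaches sshd or another service.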