SSH exchange identification: Connection closed by remote host
07 Jan 2014
When trying to connect to a remote server, you may sometimes get:
This might indicate an ongoing brute force attack against your server (although there are several other reasons for that error message).
If you have other means to get a shell on your server, you can check if a brute force attack is happening by tailing /var/log/auth.log
In my case the IP 18.104.22.168 tried to crack my root user’s password by brute force, which of course wouldn’t have worked anyway as you should never permit root login over SSH.
We have mostly Debian or Ubuntu servers in production, and we usually install the package denyhosts, which can stop this kind of attack by automatically adding the offender’s IP address to /etc/hosts.deny.
Somehow that was forgotten during setup . . .
A simple sudo apt-get install denyhosts stopped the attack, and I no longer get SSH exchange identification: Connection closed by remote host when trying to connect.