When trying to connect to a remote server, you may sometimes get:

SSH exchange identification: Connection closed by remote host

This might indicate an ongoing brute force attack against your server (although there are several other reasons for that error message).

If you have another way to get a shell on your server, you can check whether a brute force attack is happening by tailing /var/log/auth.log.

tail -f /var/log/auth.log
Jan  7 00:57:57 hostname sshd[10654]: refused connect from 59.63.167.174 (59.63.167.174)
Jan  7 00:57:57 hostname sshd[10655]: refused connect from 59.63.167.174 (59.63.167.174)
Jan  7 00:57:58 hostname sshd[10656]: refused connect from 59.63.167.174 (59.63.167.174)
Jan  7 00:57:59 hostname sshd[10657]: refused connect from 59.63.167.174 (59.63.167.174)
Jan  7 00:57:59 hostname sshd[10639]: Failed password for root from 59.63.167.174 port 53081 ssh2
Jan  7 00:58:00 hostname sshd[10658]: refused connect from 59.63.167.174 (59.63.167.174)
Jan  7 00:58:00 hostname sshd[10659]: refused connect from 59.63.167.174 (59.63.167.174)
Jan  7 00:58:01 hostname sshd[10662]: refused connect from 59.63.167.174 (59.63.167.174)
Jan  7 00:58:01 hostname sshd[10663]: refused connect from 59.63.167.174 (59.63.167.174)
Jan  7 00:58:01 hostname sshd[10639]: Failed password for root from 59.63.167.174 port 53081 ssh2
Jan  7 00:58:01 hostname sshd[10639]: Disconnecting: Too many authentication failures for root [preauth]
Jan  7 00:58:01 hostname sshd[10639]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.63.167.174  user=root
Jan  7 00:58:01 hostname sshd[10639]: PAM service(sshd) ignoring max retries; 6 > 3
Jan  7 00:58:02 hostname sshd[10665]: refused connect from 59.63.167.174 (59.63.167.174)
Jan  7 00:58:06 hostname sshd[10666]: refused connect from 59.63.167.174 (59.63.167.174)
Jan  7 00:58:07 hostname sshd[10668]: refused connect from 59.63.167.174 (59.63.167.174)
Jan  7 00:58:08 hostname sshd[10669]: refused connect from 59.63.167.174 (59.63.167.174)
Jan  7 00:58:13 hostname sshd[10689]: refused connect from 59.63.167.174 (59.63.167.174)
Jan  7 00:58:14 hostname sshd[10692]: refused connect from 59.63.167.174 (59.63.167.174)
Jan  7 00:58:19 hostname sshd[10695]: refused connect from 59.63.167.174 (59.63.167.174)
Jan  7 00:58:25 hostname sshd[10697]: refused connect from 59.63.167.174 (59.63.167.174)
Jan  7 00:58:31 hostname sshd[10699]: refused connect from 59.63.167.174 (59.63.167.174)
Jan  7 00:58:37 hostname sshd[10716]: refused connect from 59.63.167.174 (59.63.167.174)
Jan  7 00:58:42 hostname sshd[10730]: refused connect from 59.63.167.174 (59.63.167.174)
Jan  7 00:58:48 hostname sshd[10732]: refused connect from 59.63.167.174 (59.63.167.174)

In my case the IP 59.63.167.174 tried to crack my root user’s password by brute force, which of course wouldn’t have worked anyway, as you should never permit root login over SSH.
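Reading the log by eye works once; to make the check repeatable, here is an added example (not from the original post) that counts the "refused connect" and "Failed password" events per source address in lines of the format shown above. The sample lines, the second source 10.0.0.5 and the threshold of 5 events are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the syslog format shown above; 10.0.0.5 is a made-up second source.
SAMPLE_AUTH_LOG = """\
Jan  7 00:57:57 hostname sshd[10654]: refused connect from 59.63.167.174 (59.63.167.174)
Jan  7 00:57:58 hostname sshd[10656]: refused connect from 59.63.167.174 (59.63.167.174)
Jan  7 00:57:59 hostname sshd[10639]: Failed password for root from 59.63.167.174 port 53081 ssh2
Jan  7 00:58:00 hostname sshd[10658]: refused connect from 59.63.167.174 (59.63.167.174)
Jan  7 00:58:01 hostname sshd[10639]: Failed password for root from 59.63.167.174 port 53081 ssh2
Jan  7 00:58:01 hostname sshd[10639]: Disconnecting: Too many authentication failures for root [preauth]
Jan  7 00:58:02 hostname sshd[10665]: refused connect from 59.63.167.174 (59.63.167.174)
Jan  7 00:58:45 hostname sshd[10701]: Failed password for invalid user admin from 10.0.0.5 port 50130 ssh2
"""

# The two event types visible in the log above: a refused connection and a password failure.
REFUSED_RE = re.compile(r"sshd\[\d+\]: refused connect from (\S+) \(")
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def parse_sshd_events(text):
    """Yield (kind, source_ip, username) per recognised line; username is None for refusals."""
    for line in text.splitlines():
        m = REFUSED_RE.search(line)
        if m:
            yield "refused", m.group(1), None
            continue
        m = FAILED_RE.search(line)
        if m:
            yield "failed_password", m.group(2), m.group(1)

def summarize_by_source(text):
    """Per source IP: counts of each event kind and the set of usernames tried."""
    summary = defaultdict(lambda: {"refused": 0, "failed_password": 0, "users": set()})
    for kind, ip, user in parse_sshd_events(text):
        summary[ip][kind] += 1
        if user is not None:
            summary[ip]["users"].add(user)
    return dict(summary)

def flag_brute_force(text, threshold=5):
    """Return sources whose refusals plus password failures reach the (constructed) threshold."""
    flagged = {}
    for ip, s in summarize_by_source(text).items():
        total = s["refused"] + s["failed_password"]
        if total >= threshold:
            flagged[ip] = {"events": total, "root_targeted": "root" in s["users"]}
    return flagged
```

On a real server, pass the contents of /var/log/auth.log to flag_brute_force() instead of the constructed sample; a single failed login from a known address stays below the threshold, while the pattern in the log above is flagged with the root account marked as targeted.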

We have mostly Debian or Ubuntu servers in production, and we usually install the package denyhosts, which can stop this kind of attack by automatically adding the offender’s IP address to /etc/hosts.deny.

Somehow that was forgotten during setup . . .

A simple sudo apt-get install denyhosts stopped the attack, and I no longer get SSH exchange identification: Connection closed by remote host when trying to connect.