4 SSH login failures

stavros-k (Patron; joined Dec 26, 2020; 231 messages)
I've got the following alert on my nightly Scale TrueNAS-SCALE-21.08-MASTER-20210805-112923 test machine. The mentioned IP is my Android phone; some of the alerts are when I'm home with my phone connected.
Some are at a time that I'm not home. No other device can get this IP, since it's reserved.

Is this a bug? How can I dig more and see what's going on?




Code:
4 SSH login failures:
Aug 5 00:05:26 truenas sshd[470393]: error: kex_exchange_identification: client sent invalid protocol identifier "GET / HTTP/1.1"
Aug 5 00:05:26 truenas sshd[470393]: banner exchange: Connection from 10.10.10.80 port 37210: invalid format
Aug 5 08:04:00 truenas sshd[1488987]: error: kex_exchange_identification: client sent invalid protocol identifier "GET / HTTP/1.1"
Aug 5 08:04:00 truenas sshd[1488987]: banner exchange: Connection from 10.10.10.80 port 46310: invalid format
 

mroptman (Dabbler; joined Dec 2, 2019; 23 messages)
Your Android device must have some SSH client and it is attempting to connect to your TrueNAS system. Would recommend reviewing the apps on the Android device and deleting any SSH client apps and then see if the issue persists.
 

stavros-k (Patron; joined Dec 26, 2020; 231 messages)
> Your Android device must have some SSH client and it is attempting to connect to your TrueNAS system. Would recommend reviewing the apps on the Android device and deleting any SSH client apps and then see if the issue persists.

At first that was what I thought. I looked at every app but didn't find anything, nor have I downloaded any new apps for the past month at least.
Also there were "attempts" at times I was not at home, so my phone wouldn't be able to do that.

The first time I got the alert was just after an update, next day the same, 3rd day and until now, no alerts.


I'll keep an eye on it for a few more days, see what happens...
 

troonas (Dabbler; joined Dec 9, 2021; 26 messages)
> At first that was what I thought. I looked at every app but didn't find anything, nor have I downloaded any new apps for the past month at least.
> Also there were "attempts" at times I was not at home, so my phone wouldn't be able to do that.
>
> The first time I got the alert was just after an update, next day the same, 3rd day and until now, no alerts.
>
> I'll keep an eye on it for a few more days, see what happens...

Curious, did you ever figure this out? I had the exact same thing happen from my Android phone, and from the user it attempted to use, I can tell it was Termux that initiated the connection. I literally have no record of that on my phone within Termux though, which is very strange.
 

troonas (Dabbler; joined Dec 9, 2021; 26 messages)
Actually, come to think of it, I accidentally exposed my TrueNAS server on my local VLAN for a couple hours where it was broadcasting its SSH service via Avahi.

I just happened to discover that using an mDNS scanner app on my phone. Maybe when I clicked the entry in the UI, it silently attempted to open the address + port as if it were an HTTP server, which triggered the alert that showed up a few hours later. Not sure how the user field made it over into the logs (maybe SSH and HTTP define that the same way in their protocols?), but perhaps that's the backing Unix user for the entire phone and not just Termux.
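
Added example, not part of any post in this thread: a Python sketch that pairs the two sshd lines of each failed banner exchange by PID and labels what the client sent in place of an SSH banner, so HTTP requests hitting the SSH port can be told apart at a glance. The function names are assumptions of this example; the sample lines are the ones from the alert in the first post.

```python
import re
from collections import Counter

# sshd lines copied from the alert quoted in the first post of this thread.
SAMPLE_LOG = """\
Aug 5 00:05:26 truenas sshd[470393]: error: kex_exchange_identification: client sent invalid protocol identifier "GET / HTTP/1.1"
Aug 5 00:05:26 truenas sshd[470393]: banner exchange: Connection from 10.10.10.80 port 37210: invalid format
Aug 5 08:04:00 truenas sshd[1488987]: error: kex_exchange_identification: client sent invalid protocol identifier "GET / HTTP/1.1"
Aug 5 08:04:00 truenas sshd[1488987]: banner exchange: Connection from 10.10.10.80 port 46310: invalid format
"""

LINE = re.compile(r'^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+sshd\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$')
IDENT = re.compile(r'client sent invalid protocol identifier "(?P<ident>.*)"$')
PEER = re.compile(r'banner exchange: Connection from (?P<ip>\S+) port (?P<port>\d+): invalid format')
HTTP_REQ = re.compile(r'^(GET|HEAD|POST|PUT|DELETE|OPTIONS|CONNECT|PATCH|TRACE) \S+ HTTP/\d(\.\d)?$')


def classify(ident):
    """Label the first line the client sent in place of an SSH banner."""
    return "http-request" if HTTP_REQ.match(ident) else "other-non-ssh"


def banner_failures(log_text):
    """Join the two log lines of each failed banner exchange by sshd PID."""
    pending, events = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ident, peer = IDENT.search(m["msg"]), PEER.search(m["msg"])
        if ident:
            pending[m["pid"]] = ident["ident"]
        elif peer and m["pid"] in pending:
            sent = pending.pop(m["pid"])  # pop so a reused PID starts clean
            events.append({"time": m["ts"], "ip": peer["ip"],
                           "port": int(peer["port"]), "sent": sent,
                           "kind": classify(sent)})
    return events


def summarize(events):
    """Count events per (source IP, kind) for a quick triage view."""
    return Counter((e["ip"], e["kind"]) for e in events)


if __name__ == "__main__":
    for (ip, kind), n in summarize(banner_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {n} x {kind}")
```

An `http-request` result means the peer sent an HTTP request line where sshd expected the SSH identification string, so the connection was dropped at the banner exchange, before key exchange or authentication.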
 