What does "sshd: error: connect_to ... failed" in auth.log mean?
You can reproduce this by setting up SSH dynamic port forwarding:
From man ssh:
-D [bind_address:]port
Specifies a local "dynamic" application-level port forwarding. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh will act as a SOCKS server. Only root can forward privileged ports. Dynamic port forwardings can also be specified in the configuration file.
IPv6 addresses can be specified by enclosing the address in square brackets. Only the superuser can forward privileged ports. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of "localhost" indicates that the listening port be bound for local use only, while an empty address or '*' indicates that the port should be available from all interfaces.
Start a SOCKS proxy on localhost, port 2302:
$ ssh -v -ND 2302 user@host
To route HTTP traffic via this tunnel, in Firefox:
Edit -> Preferences -> Advanced -> Network tab -> Settings -> Manual Proxy Configuration -> SOCKS Host: localhost and Port: 2302
In order to make use of the SOCKS proxy with other traffic, you can use a socksifier program like tsocks:
[I] net-proxy/tsocks
Available versions: 1.8_beta5-r3 ~1.8_beta5-r4 1.8_beta5-r5 ~1.8_beta5-r6 {tordns}
Installed versions: 1.8_beta5-r5(10:08:28 AM 06/15/2010)(-tordns)
Homepage: http://tsocks.sourceforge.net/
Description: Transparent SOCKS v4 proxying library
On my Gentoo, edit /etc/socks/tsocks.conf as below:
# Otherwise we use the server
server = 127.0.0.1
server_port = 2302
Testing:
$ tsocks telnet 255.255.255.255 25
You'll see something like this in /var/log/secure on the SSH server:
sshd[28491]: error: connect_to 255.255.255.255 port 25: failed.
The part I don't understand is who exactly is trying to connect to those addresses.
To narrow it down, take a look at /var/log/secure (auth.log on your distro) and examine who has logged in before this:
sshd[26898]: pam_unix(sshd:session): session opened for user quanta
Setting a user's shell to /bin/false does not prevent ssh port forwarding.
http://random.cconn.info/2012/05/06/binfalse-sbinnologin-and-ssh/
http://www.semicomplete.com/articles/ssh-security/
So my guess is that the OP had a user login with weak or trivial password, "disabled" the account by setting shell to /bin/false or /bin/nologin, and it was exploited to send spam by ssh port forwarding.
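As an added example (not part of the answer above, nor anything shipped with OpenSSH), the following Python script does the "examine who has logged in before this" step mechanically. It assumes syslog-style auth.log/secure lines with pam_unix session open/close messages, and walks the log in order, tracking which sessions are open, so that each "connect_to ... failed" error is attributed to the users whose sessions were open at that moment. The log lines in SAMPLE_LOG are constructed for the example; the PID on the error lines deliberately differs from the PID on the session lines, as it does in the answer's own excerpt, which is why the attribution is by time rather than by PID.

```python
import re
from collections import Counter

# Constructed sample auth.log / secure lines in syslog format (not taken from
# the original answer). The "connect_to" errors carry a different sshd PID
# than the "session opened" line, so they cannot be joined on PID.
SAMPLE_LOG = """\
Jun 15 10:01:02 gw sshd[26898]: pam_unix(sshd:session): session opened for user quanta by (uid=0)
Jun 15 10:05:40 gw sshd[27310]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Jun 15 10:08:28 gw sshd[28491]: error: connect_to 255.255.255.255 port 25: failed.
Jun 15 10:08:30 gw sshd[27310]: pam_unix(sshd:session): session closed for user alice
Jun 15 10:08:31 gw sshd[28491]: error: connect_to 203.0.113.9 port 25: failed.
Jun 15 10:09:00 gw sshd[28491]: error: connect_to 203.0.113.10 port 587: failed.
Jun 15 10:20:00 gw sshd[26898]: pam_unix(sshd:session): session closed for user quanta
"""

TS = r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ "
SESSION_OPEN = re.compile(TS + r"sshd\[(?P<pid>\d+)\]: pam_unix\(sshd:session\): "
                          r"session opened for user (?P<user>\S+)")
SESSION_CLOSE = re.compile(TS + r"sshd\[(?P<pid>\d+)\]: pam_unix\(sshd:session\): "
                           r"session closed for user (?P<user>\S+)")
CONNECT_FAIL = re.compile(TS + r"sshd\[(?P<pid>\d+)\]: error: connect_to "
                          r"(?P<dest>\S+) port (?P<port>\d+): failed\.")

# Outbound mail ports: a forwarded connection to these is the spam-relay
# pattern the answer describes.
MAIL_PORTS = {25, 465, 587}


def attribute_forward_failures(log_text):
    """Walk the log in order, keep the set of currently open sessions, and
    attach every connect_to failure to the users whose sessions were open
    when it happened. Returns one dict per failure."""
    open_sessions = {}  # sshd PID that logged the PAM session -> username
    events = []
    for line in log_text.splitlines():
        m = SESSION_OPEN.search(line)
        if m:
            open_sessions[m["pid"]] = m["user"]
            continue
        m = SESSION_CLOSE.search(line)
        if m:
            open_sessions.pop(m["pid"], None)
            continue
        m = CONNECT_FAIL.search(line)
        if m:
            port = int(m["port"])
            events.append({
                "time": m["ts"],
                "forwarder_pid": m["pid"],
                "dest": m["dest"],
                "port": port,
                "mail_port": port in MAIL_PORTS,
                # Several sessions may be open at once; the log alone cannot
                # say which one did the forwarding, so report all of them.
                "candidates": sorted(set(open_sessions.values())),
            })
    return events


def suspects(events):
    """Count, per user, how many forwarding failures happened while that
    user's session was open. A user who is the sole candidate for a run of
    mail-port attempts is the account to look at."""
    counts = Counter()
    for ev in events:
        for user in ev["candidates"]:
            counts[user] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = attribute_forward_failures(SAMPLE_LOG)
    for ev in evs:
        print(ev)
    print(suspects(evs))
```

Run it against a real log with `attribute_forward_failures(open("/var/log/auth.log").read())`. Where a failure lists more than one candidate, the "Accepted ... for user from ADDRESS" lines for those sessions give the source addresses to compare. Once the account is identified, the fix the answer implies is on the server side: a shell of /bin/false does not stop forwarding, but `AllowTcpForwarding no` in sshd_config (globally or in a Match block for that user or group) does.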