auth.log indicates error with JSchException?
I have a fairly minimal setup server, and it doesn't allow password authentication, only using keys. And it definitely doesn't have Java installed. Normally I don't pay any attention to the thousands of attempts a day of script kiddies to guess my passwords - I figure the time they waste on my system is time they're not wasting on systems that do allow password authentication. But I am seeing this message in /var/log/auth.log:
Dec 7 13:43:43 hostname sshd[7412]: Received disconnect from 189.203.240.57: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Is that mention of what looks like a Java exception coming from the attacker, or is that from something on my side?
It looks like openssh server passes through the last message from the client in its "Received disconnect" error message, so it appears that this is a zombie login attempt from a botnet that is authored in Java.
See this code example from openssh's packet.c
:
case SSH2_MSG_DISCONNECT:
if ((r = sshpkt_get_u32(ssh, &reason)) != 0 ||
(r = sshpkt_get_string(ssh, &msg, NULL)) != 0)
return r;
/* Ignore normal client exit notifications */
do_log2(ssh->state->server_side &&
reason == SSH2_DISCONNECT_BY_APPLICATION ?
SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR,
"Received disconnect from %s: %u: %.400s",
ssh_remote_ipaddr(ssh), reason, msg);
free(msg);
return SSH_ERR_DISCONNECTED;