kex_exchange_identification: Connection closed by remote host
I of course have a Linode VPS server. I also have a small shared server on Pair.com used only for email on one domain.
I have a bash script that runs (via crontab) on Pair each night, as it has for well over a YEAR, that truncates some logs and then goes out to the Linode server to write a "completion message" to a text file.
The command in the script is simple:
ssh xxx@111.22.333.44 "echo \"$(date +%s) $(date '+%b %d %I:%M:%S') pair delete logs: delete-wwww-logs.sh\" >> /home/xxx/msg/msg-file.txt"
This morning I saw that the message was not written. I checked the error logs on Pair and saw:
kex_exchange_identification: Connection closed by remote host
Connection closed by 111.22.333.44 port 22
I researched and found that there are a zillion reasons for this error message to be written.
I re-ran the Pair script again (via crontab) and it ran just fine, like it has each night.
I didn't see anything in the auth.log (which is huge… 7Mb and I don't know why!).
Can anyone give me an idea of what might have happened on the Linode server (Ubuntu 20.04 LTS) that would close the port? The Linode server gets ZERO traffic at 2 AM when this is run. I don't know the traffic on the shared Pair server where the script is run.
Thanks.
3 Replies
I have a bash script that runs (via crontab) on Pair each night, as it has for well over a YEAR that truncates some logs
This is why God invented logrotate… You should use this instead of inventing something new. Log files do not have to reside in /var/log for logrotate to be able to manage them (you tell logrotate where they live…as well as ownership/permissions/etc).
https://www.linode.com/docs/guides/use-logrotate-to-manage-log-files/
and then goes out to the Linode server to write a "completion message" to a text file.
Why don't you use logger to write these to syslog (where they belong)?
https://linuxhint.com/use-logger-command-linux/
Again, it's why God invented syslog…and the very easy-to-use cli program logger to provide access to it from shell scripts…even to syslog daemons on remote nodes (firewall configurations notwithstanding). No wonder your auth.log file is so "big"…
kex_exchange_identification: Connection closed by remote host
Connection closed by <redacted IP address> port 22
The most common reason for this is an interruption of communication between ssh (your cron job) and sshd (the ssh server). Coulda been cosmic rays…or hurricanes…**it happens…
I didn't see anything in the auth.log (which is huge… 7Mb and I don't know why!).
7Mb is not that big…esp if you have a lot of auth events (ssh logins are not the only things that cause auth events…every use of sudo…including those used in cron jobs…causes multiple auth events). Rotate your auth.log more often. More often than not, the installed-default log rotation specifications (in /etc/logrotate.d) on a Linux distro (depends on the distro) are inadequate for a production system. See above and:
https://www.linuxshelltips.com/rotate-logs-with-logrotate-linux/
It's easy to do…
Alternatively, change your default sshd LogLevel from INFO to something less verbose (from the sshd_config(5) man page):
LogLevel
Gives the verbosity level that is used when logging messages from sshd(8). The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging output. Logging with a DEBUG level violates the privacy of users and is not recommended.
-- sw
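An added example, not part of the replies above: one way for the nightly cron job to ride out a one-off dropped connection like the one in the question. ssh exits with 255 when the connection itself fails and otherwise returns the remote command's status, so only 255 is retried. The names ssh_with_retry, MAX_TRIES and BASE_DELAY are assumptions made for this sketch.

```shell
# Added example, not from the thread. ssh_with_retry, MAX_TRIES and
# BASE_DELAY are hypothetical names.
# ssh exits 255 when the connection itself fails (the case behind
# "kex_exchange_identification: Connection closed by remote host");
# any other status is the remote command's own exit code.
ssh_with_retry() {
    local max_tries="${MAX_TRIES:-4}" delay="${BASE_DELAY:-30}" try=1 rc
    while :; do
        rc=0
        "$@" || rc=$?
        # Success, or a remote-side failure that reconnecting will not fix.
        if [ "$rc" -ne 255 ]; then
            return "$rc"
        fi
        if [ "$try" -ge "$max_tries" ]; then
            echo "ssh_with_retry: giving up after $try attempts" >&2
            return 255
        fi
        echo "ssh_with_retry: attempt $try failed, retrying in ${delay}s" >&2
        sleep "$delay"
        delay=$((delay * 2))   # exponential backoff between attempts
        try=$((try + 1))
    done
}

# In the nightly cron script (host as written in the question):
# ssh_with_retry ssh -o BatchMode=yes -o ConnectTimeout=15 \
#     xxx@111.22.333.44 "<remote command>"
```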
Thanks for the tips. Logrotate is working OK:
7400819 Sep 30 11:09 auth.log
8919412 Sep 25 00:00 auth.log.1
763195 Sep 18 00:00 auth.log.2.gz
707362 Sep 11 00:00 auth.log.3.gz
779694 Sep 4 00:00 auth.log.4.gz
I don't know why the most recent two are larger than the others. Maybe I'm being attacked by SSH bots for these days? I believe that each attack is logged to /var/log/auth.log .
I don't know why the btmp files are so huge unless I'm constantly under attack.
43616256 Sep 30 11:08 btmp
40076544 Aug 31 23:56 btmp.1
Why don't you use logger to write these to syslog (where they belong)?
I have a complex set of bash scripts to backup my domains, scripts, dump my EspoCRM databases etc. All this stuff is sent to a 3rd party server for backup (https://rsync.net). Error or completion messages are sent to a text file which is sent to me each night via the "ssmtp" program to view in the morning… like this output:
Sent on Fri Sep 30 04:31:01 PDT 2022 by send-msg.sh
Date/time sort
1 -- Sep 30 00:05:01 crontab backup mars
2 -- Sep 30 00:16:01 crontab backup root saturn
3 -- Sep 30 01:02:01 espo cron2 www-data
4 -- Sep 30 01:05:03 espo db backup: espo-db-backup.sh
5 -- Sep 30 01:30:05 address sent to rsync site: addressbookbackup.sh
6 -- Sep 30 01:35:02 jane address backup: jane-backup.sh
7 -- Sep 30 01:40:02 scripts backup: anc1-script-zip.sh
8 -- Sep 30 01:50:01 espo bak NOT DONE: espo-bak-db.sh
9 -- Sep 30 02:02:01 truncate logs root_mars mars-truncate-logs-sh
10 -- Sep 30 02:06:01 truncate web logs (Sat_root): saturn-truncate-logs.sh
11 -- Sep 30 03:45:03 espo version NOT-FOUND Sat: espo-version.sh
Alpha sort
1 -- Sep 30 01:30:05 address sent to rsync site: addressbookbackup.sh
2 -- Sep 30 00:05:01 crontab backup mars
3 -- Sep 30 00:16:01 crontab backup root saturn
4 -- Sep 30 01:50:01 espo bak NOT DONE: espo-bak-db.sh
5 -- Sep 30 01:02:01 espo cron2 www-data
6 -- Sep 30 01:05:03 espo db backup: espo-db-backup.sh
7 -- Sep 30 03:45:03 espo version NOT-FOUND Sat: espo-version.sh
8 -- Sep 30 01:35:02 jane address backup: jane-backup.sh
9 -- Sep 30 01:40:02 scripts backup: anc1-script-zip.sh
10 -- Sep 30 02:02:01 truncate logs root_mars mars-truncate-logs-sh
11 -- Sep 30 02:06:01 truncate web logs (Sat_root): saturn-truncate-logs.sh
Errors:
No errors found
-end-
The above shows me what the job is (does) and the script that ran it. These are just my daily jobs. I backup websites twice a month and my Piwigo picture gallery monthly and those would show here when run as well.
(I also pay for the Linode Backup service since it is only $10 USD… although I have no idea how I'd actually use it if needed… but I'm sure there is a Linode Guide out there.)
I'm sure there are large backup packages that would do all this stuff for me but having been a programmer for 45 years (started in WATFOR Fortran in 1972) I have the skill-set to write these 20+ bash scripts myself to "do" what works best for ME! (Also, it was fun!)
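An added example, not part of the post above: a quick way to see what is actually filling auth.log, splitting entries into failed SSH logins (with a count per source address), accepted logins, cron sessions and sudo events. The log lines are constructed samples in Ubuntu's auth.log format, and the function names are assumptions made for this sketch.

```shell
# Added example, not from the thread. The log lines below are constructed
# samples (documentation IP ranges); function names are hypothetical.
make_sample_log() {
cat <<'EOF'
Sep 29 02:01:13 host sshd[1001]: Invalid user admin from 203.0.113.7 port 40122
Sep 29 02:01:15 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Sep 29 02:03:40 host sshd[1010]: Failed password for root from 198.51.100.23 port 51234 ssh2
Sep 30 02:02:01 host sshd[1100]: Accepted publickey for xxx from 192.0.2.10 port 50000 ssh2
Sep 30 02:02:01 host CRON[1101]: pam_unix(cron:session): session opened for user root by (uid=0)
Sep 30 02:05:09 host sshd[1102]: Failed password for root from 203.0.113.7 port 40200 ssh2
Sep 30 02:05:11 host sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
EOF
}

# Print one "category count" line per event type and one
# "src address count" line per source of failed SSH logins.
summarize_auth_log() {
    awk '
    /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
        kind["failed_ssh"]++
        ip = ""
        # The source address is the field after the last "from".
        for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip != "") src[ip]++
        next
    }
    /sshd\[[0-9]+\]: Accepted / { kind["accepted_ssh"]++; next }
    / CRON\[[0-9]+\]: /          { kind["cron"]++; next }
    / sudo: /                    { kind["sudo"]++; next }
    { kind["other"]++ }
    END {
        for (k in kind) printf "%s %d\n", k, kind[k]
        for (s in src)  printf "src %s %d\n", s, src[s]
    }' "$1" | sort
}

# Demo on the constructed sample; on a server, pass /var/log/auth.log instead.
sample=$(mktemp) && make_sample_log > "$sample" && summarize_auth_log "$sample"
```

btmp is a binary record of failed logins, so it is read with lastb rather than with text tools like the one above.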
You missed my point completely…
(started in WATFOR Fortran in 1972)
I started with this in 1971 (WATFOR stood for "Waterloo FORTRAN"…after the University of Waterloo in Ontario, Canada…where it was invented). They had WATBOL too…
My first experience was in 1970 with IBM FORTRAN IV (in high school).
-- sw