I have a droplet running Debian 11. I use a Digital Ocean cloud firewall that allows incoming traffic on 80, 443 and a non-standard port for SSH, let’s say 20202. I’ve noticed that /var/log/auth.log contains pairs of lines like this:
sshd: error: kex_exchange_identification: banner line contains invalid characters sshd: banner exchange: Connection from 126.96.36.199 port 56694: invalid format
I interpret this to mean that this IP in Viet Nam connected to my droplet and communicated with sshd on port 56694, which is not the SSH port I use and which is not opened to incoming traffic on the firewall.
A stack overflow post explains this error as follows: “note that ssh reports this error when connecting to a webserver (https) by mistake instead of a sshd.”
However, there is no entry like this in the log if I attempt to SSH to the droplet on port 443. Though I do get a key exchange error on the client side:
$ ssh -p 443 me@[my droplet IP] kex_exchange_identification: Connection closed by remote host Connection closed by [my droplet IP] port 443
My question is this: How and why is my droplet reporting traffic to sshd on a port that is not opened in Digital Ocean’s firewall?
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.