Failed SSH connections on ports that are closed in the Firewall

I have a droplet running Debian 11. I use a Digital Ocean cloud firewall that allows incoming traffic on 80, 443 and a non-standard port for SSH, let’s say 20202. I’ve noticed that /var/log/auth.log contains pairs of lines like this:

sshd[214153]: error: kex_exchange_identification: banner line contains invalid characters
sshd[214156]: banner exchange: Connection from port 56694: invalid format

I interpret this to mean that this IP in Viet Nam connected to my droplet and communicated with sshd on port 56694, which is not the SSH port I use and which is not opened to incoming traffic on the firewall.

A stack overflow post explains this error as follows: “note that ssh reports this error when connecting to a webserver (https) by mistake instead of a sshd.”

However, there is no entry like this in the log if I attempt to SSH to the droplet on port 443. Though I do get a key exchange error on the client side:

$ ssh -p 443 me@[my droplet IP]
kex_exchange_identification: Connection closed by remote host
Connection closed by [my droplet IP] port 443

My question is this: How and why is my droplet reporting traffic to sshd on a port that is not opened in Digital Ocean’s firewall?

Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Site Moderator
Site Moderator badge
May 2, 2023

Hey @mattd12d,

The port mentioned in the log (56694) is the source port from which the client ( is connecting to your server. It does not represent the destination port on your server where the SSH daemon (sshd) is listening.

The source port is usually a random high-numbered port assigned by the client’s operating system for each new outgoing connection. The destination port on your server is the one that should be restricted by the Digital Ocean firewall rules.

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

card icon
Get our biweekly newsletter

Sign up for Infrastructure as a Newsletter.

Sign up
card icon
Hollie's Hub for Good

Working on improving health and education, reducing inequality, and spurring economic growth? We’d like to help.

Learn more
card icon
Become a contributor

You get paid; we donate to tech nonprofits.

Learn more
Welcome to the developer cloud

DigitalOcean makes it simple to launch in the cloud and scale up as you grow – whether you’re running one virtual machine or ten thousand.

Learn more ->
DigitalOcean Cloud Control Panel