I have a Debian box that is sending out random ssh connections to my other linux box on my network, my whole network is being pat'd with the only port being forwarded into my network is 22 which goes to the redhat box that is not causing an issue. My RedHat box has DenyHosts installed and running to catch all the script kiddies out there that try and brute force their way in. Now my question is, is the Debian box just acting flaky cause I didn't configure something correctly since it has never seen the outside world or is in fact been hacked? It sends "Did not receive identification string from ::ffff:10.0.0.12" every five minutes exactly. One question I have on top of this though. I have OpenNMS installed on the Debian machine, is it probing to see if the ssh server is still running or should it still get this from SNMP?

It sends "Did not receive identification string from ::ffff:10.0.0.12" every five minutes exactly. One question I have on top of this though. I have OpenNMS installed on the Debian machine, is it probing to see if the ssh server is still running or should it still get this from SNMP?
Looks like a good explanation, and I know I've seen similar with other tools like Nagios and Monit. Corellating timings between the NMS probe and the log entry should prove it.


or is in fact been hacked?
I strongly doubt that is the case (and even then *I* am not responsable for the box but you, so it's your call), but just in case you want to make certain the box is not cracked, start here:
Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html
Steps for Recovering from a UNIX or NT System Compromise (CERT): http://www.cert.org/tech_tips/root_compromise.html
LQ FAQ: Security references: http://www.linuxquestions.org/questi...threadid=45261

Thanks for your reply, I'll check into those.