Monday, March 15, 2010

Strange "Connection closed by" in log files every minute

Recently I had been installing different types of software to help me track my server. Some days after doing this however, my server started reporting a strange message in the log files.

The following would show up in my logs with a different GUID and  timestamp of course on one minute intervals.
Mar 15 13:03:27 server 1 sshd[16979]: Connection closed by

To solve this mystery I began trying to think of the possibilities of what it could be. What had I just installed that would be doing this? My memory sucks and I couldn't remember, so I began looking through the web to see if anyone had any solutions. A coworker of mine suggested using a netstat command ("netstat -lep --tcp") to see what services were running and which ones were newly installed on my server. I went through and turned off the services one at a time until I found the culprit. Monit had been installed some days earlier but the configuration file had errored out producing the message above in my log. Stopping the service ("/sbin/service monit stop"), the error no longer appeared in the log file. With some fixing, I am sure the wrongs in the Monit config file could be made right, but for now I am just going to keep it off.

Hope this helps someone else with the same issue. Good luck.


fishface said...

Same issue, sshd, monit, your tips saved me a heap of time, thanks!

Yossi Shushan said...

Same issue here.

Thank you very much!