# sshd: Did not receive identification string from UNKNOWN

## lazyleopard

Before a recent update (glibc-2.3.5-r3? openssh-4.2_p1-r1?) sshd would report the IP addresses of hosts that made half-hearted attempts to establish a connection thus:

```
Did not receive identification string from 1.2.3.4
```

where 1.2.3.4 is the offender's IP address. Since the update it has instead been reporting

```
Did not receive identification string from UNKNOWN
```

Anyone any ideas where the IP address has gone?

----------

## julot

It could be a bad generated tcp/ip packet, so that could be a reason from the lack of ip header, or a IPV6 packet, or even another type of packet (UDP, PPPoE, PPPTP, Tunnel).

See 2.0 and 1.4

 *Quote:*   

> 
> 
> 2.7. The lack of unique identifiers 
> 
>  When the Internet was still young, back in the 1980's, one could use an IP address to safely identify and locate a host. Addresses were both spatially unique (no one else had an identical address) and temporally unique (addresses didn't change). However, this is no longer the case [RFC2101]. Today, IP addresses may exhibit seemly strange behavior that makes identifying and locating hosts much harder. The widespread use of protocols such as PPP/SLIP [RFC1990] and DHCP [RFC1541] allow a specific host's address to change over time: per-connection in the case of PPP/SLIP, while DHCP allows hosts to "lease" IP addresses for arbitrary lengths of time. On even larger time scales, details in the current Internet routing structure (i.e., Classless InterDomain Routing, "CIDR" [RFC1519]) may require that if a domain changes service providers, they will have to change their assigned range of IP addresses. Firewalls, proxy socket servers, and other "Network Address Translators" further complicate the use of IP addresses as identifiers, because they may translate addresses as traffic moves between the internal and external networks. Different hosts may appear to be using identical IP addresses, or different IP addresses may be the same host. Thus, IP addresses can no longer be used to uniquely identify a host, even over short time periods. Any security schemes which rely upon IP addresses remaining temporally or spatially unique may have vulnerabilities.
> ...

 

[url]

http://www.linuxsecurity.com/resource_files/documentation/tcpip-security.html

[/url]

Greetings

----------

## lazyleopard

I don't think that's the cause of this particular message, which I'm seeing even when local hosts with good connectivity are involved. It started happening after glibc-2.3.5-r3 and openssh-4.2_p2-r1 were installed. Unfortunately they both appeared in the same emerge so I'm not certain which one is responsible, but I suspect the glibc change is more likely the cause...

----------

