On Fri, Nov 04, 2005 at 11:18:59PM +1100, Darren Tucker wrote:
> [...] it looks like the ssh connection was being
> dropped immediately after establishment (such as would be expected if,
> eg, you are using tcpwrappers).

Damien's explanation of this as nmap-like half-open scanning is much
better than the one above (for one thing, a connection dropped by
tcpwrappers should have the entire 3way tcp handshake).

BTW I've decoded all of the first 2 packets: they're pretty vanilla TCP
syn/synack packets to/from port 22 with tcp options (MSS=1460 and "SACK
permitted"). Nothing of interest.

Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

openssh-unix-dev mailing list