When you see entries like `sshd[661]: error: connect_to 1.1.1.1 port 25: failed` in your `/var/log/auth.log`, this indicates SSH is attempting to establish a connection that's not originating from your server's direct configuration. The key insight is that sshd handles both incoming SSH connections and outbound tunnel requests.
The most common scenario involves remote clients establishing reverse tunnels:
```bash
# Typical client command causing such logs
ssh -R 25:1.1.1.1:25 user@your.server.com
```
This creates a tunnel where connections to `localhost:25` on your server get forwarded to `1.1.1.1:25` through the client's network. The error occurs when:
- The client's network blocks port 25 (common for residential ISPs)
- The target mail server rejects the connection
- DNS resolution fails for the target IP
To identify the source of these attempts:
```bash
# Find associated SSH sessions (the brackets must be escaped for grep)
grep "sshd\[661\]" /var/log/auth.log | grep -A 10 "session opened"

# Check active tunnels
ss -tnp | grep sshd

# Alternative with lsof
lsof -i -n | grep sshd | grep -E ":[0-9]+->"
```
For servers that shouldn't permit arbitrary tunnels:
```
# /etc/ssh/sshd_config
AllowTcpForwarding no
PermitTunnel no
AllowStreamLocalForwarding no

# For selective restrictions:
Match User restricted_user
    AllowTcpForwarding no
```
For detailed forensic analysis, consider adding these to sshd_config:
```
LogLevel VERBOSE
PrintMotd no
UseDNS yes
```
This provides more context in logs about connection sources and DNS resolution attempts.
The error message you're seeing in `/var/log/auth.log` indicates an SSH port forwarding attempt that failed:

```
Aug 10 09:10:16 hostname sshd[661]: error: connect_to 1.1.1.1 port 25: failed.
```
This occurs when a client establishes an SSH connection to your server and attempts to set up port forwarding to another host (in this case, 1.1.1.1 on port 25). Your SSH server (sshd) is acting as the intermediary in this connection attempt.
There are several possibilities:
- Legitimate users might be attempting to tunnel SMTP traffic through your server
- Misconfigured clients could be sending incorrect forwarding requests
- Malicious actors may be probing your server as a potential relay for spam
SSH handles three types of port forwarding:
1. Local port forwarding (-L)
2. Remote port forwarding (-R)
3. Dynamic port forwarding (-D)
The error suggests a remote forwarding attempt where the client wants to forward connections from your server to another destination (1.1.1.1:25).
To identify the source of these attempts, check the surrounding log entries for the connecting IP:

```bash
grep "sshd\[661\]" /var/log/auth.log | grep -A 5 -B 5 "connect_to"
```
You'll typically see an Accepted publickey/password entry preceding the error, showing which user/IP initiated the connection.
To restrict port forwarding in sshd_config:

```
# Disable all port forwarding
AllowTcpForwarding no

# Or limit to specific users
Match User trusteduser
    AllowTcpForwarding yes
```
Alternatively, use firewall rules to block outbound SMTP connections from your SSH server:

```bash
iptables -A OUTPUT -p tcp --dport 25 -j DROP
```
Frequent connection attempts to port 25 (SMTP) suggest potential abuse:
- Your server might be targeted as an open relay
- Compromised user accounts could be forwarding spam
- Brute force attempts might be testing for vulnerabilities
Consider implementing:

```
# Rate limiting in sshd_config
MaxAuthTries 3
LoginGraceTime 1m
```

```ini
# Fail2ban for SSH protection
[sshd]
enabled = true
maxretry = 3
```
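As an added example (not code from either answer above), this Python script does the PID correlation that both answers perform with grep: it links each `connect_to ... failed` entry to the `Accepted` line logged by the same `sshd[PID]` process, then counts failed port-25 forwards per user and source IP. The log lines, host name, user names and addresses are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/auth.log lines (hypothetical host, users and IPs).
SAMPLE_LOG = """\
Aug 10 09:10:01 hostname sshd[661]: Accepted publickey for alice from 198.51.100.7 port 51234 ssh2: ED25519 SHA256:EXAMPLEKEY
Aug 10 09:10:01 hostname sshd[661]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Aug 10 09:10:16 hostname sshd[661]: error: connect_to 1.1.1.1 port 25: failed.
Aug 10 09:10:17 hostname sshd[661]: error: connect_to 1.1.1.1 port 25: failed.
Aug 10 09:11:02 hostname sshd[702]: Accepted password for bob from 203.0.113.9 port 40022 ssh2
Aug 10 09:11:05 hostname sshd[702]: error: connect_to 192.0.2.10 port 443: failed.
Aug 10 09:12:00 hostname sshd[702]: pam_unix(sshd:session): session closed for user bob
"""

ACCEPTED_RE = re.compile(r"sshd\[(\d+)\]: Accepted (\w+) for (\S+) from (\S+) port \d+")
CONNECT_TO_RE = re.compile(r"sshd\[(\d+)\]: error: connect_to (\S+) port (\d+): failed")


def correlate_forwarding_failures(log_text):
    """Attribute each failed connect_to to the authenticated session with the same PID.
    sshd forks one child per connection, so the Accepted line and later forwarding
    errors share a PID. Returns one dict per failure; unknown sessions get '?'."""
    sessions = {}  # pid -> (user, source ip, auth method)
    failures = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            pid, method, user, src = m.groups()
            sessions[pid] = (user, src, method)
            continue
        m = CONNECT_TO_RE.search(line)
        if m:
            pid, dest, port = m.groups()
            user, src, method = sessions.get(pid, ("?", "?", "?"))
            failures.append({"pid": pid, "user": user, "src": src, "method": method,
                             "dest": dest, "port": int(port)})
    return failures


def smtp_attempts_by_user(failures, smtp_port=25):
    """Count failed port-25 forwards per (user, source IP): a climbing count for one
    account is the relay-abuse pattern the answers above describe."""
    counts = defaultdict(int)
    for f in failures:
        if f["port"] == smtp_port:
            counts[(f["user"], f["src"])] += 1
    return dict(counts)


if __name__ == "__main__":
    fails = correlate_forwarding_failures(SAMPLE_LOG)
    for f in fails:
        print(f"pid={f['pid']} user={f['user']} from={f['src']} -> {f['dest']}:{f['port']}")
    print(smtp_attempts_by_user(fails))
```

On a real host, pass the text of `/var/log/auth.log` (or `journalctl -u ssh --no-pager` output) in place of the constructed sample.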