Security issue?

I recently received the following alert in my /var/auth.log:

Jun  1 22:29:32 [system_name] sshd[12591]: error: connect_to localhost port 80: failed.

Is there a way this could be triggered without someone successfully authenticating to my server? I don't think I did anything to trigger this alert (by trying to connect to my web server which is not running) so I am concerned that the system has been compromised in some way…

Thanks.

3 Replies

Did you by any chance use your Linode as a proxy over ssh (i.e. to browse the web over a secure connection)? That could bring up the error.

Not that I know of, but maybe I clicked on something by accident. I have seen that error before in the situation that you describe. I was wondering if there was anything else that could cause it.

I'm pretty sure that needs to be an established session that then tried to forward a connection from the ssh client. One way this can happen accidentally is if you have some automatic forwarding set up in the client's ssh configuration (e.g., the same local ports are always mapped), and just happen to make a connection to the local port while connected. If it's too general in the configuration (not used with a limited host entry) it might even be forwarding you normally intend to use with a different target host.

One thing you can do is look earlier in your logs for the authentication step by the same sshd process id. It should at least let you know which user was used for that session.

– David
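The log check suggested in the reply above, as an added example that is not part of the original thread: it pairs each `connect_to ... failed` line with the most recent earlier `Accepted` line logged under the same sshd PID. The sample log lines, hostname, users and addresses are constructed, and the script assumes the syslog-style format shown in the question and that the login and the error share a PID, as the reply describes.

```python
import re

# Constructed sample lines in auth.log format (hostname, PIDs, users, addresses are made up).
SAMPLE_LOG = """\
Jun  1 09:14:03 host1 sshd[12591]: Accepted password for olduser from 192.0.2.10 port 40112 ssh2
Jun  1 09:20:47 host1 sshd[12591]: pam_unix(sshd:session): session closed for user olduser
Jun  1 22:05:10 host1 sshd[12400]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jun  1 22:11:58 host1 sshd[12591]: Accepted publickey for alice from 198.51.100.23 port 51514 ssh2
Jun  1 22:29:32 host1 sshd[12591]: error: connect_to localhost port 80: failed.
Jun  1 23:01:00 host1 sshd[13002]: error: connect_to localhost port 8080: failed.
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPTED = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
FORWARD_FAIL = re.compile(r"^error: connect_to (?P<host>\S+) port (?P<port>\d+): failed")

def correlate(log_text):
    """Pair each failed forward with the latest earlier login logged under the same sshd PID."""
    last_login = {}   # pid -> most recent "Accepted" record seen so far
    findings = []
    for raw in log_text.splitlines():
        line = LINE.match(raw)
        if not line:
            continue
        pid, msg = line["pid"], line["msg"]
        login = ACCEPTED.match(msg)
        if login:
            # Overwrite on purpose: PIDs are reused, so only the newest login per PID counts.
            last_login[pid] = {"login_ts": line["ts"], **login.groupdict()}
            continue
        fail = FORWARD_FAIL.match(msg)
        if fail:
            findings.append({"ts": line["ts"], "pid": pid,
                             "target": f'{fail["host"]}:{fail["port"]}',
                             "session": last_login.get(pid)})  # None: no login line for this PID
    return findings

if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        s = f["session"]
        who = (f'{s["user"]} from {s["ip"]} via {s["method"]} at {s["login_ts"]}'
               if s else "no login line found for this PID")
        print(f'{f["ts"]} sshd[{f["pid"]}] forward to {f["target"]} failed: {who}')
```

A finding with no matching login line means the authentication step was not in the text examined, for example because it sits in a rotated log file.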
