Hòla,

Looking at my logs, I just noticed that SSHd was restarting in average once in a month. Is this considered normal behavior from SSHd?

It looks like it's not related to nothing in my crontabs. The hours and the day in the month are completely random.

Thanks!

What OS/version? Could you post a log snippet?

AFAIK, no, it is not normal behavior for sshd (at least I don't see any evidence of it on my FBSD 6.x / 7.0 boxes).

Thanks for your reply anomie.

I must confess this machine runs Linux Red Hat. It is running OpenSSH version: OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003

Here is the latest log snippet.
Apr 25 19:50:11 log02 sshd[3180]: Received signal 15; terminating.
Apr 27 11:28:04 log02 sshd[3155]: Server listening on :: port 22.
Apr 27 11:28:04 log02 sshd[3155]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
However, as this one is pretty strange (killed on 25th and restarted on the 27th) I am posting this one too:
Nov 19 09:39:03 log02 sshd[3153]: Received signal 15; terminating.
Nov 19 09:39:06 log02 sshd[6573]: Server listening on :: port 22.
Nov 19 09:39:06 log02 sshd[6573]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
Nov 19 09:40:17 log02 sshd[6573]: Received signal 15; terminating.
Nov 19 09:40:20 log02 sshd[7597]: Server listening on :: port 22.
Nov 19 09:40:20 log02 sshd[7597]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.

Thanks.

I must confess this machine runs Linux Red Hat.

No problems -- personally, I like the RHEL family very much.

Anyway, let me ask you: are you perchance restarting the iptables service around the same time that you are seeing those sshd restarts?

The reason I ask is I've noticed that if you have a default DROP policy for your INPUT chain, then restarting the iptables service may 1) terminate your current ssh connection; 2) generate unusual log messages from sshd similar to what you've posted.

If you (or someone) are not restarting iptables, then it looks like some process is trying to kill sshd and then fire up another one too quickly (since it says it can't bind to tcp 22). Maybe logrotate? Although that doesn't explain the seemingly random times you're seeing.

You are right anomie. I have a script that changes the INPUT chain's policy for some maintenance operations. This might be cause of my worries.

Thank you very much for your answer anomie. That was very helpful. Thanks!