The SSH server resets the TCP connection before authentication completes. This usually stems from network issues, brute-force attempts, or client timeout during key exchange.
The "[preauth]" tag indicates the connection was terminated before the authentication phase began. This commonly happens during the key exchange or initial protocol negotiation. The reset can originate from either the client dropping the connection unexpectedly or network hardware issues (firewalls, switches) forcing a TCP reset packet.
Run "tail -f /var/log/auth.log" or "journalctl -u sshd -f" on the server to monitor incoming connections and identify if the resets correlate with brute-force attempts or legitimate clients.
Look for patterns:
- Multiple failed password attempts from the same IP
- "Connection reset" entries in rapid succession
- Specific client IPs consistently triggering the error
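The pattern check above as a script, added here as an example (not part of the original page): it groups "Connection reset ... [preauth]" and "Failed password" entries by source IP and reports the busiest 600-second window per address. The log lines are constructed and assume traditional syslog timestamps, the name `summarize` and the burst/sporadic labels are assumptions, and the 5-events-in-600-seconds cutoff is borrowed from the fail2ban jail shown later on this page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the syslog format of /var/log/auth.log (RFC 5737 addresses).
SAMPLE_LOG = """\
Mar  3 10:15:01 srv sshd[2101]: Connection reset by 203.0.113.5 port 40110 [preauth]
Mar  3 10:15:03 srv sshd[2102]: Failed password for root from 203.0.113.5 port 40112 ssh2
Mar  3 10:15:04 srv sshd[2102]: Connection reset by authenticating user root 203.0.113.5 port 40112 [preauth]
Mar  3 10:15:09 srv sshd[2105]: Failed password for invalid user admin from 203.0.113.5 port 40120 ssh2
Mar  3 10:15:10 srv sshd[2105]: Connection reset by invalid user admin 203.0.113.5 port 40120 [preauth]
Mar  3 10:17:00 srv CRON[2200]: pam_unix(cron:session): session opened for user root
Mar  3 11:02:44 srv sshd[2310]: Connection reset by 198.51.100.23 port 51822 [preauth]
Mar  3 14:40:12 srv sshd[2977]: Connection reset by 198.51.100.23 port 51990 [preauth]
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: (.*)$")
PATTERNS = {
    # OpenSSH may put "authenticating user NAME" or "invalid user NAME" before the address.
    "reset": re.compile(r"Connection reset by (?:(?:authenticating|invalid) user \S+ )?(\S+) port \d+ \[preauth\]"),
    "failed": re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+"),
}

def summarize(log_text, maxretry=5, findtime=600, year=2024):
    """Per source IP: event counts, busiest findtime window, burst/sporadic verdict."""
    events = defaultdict(list)
    for m in filter(None, map(LINE.match, log_text.splitlines())):  # sshd entries only
        # Syslog timestamps carry no year; `year` is an assumption supplied by the caller.
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        for kind, rx in PATTERNS.items():
            hit = rx.search(m.group(2))
            if hit:
                events[hit.group(1)].append((when, kind))
    report = {}
    for ip, evs in events.items():
        evs.sort()
        peak = start = 0
        for end, (t, _) in enumerate(evs):
            # Slide the window start forward until it spans at most findtime seconds.
            while t - evs[start][0] > timedelta(seconds=findtime):
                start += 1
            peak = max(peak, end - start + 1)
        kinds = [k for _, k in evs]
        report[ip] = {"resets": kinds.count("reset"), "failed": kinds.count("failed"),
                      "peak": peak, "verdict": "burst" if peak >= maxretry else "sporadic"}
    return report

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

An address with a "burst" verdict matches the rapid-succession pattern; a "sporadic" one with resets but no failed passwords points more toward a client or network problem.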
Stop the running SSH server and run it in debug mode to capture detailed connection information:
sudo systemctl stop sshd
sudo sshd -dd
In another terminal, attempt a connection:
ssh -vvv user@target-host
Debug output will show exactly where the connection breaks (key exchange, authentication, etc.). Stop with Ctrl+C when done.
Restart SSH normally:
sudo systemctl start sshd
Edit /etc/ssh/sshd_config and ensure essential options are configured:
sudo nano /etc/ssh/sshd_config
Key settings to check:
- LoginGraceTime 120 (grace period for auth before reset)
- MaxAuthTries 6 (max failed attempts)
- PubkeyAuthentication yes (enable key auth)
- PasswordAuthentication yes (enable password auth, if needed)
- AuthorizedKeysFile .ssh/authorized_keys (correct path)
After editing, validate the config:
sudo sshd -t
If valid, restart SSH:
sudo systemctl restart sshd
Slow DNS or GSSAPI authentication can time out during preauth. Edit /etc/ssh/sshd_config:
GSSAPIAuthentication no
UseDNS no
These settings prevent the server from performing reverse DNS lookups or attempting Kerberos authentication, both of which can cause timeouts.
Validate and restart:
sudo sshd -t && sudo systemctl restart sshd
If logs show repeated "Connection reset" from specific IPs, install and configure fail2ban to block attackers:
sudo apt-get install fail2ban
sudo systemctl start fail2ban
Create /etc/fail2ban/jail.local:
[sshd]
enabled = true
port = ssh
logpath = /var/log/auth.log
maxretry = 5
findtime = 600
bantime = 3600
Restart fail2ban:
sudo systemctl restart fail2ban
View currently banned IPs:
sudo fail2ban-client status sshd
Use tcpdump to inspect the actual network traffic:
sudo tcpdump -i eth0 -n host <client-ip> and port 22
Attempt a connection from the client and examine the output. Look for:
- SYN/SYN-ACK/ACK handshake (should succeed)
- RST packets with "no window, length or ip.id set" (indicates faulty hardware)
- Normal TLS/SSH handshake followed by immediate RST (indicates server issue)
If the RST packets appear anomalous, the problem is likely faulty network hardware (switch, firewall). Contact your network administrator to replace or reconfigure the hardware.
Systemd socket-activated SSH can encounter concurrent connection issues where multiple incoming connections (e.g., IPv6 ::1 and IPv4 127.0.0.1) arriving simultaneously cause one to be reset. If you suspect this, temporarily disable socket activation and use the traditional SSH service by disabling ssh.socket and enabling ssh.service. After testing, you can re-enable socket activation if the reset was a one-time occurrence.
OpenSSH 7.3 and newer provide more descriptive error messages in logs. If you're running an older version, consider upgrading to get clearer diagnostics of preauth failures.
Deprecated SSH algorithms (e.g., diffie-hellman-group1-sha1) may cause client/server incompatibility during key exchange. If both sides have these disabled, the handshake fails with a reset. Use "ssh -Q kex" to list available key exchange methods and adjust /etc/ssh/sshd_config or client ~/.ssh/config accordingly.