I recently received the following alert in my /var/auth.log

Jun  1 22:29:32 [system_name] sshd[12591]: error: connect_to localhost port 80: failed.

Is there a way this could be triggered without someone successfully authenticating to my server? I don't think I did anything to trigger this alert (by trying to connect to my web server which is not running) so I am concerned that the system has been compromised in some way...

Thanks.

Did you by any chance use your linode as a proxy over ssh (i.e. to browse the web over a secure connection) that could bring up the error.

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue

Not that I know of, but maybe I clicked on something by accident. I have seen that error before in the situation that you describe. I was wondering if there was anything else that could cause it.

I'm pretty sure that needs to be an established session that then tried to forward a connection from the ssh client. One way this can happen accidentally is if you have some automatic forwarding set up in the client's ssh configuration (e.g., the same local ports are always mapped), and just happen to make a connection to the local port while connected. If it's too general in the configuration (not used with a limited host entry) it might even be forwarding you normally intend to use with a different target host.

One thing you can do is look earlier in your logs for the authentication step by the same sshd process id. It should at least let you know which user was used for that session.

-- David