Feb 8 16:56:54 sanyalnet-awsec2-1 sshd[25119]: Bad protocol version identification 'GET / HTTP/1.1' from 107.6.183.226 port 34676
Feb 8 16:56:56 sanyalnet-awsec2-1 sshd[25120]: Bad protocol version identification '\026\003\001' from 107.6.183.226 port 37512
Feb 8 16:56:58 sanyalnet-awsec2-1 sshd[25121]: Bad protocol version identification '\026\003\001' from 107.6.183.226 port 41985
Feb 8 16:57:00 sanyalnet-awsec2-1 sshd[25122]: Bad protocol version identification '\200.\001' from 107.6.183.226 port 38391
Feb 8 22:47:55 solaris11-3.sanyalnet.lan sshd[18430]: [ID 800047 auth.info] Bad protocol version identification '#026#003#001' from 10.100.0.129
Feb 8 22:47:55 solaris11-3.sanyalnet.lan sshd[18431]: [ID 800047 auth.info] Bad protocol version identification '#026#003#001' from 10.100.0.129
Feb 8 22:49:00 solaris11-3.sanyalnet.lan sshd[18432]: [ID 800047 auth.info] Bad protocol version identification '#026#003#001' from 10.100.0.129
Feb 8 22:49:00 solaris11-3.sanyalnet.lan sshd[18433]: [ID 800047 auth.info] Bad protocol version identification '#026#003#001' from 10.100.0.129
Feb 9 00:15:08 solaris11-3.sanyalnet.lan sshd[18454]: [ID 800047 auth.info] Bad protocol version identification '#026#003#001' from 66.249.83.79
Feb 9 01:34:11 solaris11-3.sanyalnet.lan sshd[18480]: [ID 800047 auth.info] Bad protocol version identification '#026#003#001' from 10.100.0.129
Feb 9 01:34:11 solaris11-3.sanyalnet.lan sshd[18481]: [ID 800047 auth.info] Bad protocol version identification '#026#003#001' from 10.100.0.129
sshd logs this message whenever the first line a client sends is not an "SSH-x.y-..." identification string, and the escaped bytes say what was sent instead. '\026\003\001' is 0x16 0x03 0x01, the start of a TLS record header (content type 22 = handshake, record version 3.1), i.e. a TLS ClientHello; '\200.\001' is 0x80 0x2E 0x01, the start of an SSLv2-style CLIENT-HELLO (high bit set on the two-byte length header, message type 1); 'GET / HTTP/1.1' is plain HTTP. Solaris writes the same non-printable bytes with a '#' prefix instead of '\'. So this nuisance is caused by folks mistakenly, or with nefarious intentions, sending HTTP and HTTPS requests to sshd instead of to a web server. (Maybe the fact that I forward port 443 to port 22 on some servers just for sadistic pleasure may have something to do with it.)
The following command line produces a list of IP addresses causing this kind of attack and filters out the RFC 1918 private subnets (the cut drops the trailing "port NNNN" that the Linux lines carry; the Solaris lines end with the address). Note that the filter does not cover loopback (127/8), link-local or IPv6 sources, so glance at the output before feeding it to a blocklist:
egrep "Bad protocol version identification" /var/log/messages | sed -e "s/^.*from //" | cut -f 1 -d " " | sort -V | uniq | egrep -v '^(192\.168|10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.)'
producing, for the dump at the top:
66.249.83.79
107.6.183.226
These IPs can then be added to any IP blocklist in use. Before publishing an address it is worth checking whose it is (whois, reverse DNS) and how often it recurs: a single stray TLS hello is weaker evidence than the four probes (HTTP, TLS, TLS, SSLv2) that 107.6.183.226 sent within six seconds above. I plan to add them to my popular free public IP blocklist at http://sanyalnet-cloud-vps.freeddns.org/mirai-ips.txt (which started off as a list of Mirai botnet attack sources but is much more now over the years).
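As an added example, not part of the original post: a Python version of the same triage that handles both log formats shown above, decodes the octal escapes, labels each payload as HTTP, TLS or SSLv2, and uses the ipaddress module instead of a hand-written regex for the private-address filter (so loopback, link-local and IPv6 are covered too). The sample log is constructed from the lines above plus two private-address lines and one unrelated sshd line; the function names and the class labels are this example's own.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample log. The external addresses, hostnames and the two escape
# styles (\ooo from OpenSSH on Linux, #ooo from Solaris) are copied from the
# excerpt in the post; the 127.0.0.1, 192.168.1.5 and "Connection closed" lines
# are added here to exercise the private-address filter and the non-matching case.
SAMPLE_LOG = r"""
Feb 8 16:56:54 sanyalnet-awsec2-1 sshd[25119]: Bad protocol version identification 'GET / HTTP/1.1' from 107.6.183.226 port 34676
Feb 8 16:56:56 sanyalnet-awsec2-1 sshd[25120]: Bad protocol version identification '\026\003\001' from 107.6.183.226 port 37512
Feb 8 16:57:00 sanyalnet-awsec2-1 sshd[25122]: Bad protocol version identification '\200.\001' from 107.6.183.226 port 38391
Feb 8 22:47:55 solaris11-3.sanyalnet.lan sshd[18430]: [ID 800047 auth.info] Bad protocol version identification '#026#003#001' from 10.100.0.129
Feb 9 00:15:08 solaris11-3.sanyalnet.lan sshd[18454]: [ID 800047 auth.info] Bad protocol version identification '#026#003#001' from 66.249.83.79
Feb 9 02:00:00 sanyalnet-awsec2-1 sshd[25140]: Bad protocol version identification '\026\003\001' from 127.0.0.1 port 40000
Feb 9 02:01:00 sanyalnet-awsec2-1 sshd[25141]: Bad protocol version identification 'GET / HTTP/1.1' from 192.168.1.5 port 40001
Feb 9 02:02:00 sanyalnet-awsec2-1 sshd[25142]: Connection closed by 107.6.183.226 port 38391 [preauth]
"""

# Matches the Linux form (trailing "port N") and the Solaris form ("[ID ...]"
# prefix, no port). The payload is everything between the quotes.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?:\[ID \d+ \S+\] )?"
    r"Bad protocol version identification '(?P<payload>.*?)' from (?P<ip>\S+)"
)

# sshd writes each non-printable byte as a three-digit octal escape: \ooo on
# OpenSSH/Linux, #ooo on Solaris. Printable bytes (like the '.' = 0x2E in
# '\200.\001') are left as-is.
ESC_RE = re.compile(r"[\\#]([0-7]{3})")

HTTP_METHOD_RE = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|CONNECT|PATCH|TRACE) ")


def decode_payload(text: str) -> bytes:
    """Undo the octal escaping and return the raw bytes the client sent."""
    out = bytearray()
    pos = 0
    for m in ESC_RE.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1), 8))
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def classify(payload: bytes) -> str:
    """Name the protocol the first bytes belong to."""
    if HTTP_METHOD_RE.match(payload):
        return "http-request"
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        # TLS record header: content type 22 (handshake), record version 3.x.
        # Only three bytes reach the log, which is consistent with the fourth
        # byte (high byte of the record length, 0x00 for a ClientHello shorter
        # than 256 bytes) terminating the C string that sshd logs.
        return "tls-handshake-3.%d" % payload[2]
    if len(payload) >= 3 and payload[0] & 0x80 and payload[2] == 0x01:
        # SSLv2-style record: high bit set on the two-byte length header,
        # message type 1 = CLIENT-HELLO, followed by a 0x00 version byte that
        # truncates the log in the same way.
        return "sslv2-client-hello"
    return "other"


def offending_sources(log_text: str, include_private: bool = False) -> dict:
    """Map each source IP to a Counter of payload classes seen from it."""
    sources = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # not an address (e.g. a hostname); never blocklist it
        # is_private covers RFC 1918, loopback, link-local and IPv6 ULA,
        # which the post's regex only partly does (it skips 127/8 and IPv6).
        if addr.is_private and not include_private:
            continue
        sources[str(addr)][classify(decode_payload(m.group("payload")))] += 1
    return dict(sources)


def blocklist(log_text: str) -> list:
    """Unique non-private sources in numeric order (the intent of sort -V | uniq)."""
    return sorted(
        offending_sources(log_text),
        key=lambda s: (ipaddress.ip_address(s).version, int(ipaddress.ip_address(s))),
    )


if __name__ == "__main__":
    for ip, kinds in sorted(offending_sources(SAMPLE_LOG).items()):
        print(ip, dict(kinds))
    print("\n".join(blocklist(SAMPLE_LOG)))
```

Run against the sample it prints the same two addresses as the shell pipeline, plus a per-address breakdown of what each one sent, which is the detail you want before deciding whether an address belongs on a public blocklist. Point it at /var/log/messages by reading the file into offending_sources instead of SAMPLE_LOG.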
Screen dump:
# grep "Bad protocol version identification" /var/log/messages
Feb 8 16:56:54 sanyalnet-awsec2-1 sshd[25119]: Bad protocol version identification 'GET / HTTP/1.1' from 107.6.183.226 port 34676
Feb 8 16:56:56 sanyalnet-awsec2-1 sshd[25120]: Bad protocol version identification '\026\003\001' from 107.6.183.226 port 37512
Feb 8 16:56:58 sanyalnet-awsec2-1 sshd[25121]: Bad protocol version identification '\026\003\001' from 107.6.183.226 port 41985
Feb 8 16:57:00 sanyalnet-awsec2-1 sshd[25122]: Bad protocol version identification '\200.\001' from 107.6.183.226 port 38391
Feb 8 22:47:55 solaris11-3.sanyalnet.lan sshd[18430]: [ID 800047 auth.info] Bad protocol version identification '#026#003#001' from 10.100.0.129
Feb 8 22:47:55 solaris11-3.sanyalnet.lan sshd[18431]: [ID 800047 auth.info] Bad protocol version identification '#026#003#001' from 10.100.0.129
Feb 8 22:49:00 solaris11-3.sanyalnet.lan sshd[18432]: [ID 800047 auth.info] Bad protocol version identification '#026#003#001' from 10.100.0.129
Feb 8 22:49:00 solaris11-3.sanyalnet.lan sshd[18433]: [ID 800047 auth.info] Bad protocol version identification '#026#003#001' from 10.100.0.129
Feb 9 00:15:08 solaris11-3.sanyalnet.lan sshd[18454]: [ID 800047 auth.info] Bad protocol version identification '#026#003#001' from 66.249.83.79
Feb 9 01:34:11 solaris11-3.sanyalnet.lan sshd[18480]: [ID 800047 auth.info] Bad protocol version identification '#026#003#001' from 10.100.0.129
Feb 9 01:34:11 solaris11-3.sanyalnet.lan sshd[18481]: [ID 800047 auth.info] Bad protocol version identification '#026#003#001' from 10.100.0.129
# egrep "Bad protocol version identification" /var/log/messages | sed -e "s/^.*from //" | cut -f 1 -d " " | sort -V | uniq | egrep -v '^(192\.168|10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.)'
66.249.83.79
107.6.183.226
#