Friday, February 8, 2019

Avoiding "Bad protocol version identification" attacks

Thomson and Thompson
I see sporadic attacks on my internet-facing servers in the form of protocol violations on the SSH port. They typically look like this (from two different servers):

Feb  8 16:56:54 sanyalnet-awsec2-1 sshd[25119]: Bad protocol version identification 'GET / HTTP/1.1' from 107.6.183.226 port 34676
Feb  8 16:56:56 sanyalnet-awsec2-1 sshd[25120]: Bad protocol version identification '\026\003\001' from 107.6.183.226 port 37512
Feb  8 16:56:58 sanyalnet-awsec2-1 sshd[25121]: Bad protocol version identification '\026\003\001' from 107.6.183.226 port 41985
Feb  8 16:57:00 sanyalnet-awsec2-1 sshd[25122]: Bad protocol version identification '\200.\001' from 107.6.183.226 port 38391
Feb  8 22:47:55 solaris11-3.sanyalnet.lan sshd[18430]: [ID 800047 auth.info] Bad protocol version identification '#026#003#001' from 10.100.0.129
Feb  8 22:47:55 solaris11-3.sanyalnet.lan sshd[18431]: [ID 800047 auth.info] Bad protocol version identification '#026#003#001' from 10.100.0.129
Feb  8 22:49:00 solaris11-3.sanyalnet.lan sshd[18432]: [ID 800047 auth.info] Bad protocol version identification '#026#003#001' from 10.100.0.129
Feb  8 22:49:00 solaris11-3.sanyalnet.lan sshd[18433]: [ID 800047 auth.info] Bad protocol version identification '#026#003#001' from 10.100.0.129
Feb  9 00:15:08 solaris11-3.sanyalnet.lan sshd[18454]: [ID 800047 auth.info] Bad protocol version identification '#026#003#001' from 66.249.83.79
Feb  9 01:34:11 solaris11-3.sanyalnet.lan sshd[18480]: [ID 800047 auth.info] Bad protocol version identification '#026#003#001' from 10.100.0.129
Feb  9 01:34:11 solaris11-3.sanyalnet.lan sshd[18481]: [ID 800047 auth.info] Bad protocol version identification '#026#003#001' from 10.100.0.129

(The 10.100.0.x sources are from my test runs for replicating the "Bad protocol" error messages.)

It appears this nuisance is caused by people, by mistake or with nefarious intentions, sending HTTPS web requests to sshd or vice versa: 'GET / HTTP/1.1' is a plaintext HTTP request, and '\026\003\001' (bytes 0x16 0x03 0x01) is the start of a TLS handshake record. (The fact that I forward port 443 to port 22 on some servers just for sadistic pleasure may have something to do with it.)

The following command line produces a list of the IP addresses causing this kind of attack, filtering out the private subnets:

egrep "Bad protocol version identification" /var/log/messages | sed -e "s/^.*from //" | cut -f 1 -d " " | sort -V | uniq | egrep -v '^(192\.168|10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.)'

producing, for the dump at the top:

66.249.83.79
107.6.183.226

These IPs can then be added to any IP blocklist in use. I plan to add them to my popular free public IP blocklist at http://sanyalnet-cloud-vps.freeddns.org/mirai-ips.txt (which started off as a list of Mirai botnet attack sources but has grown well beyond that over the years).
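As an added example (not code from the original post), the same extraction in Python over sample lines constructed from the dump above, in both the Linux and Solaris log formats. It goes a step further than the pipeline: it uses the ipaddress module instead of a hand-written private-range regex and decodes the escaped identification string to name the protocol each client actually spoke. Hostnames host1/host2 are placeholders.

```python
import ipaddress
import re
from collections import Counter

# Sample lines constructed from the dump above (hostnames replaced). Linux sshd
# appends "port N" and escapes bytes as \ooo; Solaris sshd has no port, uses #ooo.
SAMPLE_LOG = r"""
Feb  8 16:56:54 host1 sshd[25119]: Bad protocol version identification 'GET / HTTP/1.1' from 107.6.183.226 port 34676
Feb  8 16:56:56 host1 sshd[25120]: Bad protocol version identification '\026\003\001' from 107.6.183.226 port 37512
Feb  8 16:57:00 host1 sshd[25122]: Bad protocol version identification '\200.\001' from 107.6.183.226 port 38391
Feb  8 22:47:55 host2 sshd[18430]: [ID 800047 auth.info] Bad protocol version identification '#026#003#001' from 10.100.0.129
Feb  9 00:15:08 host2 sshd[18454]: [ID 800047 auth.info] Bad protocol version identification '#026#003#001' from 66.249.83.79
"""

LINE_RE = re.compile(r"Bad protocol version identification '(?P<ident>.*?)' from (?P<ip>\S+)")

def decode_ident(ident: str) -> bytes:
    """Turn sshd's escaped form (\\ooo or #ooo octal) back into the raw bytes the client sent."""
    return re.sub(r"[\\#]([0-7]{3})", lambda m: chr(int(m.group(1), 8)), ident).encode("latin-1")

def classify(raw: bytes) -> str:
    """Name the protocol a client was speaking, judged from its first bytes."""
    if raw[:2] == b"\x16\x03":  # TLS record: type 0x16 = handshake, major version 3
        return "TLS handshake record (HTTPS client hello)"
    if len(raw) >= 3 and raw[0] & 0x80 and raw[2] == 0x01:  # SSLv2 2-byte length header + CLIENT-HELLO
        return "SSLv2-style client hello"
    if re.match(rb"(GET|POST|HEAD|PUT|OPTIONS) ", raw):
        return "plaintext HTTP request"
    return "unknown"

def parse_log(text: str):
    """Yield (source_ip, classification) for every 'Bad protocol version identification' line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), classify(decode_ident(m.group("ident")))

def public_offenders(text: str) -> dict:
    """Count hits per source IP, dropping RFC 1918, loopback and link-local sources via ipaddress."""
    counts = Counter()
    for ip, _ in parse_log(text):
        if not ipaddress.ip_address(ip).is_private:
            counts[ip] += 1
    return dict(counts)

if __name__ == "__main__":
    for ip, kind in parse_log(SAMPLE_LOG):
        print(f"{ip:15} {kind}")
    print("public sources to consider for the blocklist:", public_offenders(SAMPLE_LOG))
```

Point it at /var/log/messages (or the journal output) instead of SAMPLE_LOG and the counts tell you which sources are persistent rather than one-off.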

Screen dump:

# grep "Bad protocol version identification" /var/log/messages
Feb  8 16:56:54 sanyalnet-awsec2-1 sshd[25119]: Bad protocol version identification 'GET / HTTP/1.1' from 107.6.183.226 port 34676
Feb  8 16:56:56 sanyalnet-awsec2-1 sshd[25120]: Bad protocol version identification '\026\003\001' from 107.6.183.226 port 37512
Feb  8 16:56:58 sanyalnet-awsec2-1 sshd[25121]: Bad protocol version identification '\026\003\001' from 107.6.183.226 port 41985
Feb  8 16:57:00 sanyalnet-awsec2-1 sshd[25122]: Bad protocol version identification '\200.\001' from 107.6.183.226 port 38391
Feb  8 22:47:55 solaris11-3.sanyalnet.lan sshd[18430]: [ID 800047 auth.info] Bad protocol version identification '#026#003#001' from 10.100.0.129
Feb  8 22:47:55 solaris11-3.sanyalnet.lan sshd[18431]: [ID 800047 auth.info] Bad protocol version identification '#026#003#001' from 10.100.0.129
Feb  8 22:49:00 solaris11-3.sanyalnet.lan sshd[18432]: [ID 800047 auth.info] Bad protocol version identification '#026#003#001' from 10.100.0.129
Feb  8 22:49:00 solaris11-3.sanyalnet.lan sshd[18433]: [ID 800047 auth.info] Bad protocol version identification '#026#003#001' from 10.100.0.129
Feb  9 00:15:08 solaris11-3.sanyalnet.lan sshd[18454]: [ID 800047 auth.info] Bad protocol version identification '#026#003#001' from 66.249.83.79
Feb  9 01:34:11 solaris11-3.sanyalnet.lan sshd[18480]: [ID 800047 auth.info] Bad protocol version identification '#026#003#001' from 10.100.0.129
Feb  9 01:34:11 solaris11-3.sanyalnet.lan sshd[18481]: [ID 800047 auth.info] Bad protocol version identification '#026#003#001' from 10.100.0.129
# egrep "Bad protocol version identification" /var/log/messages | sed -e "s/^.*from //" | cut -f 1 -d " " | sort -V | uniq | egrep -v '^(192\.168|10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.)'
66.249.83.79
107.6.183.226
