sshd log - Fssh_kex_exchange_identification

Hi guys.

I have found this ssh log in auth.log:

Code:
Apr 18 18:03:25 xv0 sshd[1887]: banner exchange: Connection from 107.189.7.92 port 48142: invalid format
Apr 18 18:03:25 xv0 sshd[1888]: error: Fssh_kex_exchange_identification: banner line contains invalid characters
Apr 18 18:03:25 xv0 sshd[1888]: banner exchange: Connection from 107.189.7.92 port 48152: invalid format
Apr 18 18:03:26 xv0 sshd[1889]: error: Fssh_kex_exchange_identification: banner line contains invalid characters
Apr 18 18:03:26 xv0 sshd[1889]: banner exchange: Connection from 107.189.7.92 port 48162: invalid format
Apr 18 18:03:26 xv0 sshd[1890]: error: Fssh_kex_exchange_identification: banner line contains invalid characters
Apr 18 18:03:26 xv0 sshd[1890]: banner exchange: Connection from 107.189.7.92 port 48176: invalid format
Apr 18 18:03:56 xv0 sshd[1891]: error: Fssh_kex_exchange_identification: client sent invalid protocol identifier "CONNECT www.baidu.com:443 HTTP/1.1"
Apr 18 18:03:56 xv0 sshd[1891]: banner exchange: Connection from 107.189.7.92 port 39480: invalid format
Apr 18 18:03:56 xv0 sshd[1892]: error: Fssh_kex_exchange_identification: client sent invalid protocol identifier "CONNECT www.baidu.com:443 HTTP/1.1"
Apr 18 18:03:56 xv0 sshd[1892]: banner exchange: Connection from 107.189.7.92 port 39486: invalid format
Apr 18 18:03:56 xv0 sshd[1893]: error: Fssh_kex_exchange_identification: client sent invalid protocol identifier "CONNECT www.linode.com:443 HTTP/1.1"
Apr 18 18:03:56 xv0 sshd[1893]: banner exchange: Connection from 107.189.7.92 port 39488: invalid format
Apr 18 18:03:57 xv0 sshd[1894]: error: Fssh_kex_exchange_identification: client sent invalid protocol identifier "CONNECT www.linode.com:443 HTTP/1.1"
Apr 18 18:03:57 xv0 sshd[1894]: banner exchange: Connection from 107.189.7.92 port 39496: invalid format
Apr 18 18:03:57 xv0 sshd[1895]: error: Fssh_kex_exchange_identification: client sent invalid protocol identifier "CONNECT www.aizhan.com:443 HTTP/1.1"
Apr 18 18:03:57 xv0 sshd[1895]: banner exchange: Connection from 107.189.7.92 port 39500: invalid format
Apr 18 18:03:57 xv0 sshd[1896]: error: Fssh_kex_exchange_identification: client sent invalid protocol identifier "CONNECT www.aizhan.com:443 HTTP/1.1"
Apr 18 18:03:57 xv0 sshd[1896]: banner exchange: Connection from 107.189.7.92 port 39502: invalid format
Apr 18 18:03:57 xv0 sshd[1897]: error: Fssh_kex_exchange_identification: client sent invalid protocol identifier "CONNECT archive.org:443 HTTP/1.1"
Apr 18 18:03:57 xv0 sshd[1897]: banner exchange: Connection from 107.189.7.92 port 39510: invalid format
Apr 18 18:03:57 xv0 sshd[1898]: error: Fssh_kex_exchange_identification: client sent invalid protocol identifier "CONNECT archive.org:443 HTTP/1.1"
Apr 18 18:03:57 xv0 sshd[1898]: banner exchange: Connection from 107.189.7.92 port 39516: invalid format

Could it be a scanner? What would be the best defense in this type of situation? Maybe a rule in pf, creating a table limiting the maximum number of connections per second?

Code:
max-src-conn - max-src-conn-rate

Thanks guys.
 
Could it be a scanner?
Bot, more likely. One of the many malware infected servers trying to extend their bot network.

What would be the best defense in this type of situation?
Look up the address with whois(1), try to find an abuse contact of the provider/company/whomever that owns the range. Send them some of your logs. Don't expect a reply, but it often just abruptly stops.
 
Reported.

But I have quite a few attempts from that host, about 12 connections per second. To avoid that kind of thing, wouldn't it be good to implement something similar to this?

Code:
table <force> persist
block quick from <force>
pass in inet proto tcp from any to any port 22 keep state (max-src-conn 10, \
    max-src-conn-rate 2/1, overload <force> flush global)

Or is it not necessary? It's just an idea.

Thanks.

Edit: Apparently it is a provider of virtual machines
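To see which sources the rule above would push into the <force> table before loading it, here is an added Python example (not from the thread) that counts the "banner exchange: Connection from" lines per source address in the auth.log format shown earlier and flags any source whose burst exceeds max-src-conn-rate 2/1. The sample lines and the 198.51.100.7 address are constructed, and the sliding window over logged timestamps is an approximation of pf's per-source rate tracking.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of the thread's auth.log excerpt; 198.51.100.7
# is a made-up, well-behaved source added for contrast.
SAMPLE_LOG = """\
Apr 18 18:03:25 xv0 sshd[1887]: banner exchange: Connection from 107.189.7.92 port 48142: invalid format
Apr 18 18:03:25 xv0 sshd[1888]: error: Fssh_kex_exchange_identification: banner line contains invalid characters
Apr 18 18:03:25 xv0 sshd[1888]: banner exchange: Connection from 107.189.7.92 port 48152: invalid format
Apr 18 18:03:26 xv0 sshd[1889]: banner exchange: Connection from 107.189.7.92 port 48162: invalid format
Apr 18 18:03:57 xv0 sshd[1897]: banner exchange: Connection from 107.189.7.92 port 39510: invalid format
Apr 18 18:03:57 xv0 sshd[1898]: banner exchange: Connection from 107.189.7.92 port 39516: invalid format
Apr 18 18:03:57 xv0 sshd[1899]: banner exchange: Connection from 107.189.7.92 port 39520: invalid format
Apr 18 18:04:10 xv0 sshd[1900]: banner exchange: Connection from 198.51.100.7 port 50000: invalid format
"""

# sshd logs one "banner exchange: Connection from ..." line per rejected connection;
# the preceding "error: Fssh_kex_exchange_identification" line carries no address.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"banner exchange: Connection from (?P<ip>[\d.]+) port \d+: invalid format$"
)

def parse_attempts(log_text):
    """Return {source_ip: sorted timestamps} of failed banner exchanges."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # syslog stamps carry no year; a fixed one keeps ordering within a day
            ts = datetime.strptime("2000 " + m.group("ts"), "%Y %b %d %H:%M:%S")
            attempts[m.group("ip")].append(ts)
    return {ip: sorted(times) for ip, times in attempts.items()}

def peak_rate(times, window_s):
    """Most connections one source made within any span shorter than window_s."""
    peak = i = 0
    for j, t in enumerate(times):
        while (t - times[i]).total_seconds() >= window_s:
            i += 1
        peak = max(peak, j - i + 1)
    return peak

def would_overload(log_text, limit=2, window_s=1):
    """Sources whose burst exceeds max-src-conn-rate limit/window_s (2/1 in the thread)."""
    peaks = {ip: peak_rate(t, window_s) for ip, t in parse_attempts(log_text).items()}
    return {ip: p for ip, p in peaks.items() if p > limit}
```

Running would_overload(SAMPLE_LOG) on the sample reports only 107.189.7.92 (peak 3 in one second); the single attempt from 198.51.100.7 stays under the 2/1 limit.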
 
I have a blacklist table so I can easily add/remove certain IPs or ranges.

Something like:
Code:
table <crap> persist file "/etc/pf.crap"

block in quick on $ext_if from <crap> to any
Add IP addresses and/or ranges to /etc/pf.crap. You can also add addresses dynamically on the command line: pfctl -t crap -T add 1.2.3.4, but keep in mind that those addresses won't be automagically added to /etc/pf.crap.
 