Hi guys.
I have found this ssh log in auth.log:
Code:
Apr 18 18:03:25 xv0 sshd[1887]: banner exchange: Connection from 107.189.7.92 port 48142: invalid format
Apr 18 18:03:25 xv0 sshd[1888]: error: Fssh_kex_exchange_identification: banner line contains invalid characters
Apr 18 18:03:25 xv0 sshd[1888]: banner exchange: Connection from 107.189.7.92 port 48152: invalid format
Apr 18 18:03:26 xv0 sshd[1889]: error: Fssh_kex_exchange_identification: banner line contains invalid characters
Apr 18 18:03:26 xv0 sshd[1889]: banner exchange: Connection from 107.189.7.92 port 48162: invalid format
Apr 18 18:03:26 xv0 sshd[1890]: error: Fssh_kex_exchange_identification: banner line contains invalid characters
Apr 18 18:03:26 xv0 sshd[1890]: banner exchange: Connection from 107.189.7.92 port 48176: invalid format
Apr 18 18:03:56 xv0 sshd[1891]: error: Fssh_kex_exchange_identification: client sent invalid protocol identifier "CONNECT www.baidu.com:443 HTTP/1.1"
Apr 18 18:03:56 xv0 sshd[1891]: banner exchange: Connection from 107.189.7.92 port 39480: invalid format
Apr 18 18:03:56 xv0 sshd[1892]: error: Fssh_kex_exchange_identification: client sent invalid protocol identifier "CONNECT www.baidu.com:443 HTTP/1.1"
Apr 18 18:03:56 xv0 sshd[1892]: banner exchange: Connection from 107.189.7.92 port 39486: invalid format
Apr 18 18:03:56 xv0 sshd[1893]: error: Fssh_kex_exchange_identification: client sent invalid protocol identifier "CONNECT www.linode.com:443 HTTP/1.1"
Apr 18 18:03:56 xv0 sshd[1893]: banner exchange: Connection from 107.189.7.92 port 39488: invalid format
Apr 18 18:03:57 xv0 sshd[1894]: error: Fssh_kex_exchange_identification: client sent invalid protocol identifier "CONNECT www.linode.com:443 HTTP/1.1"
Apr 18 18:03:57 xv0 sshd[1894]: banner exchange: Connection from 107.189.7.92 port 39496: invalid format
Apr 18 18:03:57 xv0 sshd[1895]: error: Fssh_kex_exchange_identification: client sent invalid protocol identifier "CONNECT www.aizhan.com:443 HTTP/1.1"
Apr 18 18:03:57 xv0 sshd[1895]: banner exchange: Connection from 107.189.7.92 port 39500: invalid format
Apr 18 18:03:57 xv0 sshd[1896]: error: Fssh_kex_exchange_identification: client sent invalid protocol identifier "CONNECT www.aizhan.com:443 HTTP/1.1"
Apr 18 18:03:57 xv0 sshd[1896]: banner exchange: Connection from 107.189.7.92 port 39502: invalid format
Apr 18 18:03:57 xv0 sshd[1897]: error: Fssh_kex_exchange_identification: client sent invalid protocol identifier "CONNECT archive.org:443 HTTP/1.1"
Apr 18 18:03:57 xv0 sshd[1897]: banner exchange: Connection from 107.189.7.92 port 39510: invalid format
Apr 18 18:03:57 xv0 sshd[1898]: error: Fssh_kex_exchange_identification: client sent invalid protocol identifier "CONNECT archive.org:443 HTTP/1.1"
Apr 18 18:03:57 xv0 sshd[1898]: banner exchange: Connection from 107.189.7.92 port 39516: invalid format
Could it be a scanner? What would be the best defense in this type of situation? Maybe a rule in pf, creating a table limiting the maximum number of connections per second?
Code:
max-src-conn - max-src-conn-rate
Thanks guys.
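
Added example, not part of the original post: a small Python triage script for log lines in this format. It pairs each sshd `error:` line with its `banner exchange:` line by PID, then reports per source address the number of failed banner exchanges, the peak connection rate, and any HTTP `CONNECT` targets the client sent. The `limit=5` / `window=3` defaults and the year are assumptions (the same kind of number/seconds pair a pf `max-src-conn-rate` option takes), and the sample log is constructed with documentation addresses.

```python
import re
from collections import defaultdict
from datetime import datetime

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[(\d+)\]: (.*)$")
CONN = re.compile(r"banner exchange: Connection from (\S+) port \d+: invalid format")
IDENT = re.compile(r'client sent invalid protocol identifier "(.*)"')
PROBE = re.compile(r"CONNECT (\S+)")  # HTTP proxy request sent to the SSH port

def peak_rate(times, window):
    # Largest number of connections inside any `window`-second span.
    times, best, start = sorted(times), 0, 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() >= window:
            start += 1
        best = max(best, end - start + 1)
    return best

def analyze(text, limit=5, window=3, year=2024):  # defaults are assumed values
    reasons, events = {}, defaultdict(list)
    for raw in text.splitlines():
        if not (m := LINE.match(raw)):
            continue
        stamp, pid, msg = m.groups()
        if msg.startswith("error: "):
            ident = IDENT.search(msg)
            reasons[pid] = ident.group(1) if ident else msg  # pair by sshd PID
        elif (c := CONN.search(msg)):
            # syslog timestamps carry no year, so one is assumed
            ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            events[c.group(1)].append((ts, reasons.pop(pid, "")))
    report = {}
    for ip, seen in events.items():
        peak = peak_rate([ts for ts, _ in seen], window)
        targets = sorted({p.group(1) for _, r in seen if (p := PROBE.match(r))})
        report[ip] = {"count": len(seen), "peak": peak,
                      "proxy_targets": targets, "over_limit": peak > limit}
    return report

def _pair(stamp, pid, ip, port, reason):
    head = f"Apr 18 {stamp} xv0 sshd[{pid}]: "
    return (f"{head}error: Fssh_kex_exchange_identification: {reason}\n"
            f"{head}banner exchange: Connection from {ip} port {port}: invalid format\n")

# Constructed sample in the post's log format; addresses are documentation ranges.
SAMPLE = "".join(
    _pair(f"18:03:5{6 + i // 4}", 1891 + i, "203.0.113.7", 39480 + 2 * i,
          f'client sent invalid protocol identifier "CONNECT {host}:443 HTTP/1.1"')
    for i, host in enumerate(["www.baidu.com", "www.linode.com", "archive.org"] * 2)
) + _pair("18:10:00", 1900, "198.51.100.20", 50000, "banner line contains invalid characters")
```

Calling `analyze(open("/var/log/auth.log").read())` returns one entry per source address; entries with `over_limit` set are the ones a rate limit at the chosen threshold would catch.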