[Eisfair] BruteForceBlocking: banner exchange error
Marcus Röckrath
marcus.roeckrath at gmx.de
Sat Apr 23 08:48:49 CEST 2022
Hello Olaf,
Olaf Jaehrling wrote:
> It would be nice if you could give me feedback on this.
Gladly, with a continuation:
Right now 1.1 is being blocked, and I wonder what it means by that, or what
it is supposed to block.
I suspect it is related to lines like these:
Apr 13 00:35:54 nepo-vw-server sshd[14736]: error:
kex_exchange_identification: client sent invalid protocol identifier "GET /
HTTP/1.1"<br>
Apr 13 03:57:19 nepo-vw-server sshd[13718]: error:
kex_exchange_identification: client sent invalid protocol identifier "GET /
HTTP/1.1"<br>
Apr 13 10:06:35 nepo-vw-server sshd[11167]: error:
kex_exchange_identification: client sent invalid protocol identifier
"CONNECT google.com:443 HTTP/1.1"<br>
Apr 13 19:55:20 nepo-vw-server sshd[31718]: error:
kex_exchange_identification: client sent invalid protocol identifier
"GET /system_api.php HTTP/1.1"<br>
Apr 13 19:55:21 nepo-vw-server sshd[31818]: error:
kex_exchange_identification: client sent invalid protocol identifier
"GET /c/version.js HTTP/1.1"<br>
Apr 13 19:55:23 nepo-vw-server sshd[31820]: error:
kex_exchange_identification: client sent invalid protocol identifier
"GET /streaming/clients_live.php HTTP/1.1"<br>
Apr 13 19:55:25 nepo-vw-server sshd[31822]: error:
kex_exchange_identification: client sent invalid protocol identifier
"GET /stalker_portal/c/version.js HTTP/1.1"<br>
Apr 13 19:55:27 nepo-vw-server sshd[31824]: error:
kex_exchange_identification: client sent invalid protocol identifier
"GET /stream/live.php HTTP/1.1"<br>
Apr 13 19:55:29 nepo-vw-server sshd[31831]: error:
kex_exchange_identification: client sent invalid protocol identifier
"GET /flu/403.html HTTP/1.1"<br>
In the 1.1.html, which has over 2000 lines containing the lines from 1.4.
onward, and which also includes lines unrelated to ssh such as
Apr 22 11:35:50 nepo-vw-server imapd[9785]: imap service init from
192.168.100.101<br>
or
Apr 22 18:01:42 nepo-vw-server smartd[7743]:
Device: /dev/disk/by-id/ata-WDC_WD5002AALX-00J37A0_WD-WCAYUX024924 [SAT],
SMART Prefailure Attribute: 3 Spin_Up_Time changed from 141 to 142 <br>
the summary is found at the bottom:
Apr 23 01:47:15 nepo-vw-server sshd[26845]: error:
kex_exchange_identification: client sent invalid protocol identifier "GET /
HTTP/1.1"<br>
Apr 23 01:47:23 nepo-vw-server BFB[27733]: address 1.1 blocked after 511
attempt to abuse SLOW_SSH_ATTACK <br>
#################################################################<br>
Process query: '1.1'<br>
Query recognized as IPv4.<br>
Querying whois.arin.net:43 with whois.<br>
<br>
<br>
#<br>
# ARIN WHOIS data and services are subject to the Terms of Use<br>
# available at: https://www.arin.net/resources/registry/whois/tou/<br>
#<br>
# If you see inaccuracies in the results, please report at<br>
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/<br>
#<br>
# Copyright 1997-2022, American Registry for Internet Numbers, Ltd.<br>
#<br>
<br>
<br>
No match found for z + 1.1.<br>
<br>
<br>
#<br>
# ARIN WHOIS data and services are subject to the Terms of Use<br>
# available at: https://www.arin.net/resources/registry/whois/tou/<br>
#<br>
# If you see inaccuracies in the results, please report at<br>
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/<br>
#<br>
# Copyright 1997-2022, American Registry for Internet Numbers, Ltd.<br>
#<br>
<br>
<br>
<br>
<br>
-- <br>
To resolve one of the above handles: whois -h whois.arin.net HANDLE<br>
OTOH offical handles should be recognised directly.<br>
Please report errors or misfits via the debian bug tracking system.<br>
#################################################################<br>
traceroute to 1.1 (1.0.0.1), 20 hops max, 60 byte packets<br>
1 192.168.100.100 (192.168.100.100) 0.173 ms<br>
2 225-058-074-080.ip-addr.inexio.net (80.74.58.225) 4.742 ms<br>
3 185.22.46.68 (185.22.46.68) 4.620 ms<br>
4 ddf-b2-link.ip.twelve99.net (62.115.38.12) 4.282 ms<br>
5 cloudflare-svc079348-ic369097.ip.twelve99-cust.net (62.115.174.133)
4.619 ms<br>
6 one.one.one.one (1.0.0.1) 4.572 ms<br>
</body>
</html>
--
Regards, Marcus
[eisfair-Team]
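
The following is an added example, not part of the original message and not BFB's own code: it shows how a loose address pattern applied to sshd lines like the ones quoted above can pick "1.1" out of the client-supplied string "HTTP/1.1", why such a token expands to 1.0.0.1 as in the traceroute output, and how a stricter extractor avoids both. The pattern `LOOSE`, the function names and the second sample line (with a documentation-range address) are assumptions constructed for the illustration.

```python
import ipaddress
import re
import socket

# Constructed sample lines modelled on the log excerpt in the message above.
SAMPLE = [
    'Apr 23 01:47:15 host sshd[26845]: error: kex_exchange_identification: '
    'client sent invalid protocol identifier "GET / HTTP/1.1"',
    'Apr 23 01:47:15 host sshd[26845]: banner exchange: Connection from '
    '203.0.113.7 port 51234: invalid format',
]

# Hypothetical loose rule: any run of digits and dots is taken as an address.
LOOSE = re.compile(r'\d+(?:\.\d+)+')
# Text between double quotes is what the remote client sent; never trust it.
QUOTED = re.compile(r'"[^"]*"')
# Exactly four dot-separated groups, not glued to other word characters.
CANDIDATE = re.compile(r'(?<![\w.])\d{1,3}(?:\.\d{1,3}){3}(?![\w.])')


def message_part(line):
    """Return the text after the 'prog[pid]: ' prefix of a syslog line."""
    return line.split(']: ', 1)[-1]


def loose_extract(line):
    """Loose extraction: returns the first digits-and-dots token, if any."""
    m = LOOSE.search(message_part(line))
    return m.group(0) if m else None


def strict_extract(line):
    """Strict extraction: ignore quoted client data, require a valid IPv4."""
    msg = QUOTED.sub('""', message_part(line))
    for token in CANDIDATE.findall(msg):
        try:
            return str(ipaddress.IPv4Address(token))
        except ipaddress.AddressValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
    return None


def legacy_expand(text):
    """Expand inet_aton shorthand the way classic resolver tools do."""
    return socket.inet_ntoa(socket.inet_aton(text))


if __name__ == '__main__':
    for line in SAMPLE:
        print(loose_extract(line), strict_extract(line))
    print(legacy_expand('1.1'))
```

Because the quoted identifier is chosen by the remote client, a blocker that reads addresses out of it can be steered into blocking an address of the client's choosing; taking addresses only from fields sshd itself writes closes that path.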