<div dir="ltr"><div><div><div>Another data point. I've got two machines, listening for ssh on two different arbitrary ports. I took a look at /var/log/auth.log on both machines, and found bad stuff on both. Nothing bad happened, because of other measures, but there's certainly more activity now than I thought there'd be. Here are the snippets of bad stuff:<br><br>
Aug 29 02:36:56 Plato sshd[15693]: Bad protocol version identification '\003' from 108.175.157.187 port 64816<br>
Aug 29 05:09:20 Plato sshd[24656]: Bad protocol version identification '\003' from 75.145.88.253 port 58685<br>
Aug 29 05:09:20 Plato sshd[24657]: Bad protocol version identification '\003' from 75.145.88.253 port 58707<br>
Aug 29 05:09:21 Plato sshd[24658]: Bad protocol version identification '\003' from 75.145.88.253 port 58728<br>
Aug 29 05:44:01 Plato sshd[26704]: Bad protocol version identification '\003' from 99.252.214.204 port 65191<br>
Aug 29 05:44:01 Plato sshd[26710]: Bad protocol version identification '\003' from 99.252.214.204 port 65206<br>
Aug 29 05:44:02 Plato sshd[26711]: Bad protocol version identification '\003' from 99.252.214.204 port 65216<br>
Aug 31 10:31:19 Plato sshd[20442]: Bad protocol version identification '\003' from 185.93.185.235 port 51162<br><br></div>and<br><br>
Aug 29 02:36:59 camelot-x sshd[5250]: Bad protocol version identification '\003' from 108.175.157.187 port 64815<br>
Aug 29 05:08:21 camelot-x sshd[6895]: Bad protocol version identification '\003' from 184.68.81.210 port 52326<br>
Aug 29 05:08:21 camelot-x sshd[6896]: Bad protocol version identification '\003' from 184.68.81.210 port 52353<br>
Aug 29 05:08:21 camelot-x sshd[6897]: Bad protocol version identification '\003' from 184.68.81.210 port 52375<br>
Aug 29 05:43:10 camelot-x sshd[7271]: Bad protocol version identification '\003' from 23.91.71.35 port 62831<br>
Aug 29 05:43:10 camelot-x sshd[7272]: Bad protocol version identification '\003' from 23.91.71.35 port 62849<br>
Aug 29 05:43:10 camelot-x sshd[7273]: Bad protocol version identification '\003' from 23.91.71.35 port 62857<br>
Aug 29 13:19:09 camelot-x sshd[13493]: Bad protocol version identification 'GET / HTTP/1.1' from 79.1.32.105 port 50161<br>
Aug 29 19:10:12 camelot-x sshd[17326]: Bad protocol version identification 'GET / HTTP/1.1' from 187.110.211.33 port 37036<br>
Aug 30 21:20:29 camelot-x sshd[27845]: Bad protocol version identification 'GET / HTTP/1.1' from 38.122.48.158 port 36990<br>
Aug 31 07:48:48 camelot-x sshd[2885]: Bad protocol version identification 'GET / HTTP/1.1' from 167.249.144.2 port 44935<br>
Aug 31 08:29:30 camelot-x sshd[3313]: Bad protocol version identification 'GET / HTTP/1.1' from 181.118.134.45 port 42856<br>
Aug 31 12:58:45 camelot-x sshd[6483]: Bad protocol version identification 'GET / HTTP/1.1' from 203.159.10.103 port 49502<br>
Aug 31 14:14:10 camelot-x sshd[7309]: Bad protocol version identification 'GET / HTTP/1.1' from 186.211.108.26 port 41155<br><br></div>Running whois(1) on these IP numbers yields a variety of ISPs from all over the world.<br><br></div><div>I don't know what the \003 things are doing. The GET is a web page request.<br></div>My web server is on port 80, but the query seen above just gets you a static page with no links. But no matter what you request,<br>none of the pages take any input other than clicks, so I'm not worried. The text for the page they requested reads<br><h1>It works!</h1>
<p><em>This far, anyway.</em></p>
<p>This is the default web page for the <a href="http://kosmanor.com">kosmanor.com</a> server.</p>
<p>You will need a more specific URL to see any content.</p><p><br></p><br><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Aug 29, 2016 at 9:33 PM, Karl Auer <span dir="ltr"><<a href="mailto:kauer@biplane.com.au" target="_blank">kauer@biplane.com.au</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Tue, 2016-08-30 at 13:07 +0900, Joel Rees wrote:<br>
> And my thought there was that skript kiddies are no longer the only<br>
> people we should worry about.<br>
<br>
</span>Here's a lesson learned from a zillion hours of training people: Don't<br>
try to do everything at once.<br>
<br>
The OP had a specific problem, recognisable as script kiddy attacks. My<br>
response addressed that, and anyone following through on the first few<br>
of my suggestions will have a robust system, which will see very few<br>
script kiddy attacks if any, and those they do see will not succeed.<br>
<br>
They will have a robust system; not an impervious one.<br>
<span class=""><br>
> It's a good list to get started, but we should really be encouraging<br>
> users to understand what logging in means, how it is done, how these<br>
> attacks use our computers against us, and so forth.<br>
<br>
</span>Well, you go do that. But please don't do it by muddying the waters<br>
around what was a simple problem with easy-to-implement solutions.<br>
<br>
When someone wants to learn how to make toast, you don't immediately<br>
try to sell them a fully kitted-out professional kitchen and start<br>
telling them how vitally important it is to understand everything about<br>
the use and abuse of automated chrome-plated fuel-injected turnip-<br>
twaddlers.<br>
<span class=""><br>
> A quick browse through /etc/services is amusing.<br>
<br>
</span>Pick a random port number >1024 and the chances are very good that it<br>
will be a port number you can use. Simple advice, easily followed.<br>
Unlike "do a thousand hours of research to locate the optimally suited<br>
set of port numbers".<br>
<span class=""><br>
> Well, if you can afford to go all-IPv6 now, I think you've just told<br>
> the attackers you have something interesting in your network.<br>
<br>
</span>What? Who said "all-IPv6"? If you can access your network via IPv6, as<br>
an increasing proportion of the civilised world can, then turning off<br>
IPv4 access to ssh is a simple and VERY effective way to stop script<br>
kiddies (and a pretty large number of other attacks, too). So far,<br>
anyway.<br>
<br>
Regards, K.<br>
<span class="im HOEnZb"><br>
--<br>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<wbr>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<wbr>~~~~~~~~~~~<br>
Karl Auer (<a href="mailto:kauer@biplane.com.au">kauer@biplane.com.au</a>)<br>
<a href="http://www.biplane.com.au/kauer" rel="noreferrer" target="_blank">http://www.biplane.com.au/<wbr>kauer</a><br>
<a href="http://twitter.com/kauer389" rel="noreferrer" target="_blank">http://twitter.com/kauer389</a><br>
<br>
GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B<br>
Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4<br>
<br>
<br>
<br>
<br>
</span><div class="HOEnZb"><div class="h5">--<br>
ubuntu-users mailing list<br>
<a href="mailto:ubuntu-users@lists.ubuntu.com">ubuntu-users@lists.ubuntu.com</a><br>
Modify settings or unsubscribe at: <a href="https://lists.ubuntu.com/mailman/listinfo/ubuntu-users" rel="noreferrer" target="_blank">https://lists.ubuntu.com/<wbr>mailman/listinfo/ubuntu-users</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>Kevin O'Gorman<br></div>#define QUESTION ((bb) || (!bb)) /* Shakespeare */<br><br><div><span style="line-height:normal;font-variant:normal;font-size:10pt;font-style:normal;font-weight:normal"><span style="line-height:normal;font-variant:normal;font-size:10pt;font-style:normal;font-weight:normal"></span></span><table border="0" cellpadding="0" cellspacing="0" width="448"><tbody><tr><td width="25"><img src="cid:XVHDKDFDBURW.IMAGE_60.gif" height="21" width="25"></td>
<td width="423"><span style="FONT-FAMILY:Verdana,Geneva,sans-serif;COLOR:rgb(0,153,0);MARGIN-LEFT:5px;FONT-SIZE:10px">Please consider the environment before printing this email.</span></td></tr></tbody></table><br></div></div></div>
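<p>Added example (not from Kevin O'Gorman's post or any message quoted in it): a Python script that parses the sshd "Bad protocol version identification" lines quoted above, labels what each client sent in place of an SSH banner, and correlates source addresses across both hosts. The sample input reuses six of the quoted lines plus one constructed, unrelated auth.log line; the 192.0.2.10 address and the 'someuser' account in that line are made up.</p>

```python
import re
from collections import defaultdict

# Matches the sshd "Bad protocol version identification" lines quoted in the
# post: syslog timestamp, host, pid, the client's quoted banner, source IP, port.
BAD_IDENT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Bad protocol version identification '(?P<ident>[^']*)' "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)$"
)

# Sample input: six lines copied from the post above plus one constructed,
# unrelated auth.log line (the 'Accepted publickey' entry) to show it is skipped.
SAMPLE_LOG = r"""
Aug 29 02:36:56 Plato sshd[15693]: Bad protocol version identification '\003' from 108.175.157.187 port 64816
Aug 29 05:09:20 Plato sshd[24656]: Bad protocol version identification '\003' from 75.145.88.253 port 58685
Aug 29 05:09:20 Plato sshd[24657]: Bad protocol version identification '\003' from 75.145.88.253 port 58707
Aug 29 05:09:21 Plato sshd[24658]: Bad protocol version identification '\003' from 75.145.88.253 port 58728
Aug 29 02:36:59 camelot-x sshd[5250]: Bad protocol version identification '\003' from 108.175.157.187 port 64815
Aug 29 13:19:09 camelot-x sshd[13493]: Bad protocol version identification 'GET / HTTP/1.1' from 79.1.32.105 port 50161
Aug 29 13:20:00 camelot-x sshd[13500]: Accepted publickey for someuser from 192.0.2.10 port 50000 ssh2
"""

def classify(ident):
    r"""Label what the client sent where an 'SSH-2.0-...' banner belongs.
    sshd escapes non-printable bytes in octal, so '\003' is one 0x03 byte."""
    if ident.startswith(("GET ", "POST ", "HEAD ")):
        return "http-request"          # an HTTP client or scanner hit the ssh port
    if re.fullmatch(r"(\\[0-7]{3})+", ident):
        return "non-printable-bytes"   # binary probe, not an SSH client at all
    return "other"

def summarize(log_text):
    """Aggregate bad-banner events per source IP over every host in the log."""
    per_ip = defaultdict(lambda: {"count": 0, "hosts": set(), "kinds": set()})
    for line in log_text.splitlines():
        m = BAD_IDENT_RE.match(line)
        if not m:                      # not a bad-banner event: ignore it
            continue
        rec = per_ip[m["ip"]]
        rec["count"] += 1
        rec["hosts"].add(m["host"])
        rec["kinds"].add(classify(m["ident"]))
    return dict(per_ip)

def cross_host_sources(per_ip):
    """Sources seen on more than one of our hosts: one scanner sweeping both
    machines within seconds, so treat it as a single campaign when blocking."""
    return sorted(ip for ip, r in per_ip.items() if len(r["hosts"]) > 1)
```

Run it over a real /var/log/auth.log by passing the file contents to summarize(); the per-source counts show the bursts of three connections per scanner visible in the quoted lines.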
</div>