Netgate Discussion Forum
    BitTorrent traffic on ssh-port

    General pfSense Questions
    12 Posts 3 Posters 1.5k Views
    doejohn:

      Hello everybody,

      I have ssh running on a non-standard port.

      Often, I keep receiving a lot of bit-torrent traffic on this port. Something like this:

      Sep 27 23:24:43 bluebox sshd[28714]: Bad protocol version identification '\\\243w\274,\025\262^\220S\315\340"h\227=\222+PZp :J_\373\251
      Sep 27 23:25:34 bluebox sshd[29828]: Bad protocol version identification '-j\264\342\020N\335\366' from 86.49.247.83 port 45644
      Sep 27 23:26:05 bluebox sshd[30703]: Bad protocol version identification '"\316\361\211t\347\277\2278\342>\312\033{\247U\023R\243\312\3
      Sep 27 23:26:24 bluebox sshd[31069]: Bad protocol version identification '?\250\246\273\274KR\322\325\341i\\~5\322\a\241*\261\320l\021(
      Sep 27 23:28:26 bluebox sshd[1778]: Bad protocol version identification '\365\255\343N\201\274GM\027\243\303\336\330P\257\227-='\346\22
      Sep 27 23:30:17 bluebox sshd[4659]: Bad protocol version identification 'R\263k\3572\\B\025t\016\2223\372dQ\027\\\v6\2477*\360' from 94
      Sep 27 23:30:28 bluebox sshd[4847]: Bad protocol version identification '\a\200\270\201\374\266=\255u6,\315\262\200#\t5\003\320|\342\03
      Sep 27 23:31:34 bluebox sshd[6507]: Bad protocol version identification '\023BitTorrent protocol' from 73.66.39.217 port 65454
      Sep 27 23:31:54 bluebox sshd[7057]: Bad protocol version identification '\363\365{\251\370\210\214\223\204\337SW\232\212\327\325\032\35
      Sep 27 23:32:18 bluebox sshd[7752]: Bad protocol version identification '\031O-}\265\220O,5J\372\177\234\236\370\252\001E\f\355fz\035\0
      Sep 27 23:32:37 bluebox sshd[8300]: Bad protocol version identification '\214' from 70.76.117.177 port 65481
      Sep 27 23:34:24 bluebox sshd[10839]: Bad protocol version identification '\230\032' from 82.130.170.128 port 61681
      Sep 27 23:34:52 bluebox sshd[11588]: Bad protocol version identification '\223\022\242\255i\213\002\223\202\253\003\264-o\356\213h\340\
      Sep 27 23:35:19 bluebox sshd[12150]: Bad protocol version identification 'Nd\373\263\370\200\342\254|\362q\305Z\a7\357\21713\031\177\31
      Sep 27 23:35:34 bluebox sshd[12701]: Bad protocol version identification '\322\351-\356T\321d\004\016jPh:\375' from 82.130.170.128 port
      Sep 27 23:36:28 bluebox sshd[14308]: Bad protocol version identification '\004\177)K&\003=^V\361J\300\207|\370\206\353\317;\242\344\261
      Sep 27 23:36:45 bluebox sshd[14676]: Bad protocol version identification '' from 82.130.170.128 port 61990
      Sep 27 23:37:41 bluebox sshd[15971]: Bad protocol version identification '\245~\231H\333\231D*v@\250\250j\304\002\221\211\315\024\344\2
      Sep 27 23:39:07 bluebox sshd[18140]: Bad protocol version identification '\037T\225\001\336\302c\205\334\252\200I\221|\017t\217Y'\021<\
      Sep 27 23:39:12 bluebox sshd[18323]: Bad protocol version identification '(,i\222\233\343`\004\304\323\257pGp\005\215Q\267\201\257\2509
      Sep 27 23:40:13 bluebox sshd[19982]: Bad protocol version identification '\363Q&4\222E\032G&0(\251\261\236\331\356\244,c^\241=\021\210a
      Sep 27 23:40:23 bluebox sshd[20167]: Bad protocol version identification '"\372\312)\363\231D\252\223\307\253\v(0\214\260\350\t\025|\37
      Sep 27 23:41:44 bluebox sshd[22377]: Bad protocol version identification 'F\326k\305\305\354\024\313\365\236V\037\225\232fzDQ\362S;ISl;
      Sep 27 23:41:46 bluebox sshd[22380]: Bad protocol version identification '\231\021\320\203\252\364\334z\340G\031\001i\240\204\304\336\2
      Sep 27 23:42:46 bluebox sshd[23983]: Did not receive identification string from 173.244.48.49
      Sep 27 23:42:51 bluebox sshd[24167]: Bad protocol version identification '6OI\026\304p{\006\257\201\313\202\361\345\0341Z\3143$\264(\02
      
      

      This effectively results in a DoS, because often regular ssh connects will fail.  :'(

      Any ideas how to track down why this torrent traffic keeps hitting my ssh port and how to get rid of it?

      doktornotor:

        So, here's an idea - do NOT leave SSH and webGUI wide open to the world. Duh! Use VPN or at minimum limit access to well known management IPs.

        doejohn:

          Umm, this is not the ssh on pfSense.

          pfSense is forwarding the (non-standard) port to a box in the DMZ.

          doktornotor:

            Yeah, and the same applies. If you absolutely need those world open, you'll need to use something like Snort or Suricata and proper protocol rules related to SSH to block those. (Also will need to set SSH_PORTS and SSH_SERVERS on WAN variables tab accordingly)

            johnpoz (LAYER 8 Global Moderator):

              Just another example of why attempting security through obscurity is a fail.. Really the only actual reason to use a different port than 22 for your ssh would be to try and lower the log spam of bots hitting it, etc.. ;)  You seem to have hit on the complete opposite.. Funny really..

              So you're forwarding inbound to some box of yours, or is this some customer behind pfSense that you manage?  If for your own connectivity - with dok here vpn would be the way to go..  If customer and they want ssh open.. Why are you on some odd port?  Guessing some high random which is where p2p normally runs..

              So your IP was at some point in swarm?  On this port as well?  That is really the only time you would see such large amounts of such traffic.

              I am curious how did you determine it's p2p traffic exactly?  From that log info or did you sniff it?

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              doejohn:
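              The poster's log and johnpoz's question ("did you determine it's p2p from the log or did you sniff it?") can both be answered from the banner text that sshd writes into "Bad protocol version identification". The script below is an added example, not code from the thread, OpenSSH or pfSense: it undoes the vis(3)-style escaping sshd applies (octal \NNN, C-style \a \t etc., \\ for a backslash), labels each hit, and counts hits per source, so a peer that keeps retrying stands out from one-off scanners. It also decodes a complete 68-byte plaintext BitTorrent handshake, which sshd's truncated log line never contains but a tcpdump capture of the port does; the info_hash in it identifies the torrent whose swarm still lists your IP:port. The sample log lines are constructed (documentation IP ranges) in sshd's format; the "opaque-binary" label is a heuristic, noted as such in the code.

```python
"""Sort out what is knocking on a non-standard SSH port.

Added example (not from the thread): decodes the escaped banner that sshd
logs in 'Bad protocol version identification', classifies each hit, counts
per source, and, given a complete 68-byte BitTorrent handshake (e.g. from a
tcpdump capture), extracts the info_hash so the swarm can be identified.
"""
import re
from collections import Counter

# Escapes as sshd's vis(3) call writes them: octal \NNN for non-printables,
# C-style \a \b \f \n \r \t \v, and \\ for a literal backslash.
_ESC = re.compile(r"\\(?:([0-7]{1,3})|([abfnrtv\\]))")
_CSTYLE = {"a": 7, "b": 8, "f": 12, "n": 10, "r": 13, "t": 9, "v": 11, "\\": 92}

_BAD_BANNER = re.compile(
    r"sshd\[\d+\]: Bad protocol version identification '(?P<banner>.*)' "
    r"from (?P<ip>[0-9A-Fa-f.:]+) port (?P<port>\d+)\s*$")
_NO_BANNER = re.compile(
    r"sshd\[\d+\]: Did not receive identification string from (?P<ip>[0-9A-Fa-f.:]+)")

# A plaintext BitTorrent peer-wire handshake starts with pstrlen=19 and the
# protocol string; the complete handshake is 68 bytes.
BT_PSTR = b"\x13BitTorrent protocol"

# Constructed sample lines in sshd's format (documentation IPs, not the poster's).
SAMPLE_LOG = r"""
Sep 27 23:31:34 bluebox sshd[6507]: Bad protocol version identification '\023BitTorrent protocol' from 198.51.100.7 port 65454
Sep 27 23:32:37 bluebox sshd[8300]: Bad protocol version identification '\214' from 203.0.113.12 port 65481
Sep 27 23:34:52 bluebox sshd[11588]: Bad protocol version identification '\223\022\242\255i\213\002\223\202\253\003\264-o\356\213h\340' from 203.0.113.12 port 61700
Sep 27 23:36:45 bluebox sshd[14676]: Bad protocol version identification '' from 203.0.113.12 port 61990
Sep 27 23:42:46 bluebox sshd[23983]: Did not receive identification string from 192.0.2.44
Sep 27 23:43:10 bluebox sshd[24001]: Bad protocol version identification 'GET / HTTP/1.1' from 192.0.2.9 port 51234
"""


def unvis(escaped: str) -> bytes:
    """Undo the vis(3) escaping to recover the bytes the peer actually sent."""
    out = bytearray()
    i = 0
    while i < len(escaped):
        m = _ESC.match(escaped, i)
        if m:
            out.append(int(m.group(1), 8) & 0xFF if m.group(1) is not None
                       else _CSTYLE[m.group(2)])
            i = m.end()
        else:
            out += escaped[i].encode("latin-1", "replace")
            i += 1
    return bytes(out)


def classify(raw: bytes) -> str:
    """Label the first bytes a client sent instead of an SSH version string."""
    if raw.startswith(BT_PSTR):
        return "bittorrent-plaintext"
    if not raw:
        return "empty"
    if raw.startswith(b"SSH-"):
        return "ssh"
    # Mostly non-printable bytes: opaque binary.  That is what an obfuscated
    # (MSE/PE) BitTorrent handshake looks like, since it opens with random-looking
    # DH key material, but the log line alone cannot confirm it (heuristic).
    binary = sum(1 for b in raw if b < 0x20 or b > 0x7E)
    return "opaque-binary" if binary / len(raw) > 0.3 else "text"


def parse_bt_handshake(raw: bytes):
    """Decode a complete plaintext handshake:
    pstrlen(1) pstr(19) reserved(8) info_hash(20) peer_id(20).
    Returns None if the buffer is not a complete handshake (sshd's log line is
    truncated, so this needs a packet capture of the port)."""
    if len(raw) < 68 or not raw.startswith(BT_PSTR):
        return None
    return {
        "reserved": raw[20:28].hex(),
        "info_hash": raw[28:48].hex(),  # identifies the torrent; look it up via trackers/DHT
        "peer_id": raw[48:68],          # client tag, e.g. Azureus-style b"-TR2940-..."
    }


def summarize(log_text: str) -> dict:
    """Count hits by class and by source IP.  A source that keeps coming back
    is a peer retrying a stale listing, not a one-off scan."""
    by_class, by_src = Counter(), Counter()
    for line in log_text.splitlines():
        m = _BAD_BANNER.search(line)
        if m:
            by_class[classify(unvis(m["banner"]))] += 1
            by_src[m["ip"]] += 1
            continue
        m = _NO_BANNER.search(line)
        if m:
            by_class["no-banner"] += 1
            by_src[m["ip"]] += 1
    return {"by_class": dict(by_class), "by_src": dict(by_src)}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for label, n in sorted(report["by_class"].items(), key=lambda kv: -kv[1]):
        print(f"{n:4d}  {label}")
    for ip, n in sorted(report["by_src"].items(), key=lambda kv: -kv[1]):
        print(f"{n:4d}  {ip}")
```

              Run it against the real log with `summarize(open("/var/log/auth.log").read())` (path assumed; adjust to where your syslog puts sshd). Only the literal `\023BitTorrent protocol` lines prove BitTorrent from the log alone; for the random-looking ones, and to recover an info_hash, capture the port with tcpdump and feed the first 68 bytes of a connection to `parse_bt_handshake`.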

                What would a VPN buy me?

                It would do public-key authentication. The sshd is also configured to accept ONLY public-key authentication for specific groups from hosts with verified host keys.

                So, what would be the security benefits of using a VPN?

                doktornotor:

                  @johnpoz:

                  Just another example of why attempting security through obscurity is a fail.. Really the only actual reason to use a different port than 22 for your ssh would be to try and lower the log spam of bots hitting it, etc.. ;)  You seem to have hit on the complete opposite.. Funny really..

                  Yeah this definitely is made worse by using those ephemeral ports for SSH server.

                  So, what would be the security benefits of using a VPN?

                  It'd never reach the SSH box. No SSH DoS-ed there.

                  doejohn:

                    And what would keep the torrent packets from hitting the VPN port?

                    doktornotor:

                      Errr, uh… nothing of course. You cannot control what gets sent to you on your edge firewall. If you think you are DoS-ed, go talk to your ISP.

                      doejohn:

                        No, I don't think I'm DoS'ed. I think these are "ricochet" packets.

                        johnpoz (LAYER 8 Global Moderator):

                          "And what would keep the torrent packets from hitting the VPN port?"

                          Normally you wouldn't run vpn on a p2p port..

                          So your problem is your sshd has some sort of timeout when it gets hit X times with fail login..  Seen them quite often where possible login gets delayed for X number of seconds after failed attempt.. So sure failed logins can amount to what seems like a dos..

                          You could change ports would be what I would suggest.  Standard 22 would be best.. Or some odd port that is not random high.  You don't normally see p2p traffic on such ports like say 42 or something.  Look in your logs for a port that gets the least amount of noise and run it on that port ;)

                          As everyone I see lots of hits to 22, but I do not have 22 forwarded or open to the public.  Only vpn ports. 1194 and I run on tcp 443 as well.  This gets some hits sure - but far and few between that are not me logging in..  In the last 2881 hits on the firewall I see 12 hits to tcp 443 that was not me..  And to 1194 I see a whole 1 hit that was not me for udp that was allowed, and 1 that was blocked on tcp.

                          There is always going to be noise.. But you most likely will see far less to a vpn port, even when you run it on common tcp port like 443..

                          [attached image: hitsto443.png]


                          doejohn:

                            @johnpoz:

                            So your problem is your sshd has some sort of timeout when it gets hit X times with fail login..  Seen them quite often where possible login gets delayed for X number of seconds after failed attempt.. So sure failed logins can amount to what seems like a dos..

                            You could change ports would be what I would suggest.  Standard 22 would be best..

                            On 22, thousands of script-kiddies are knocking. Even more than on some random p2p-port. This is why I changed ports.

                            I don't see what changing to VPN would buy me. The ricochet packets would arrive at the VPN port instead of the sshd-port.

                            Or some odd port that is not random high.  You don't normally see p2p traffic on such ports like say 42 or something.

                            Isn't 42 used by WINS? I'd expect even more script-kiddies playing with WINS…

                            As everyone I see lots of hits to 22, but I do not have 22 forwarded or open to the public.  Only vpn ports. 1194 and I run on tcp 443 as well.  This gets some hits sure - but far and few between that are not me logging in..  In the last 2881 hits on the firewall I see 12 hits to tcp 443 that was not me..  And to 1194 I see a whole 1 hit that was not me for udp that was allowed, and 1 that was blocked on tcp.

                            Really? Nobody trying to break openvpn?

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.