BitTorrent traffic on ssh-port
-
Hello everybody,
I have ssh running on a non-standard port.
I often receive a lot of BitTorrent traffic on this port. Something like this:
Sep 27 23:24:43 bluebox sshd[28714]: Bad protocol version identification '\\\243w\274,\025\262^\220S\315\340"h\227=\222+PZp :J_\373\251
Sep 27 23:25:34 bluebox sshd[29828]: Bad protocol version identification '-j\264\342\020N\335\366' from 86.49.247.83 port 45644
Sep 27 23:26:05 bluebox sshd[30703]: Bad protocol version identification '"\316\361\211t\347\277\2278\342>\312\033{\247U\023R\243\312\3
Sep 27 23:26:24 bluebox sshd[31069]: Bad protocol version identification '?\250\246\273\274KR\322\325\341i\\~5\322\a\241*\261\320l\021(
Sep 27 23:28:26 bluebox sshd[1778]: Bad protocol version identification '\365\255\343N\201\274GM\027\243\303\336\330P\257\227-='\346\22
Sep 27 23:30:17 bluebox sshd[4659]: Bad protocol version identification 'R\263k\3572\\B\025t\016\2223\372dQ\027\\\v6\2477*\360' from 94
Sep 27 23:30:28 bluebox sshd[4847]: Bad protocol version identification '\a\200\270\201\374\266=\255u6,\315\262\200#\t5\003\320|\342\03
Sep 27 23:31:34 bluebox sshd[6507]: Bad protocol version identification '\023BitTorrent protocol' from 73.66.39.217 port 65454
Sep 27 23:31:54 bluebox sshd[7057]: Bad protocol version identification '\363\365{\251\370\210\214\223\204\337SW\232\212\327\325\032\35
Sep 27 23:32:18 bluebox sshd[7752]: Bad protocol version identification '\031O-}\265\220O,5J\372\177\234\236\370\252\001E\f\355fz\035\0
Sep 27 23:32:37 bluebox sshd[8300]: Bad protocol version identification '\214' from 70.76.117.177 port 65481
Sep 27 23:34:24 bluebox sshd[10839]: Bad protocol version identification '\230\032' from 82.130.170.128 port 61681
Sep 27 23:34:52 bluebox sshd[11588]: Bad protocol version identification '\223\022\242\255i\213\002\223\202\253\003\264-o\356\213h\340\
Sep 27 23:35:19 bluebox sshd[12150]: Bad protocol version identification 'Nd\373\263\370\200\342\254|\362q\305Z\a7\357\21713\031\177\31
Sep 27 23:35:34 bluebox sshd[12701]: Bad protocol version identification '\322\351-\356T\321d\004\016jPh:\375' from 82.130.170.128 port
Sep 27 23:36:28 bluebox sshd[14308]: Bad protocol version identification '\004\177)K&\003=^V\361J\300\207|\370\206\353\317;\242\344\261
Sep 27 23:36:45 bluebox sshd[14676]: Bad protocol version identification '' from 82.130.170.128 port 61990
Sep 27 23:37:41 bluebox sshd[15971]: Bad protocol version identification '\245~\231H\333\231D*v@\250\250j\304\002\221\211\315\024\344\2
Sep 27 23:39:07 bluebox sshd[18140]: Bad protocol version identification '\037T\225\001\336\302c\205\334\252\200I\221|\017t\217Y'\021<\
Sep 27 23:39:12 bluebox sshd[18323]: Bad protocol version identification '(,i\222\233\343`\004\304\323\257pGp\005\215Q\267\201\257\2509
Sep 27 23:40:13 bluebox sshd[19982]: Bad protocol version identification '\363Q&4\222E\032G&0(\251\261\236\331\356\244,c^\241=\021\210a
Sep 27 23:40:23 bluebox sshd[20167]: Bad protocol version identification '"\372\312)\363\231D\252\223\307\253\v(0\214\260\350\t\025|\37
Sep 27 23:41:44 bluebox sshd[22377]: Bad protocol version identification 'F\326k\305\305\354\024\313\365\236V\037\225\232fzDQ\362S;ISl;
Sep 27 23:41:46 bluebox sshd[22380]: Bad protocol version identification '\231\021\320\203\252\364\334z\340G\031\001i\240\204\304\336\2
Sep 27 23:42:46 bluebox sshd[23983]: Did not receive identification string from 173.244.48.49
Sep 27 23:42:51 bluebox sshd[24167]: Bad protocol version identification '6OI\026\304p{\006\257\201\313\202\361\345\0341Z\3143$\264(\02
This effectively results in a DoS, because regular ssh connections often fail. :'(
Any ideas how to track down why this torrent traffic keeps hitting my ssh port and how to get rid of it?
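Added example (editor's code, not part of the original post): a small Python script that undoes the escaping sshd applies before logging a bad identification string and sorts the entries by what the peer actually sent. A plaintext BitTorrent handshake begins with the byte 0x13 followed by the string "BitTorrent protocol", which is exactly the '\023BitTorrent protocol' entry above; the reserved bytes that follow it start with NUL, so sshd's C string ends there and nothing after it is logged. The random-looking entries are consistent with the encrypted (MSE/PE) BitTorrent handshake, which opens with a Diffie-Hellman public key plus random padding, although the log alone cannot prove that. The sample lines are constructed here, patterned on the poster's, with documentation-range addresses instead of the real peers; the last one deliberately has no closing quote, mimicking the truncated entries above.

```python
import re
from collections import Counter

# Constructed sample in the shape of the poster's sshd lines (documentation-range
# IPs, not the real peers). The last line is a truncated entry with no closing quote.
SAMPLE_LOG = r"""
Sep 27 23:31:34 bluebox sshd[6507]: Bad protocol version identification '\023BitTorrent protocol' from 203.0.113.10 port 65454
Sep 27 23:32:37 bluebox sshd[8300]: Bad protocol version identification '\214' from 203.0.113.11 port 65481
Sep 27 23:34:24 bluebox sshd[10839]: Bad protocol version identification '\230\032' from 203.0.113.12 port 61681
Sep 27 23:36:45 bluebox sshd[14676]: Bad protocol version identification '' from 203.0.113.12 port 61990
Sep 27 23:30:17 bluebox sshd[4659]: Bad protocol version identification 'R\263k\3572\\B\025t\016\2223\372dQ\027\\\v6\2477*\360' from 203.0.113.13 port 51000
Sep 27 23:42:46 bluebox sshd[23983]: Did not receive identification string from 203.0.113.14
Sep 27 23:50:00 bluebox sshd[25000]: Bad protocol version identification 'GET / HTTP/1.1' from 203.0.113.15 port 40000
Sep 27 23:28:26 bluebox sshd[1778]: Bad protocol version identification '\365\255\343N\201\274GM\027\243\303\336\330P\257\227-='\346\22
"""

# Complete entry: quoted identification string, optionally followed by the peer address.
BAD_RE = re.compile(r"Bad protocol version identification '(?P<ident>.*)'"
                    r"(?: from (?P<ip>\S+) port (?P<port>\d+))?\s*$")
# Fallback for entries cut off mid-string (no closing quote, no peer address).
BAD_TRUNC_RE = re.compile(r"Bad protocol version identification '(?P<ident>.*)$")
# Peer connected and closed without sending a line at all.
NOID_RE = re.compile(r"Did not receive identification string from (?P<ip>\S+)")

BT_HANDSHAKE = b"\x13BitTorrent protocol"   # pstrlen=19 + "BitTorrent protocol"

_ESC = {"a": 7, "b": 8, "f": 12, "n": 10, "r": 13, "t": 9, "v": 11}


def unvis(s):
    r"""Undo the vis(3)-style escaping sshd uses in log messages: \ddd octal,
    \a \b \f \n \r \t \v, and \\ for a literal backslash. A dangling escape at
    the end of a truncated line is tolerated."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] != "\\":
            out.append(ord(s[i]) & 0xFF)
            i += 1
            continue
        i += 1
        if i >= len(s):
            break                      # line was cut off inside an escape
        if s[i] in "01234567":
            j = i
            while j < len(s) and j - i < 3 and s[j] in "01234567":
                j += 1
            out.append(int(s[i:j], 8) & 0xFF)
            i = j
        else:
            out.append(_ESC.get(s[i], ord(s[i]) & 0xFF))
            i += 1
    return bytes(out)


def classify(raw):
    """Label the decoded bytes a peer sent instead of an SSH version line."""
    if raw.startswith(BT_HANDSHAKE):
        return "bittorrent"            # plaintext BitTorrent peer handshake
    if raw == b"":
        return "empty"                 # peer sent a bare newline
    if all(32 <= b < 127 for b in raw):
        return "text"                  # e.g. an HTTP request or other plain probe
    return "binary"                    # random-looking; consistent with MSE/PE BitTorrent


def parse(log_text):
    events = []
    for line in log_text.splitlines():
        m = NOID_RE.search(line)
        if m:
            events.append({"ip": m.group("ip"), "kind": "no-ident",
                           "raw": b"", "truncated": False})
            continue
        m, truncated = BAD_RE.search(line), False
        if not m:
            m, truncated = BAD_TRUNC_RE.search(line), True
        if not m:
            continue                   # not one of the lines we care about
        raw = unvis(m.group("ident"))
        ip = m.groupdict().get("ip") or "?"   # "?" when the address was cut off
        events.append({"ip": ip, "kind": classify(raw), "raw": raw,
                       "truncated": truncated})
    return events


def summarize(log_text):
    events = parse(log_text)
    return {
        "events": len(events),
        "by_kind": dict(Counter(e["kind"] for e in events)),
        "by_ip": dict(Counter(e["ip"] for e in events)),
        "truncated": sum(e["truncated"] for e in events),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Against a real box, pass the sshd lines from whatever file sshd logs to into summarize(); the by_ip counts tell you whether one or two peers keep reconnecting (as 82.130.170.128 appears to above) or whether it is a whole swarm, and the bittorrent/binary split tells you how much of it is plaintext versus encrypted peer traffic.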
-
So, here's an idea - do NOT leave SSH and webGUI wide open to the world. Duh! Use VPN or at minimum limit access to well known management IPs.
-
Umm, this is not the ssh on pfsense.
pfsense is forwarding the (non-standard) port to a box in the DMZ.
-
Yeah, and the same applies. If you absolutely need those open to the world, you'll need to use something like Snort or Suricata and proper protocol rules related to SSH to block those. (You will also need to set SSH_PORTS and SSH_SERVERS on the WAN Variables tab accordingly.)
-
Just another example of why attempting security through obscurity is a fail.. Really the only actual reason to use a different port than 22 for your ssh would be to try and lower the log spam of bots hitting it, etc.. ;) You seem to have hit on the complete opposite.. Funny really..
So you're forwarding inbound to some box of yours, or is this some customer behind pfsense that you manage? If it's for your own connectivity - with dok here, VPN would be the way to go.. If it's a customer and they want ssh open.. Why are you on some odd port? Guessing some high random port, which is where p2p normally runs..
So your IP was at some point in a swarm? On this port as well? That is really the only time you would see such large amounts of such traffic.
I am curious how you determined it's p2p traffic exactly. From that log info, or did you sniff it?
-
What would a VPN buy me?
It would do public-key authentication. The sshd is also configured to accept ONLY public-key authentication for specific groups from hosts with verified host keys.
So, what would be the security benefits of using a VPN?
-
Just another example of why attempting security through obscurity is a fail.. Really the only actual reason to use a different port than 22 for your ssh would be to try and lower the log spam of bots hitting it, etc.. ;) You seem to have hit on the complete opposite.. Funny really..
Yeah, this definitely is made worse by using those ephemeral ports for the SSH server.
So, what would be the security benefits of using a VPN?
It'd never reach the SSH box. No SSH DoS-ed there.
-
And what would keep the torrent packets from hitting the VPN port?
-
Errr, uh… nothing of course. You cannot control what gets sent to you on your edge firewall. If you think you are DoS-ed, go talk to your ISP.
-
No, I don't think I'm DoS'ed. I think these are "ricochet" packets.
-
"And what would keep the torrent packets from hitting the VPN port?"
Normally you wouldn't run VPN on a p2p port..
So your problem is your sshd has some sort of timeout when it gets hit X times with failed logins.. Seen them quite often where a possible login gets delayed for X seconds after a failed attempt.. So sure, failed logins can amount to what seems like a DoS..
Changing ports would be what I would suggest. Standard 22 would be best.. Or some odd port that is not a random high one. You don't normally see p2p traffic on such ports, like say 42 or something. Look in your logs for a port that gets the least amount of noise and run it on that port ;)
Like everyone, I see lots of hits to 22, but I do not have 22 forwarded or open to the public. Only VPN ports: 1194, and I run one on tcp 443 as well. This gets some hits sure - but few and far between that are not me logging in.. In the last 2881 hits on the firewall I see 12 hits to tcp 443 that were not me.. And to 1194 I see a whole 1 hit that was not me for udp that was allowed, and 1 that was blocked on tcp.
There is always going to be noise.. But you will most likely see far less to a VPN port, even when you run it on a common tcp port like 443..
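Editor's added note and example, not part of any post in the thread: the sshd setting that most directly turns a steady trickle of junk connections into refused logins is MaxStartups. Every accepted TCP connection counts as an unauthenticated "startup" from accept until sshd is finished with it (authenticated, rejected with a protocol error, or killed by LoginGraceTime, default 120 seconds), and with the default `MaxStartups 10:30:100` sshd refuses new connections with 30% probability once 10 are pending, ramping linearly to 100% at 100 pending. How full the pool gets depends on how long each junk peer keeps its socket open before sshd gets a newline, 255 bytes, or a close, which the log above does not show, so the model below takes that hold time as a parameter. The function names and the arrival scenario are the editor's constructions; only the ramp itself is sshd's.

```python
def drop_probability(pending, begin=10, rate=30, full=100):
    """Chance that sshd refuses a new connection while `pending` unauthenticated
    connections are open, for MaxStartups begin:rate:full (default 10:30:100).
    Integer arithmetic mirrors the linear ramp sshd itself computes."""
    if pending < begin:
        return 0.0
    if pending >= full or rate >= 100:
        return 1.0
    p = (100 - rate) * (pending - begin) // (full - begin) + rate
    return p / 100


def pending_at(t, connections):
    """Connections still open at time t; each is (arrival, hold) in seconds."""
    return sum(1 for arrival, hold in connections if arrival <= t < arrival + hold)


def junk_arrivals(count, interval, hold):
    """Constructed scenario (editor's assumption): `count` junk peers connect
    `interval` seconds apart and each occupies a pre-auth slot for `hold`
    seconds, i.e. until sshd gives up on it (at most LoginGraceTime)."""
    return [(i * interval, hold) for i in range(count)]


def login_failure_chance(t, connections, **max_startups):
    """Probability that a legitimate ssh connect at time t is refused outright."""
    return drop_probability(pending_at(t, connections), **max_startups)


if __name__ == "__main__":
    # One junk connect every 2 s, each hanging until the 120 s default grace time.
    steady = junk_arrivals(count=150, interval=2, hold=120)
    print("LoginGraceTime 120, MaxStartups 10:30:100:",
          pending_at(200, steady), "pending,",
          f"{login_failure_chance(200, steady):.0%} of logins refused")
    # Same flood, but sshd drops idle pre-auth sockets after 20 s.
    short = junk_arrivals(count=150, interval=2, hold=20)
    print("LoginGraceTime 20,  MaxStartups 10:30:100:",
          pending_at(200, short), "pending,",
          f"{login_failure_chance(200, short):.0%} refused")
    # ...and with the early-drop threshold raised as well.
    print("LoginGraceTime 20,  MaxStartups 30:30:100:",
          f"{login_failure_chance(200, short, begin=30):.0%} refused")
```

The point of the three printed scenarios is that the junk peers never need to log in, or even speak SSH, to hurt you: they only need to keep a pre-auth slot occupied. Shortening LoginGraceTime and raising the first MaxStartups number are the two sshd-side knobs that change the outcome; neither stops the traffic itself, which is the firewall's job.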
-
So your problem is your sshd has some sort of timeout when it gets hit X times with failed logins.. Seen them quite often where a possible login gets delayed for X seconds after a failed attempt.. So sure, failed logins can amount to what seems like a DoS..
Changing ports would be what I would suggest. Standard 22 would be best..
On 22, thousands of script-kiddies are knocking. Even more than on some random p2p-port. This is why I changed ports.
I don't see what changing to VPN would buy me. The ricochet packets would arrive at the VPN port instead of the sshd-port.
Or some odd port that is not a random high one. You don't normally see p2p traffic on such ports, like say 42 or something.
Isn't 42 used by WINS? I'd expect even more script-kiddies playing with WINS…
Like everyone, I see lots of hits to 22, but I do not have 22 forwarded or open to the public. Only VPN ports: 1194, and I run one on tcp 443 as well. This gets some hits sure - but few and far between that are not me logging in.. In the last 2881 hits on the firewall I see 12 hits to tcp 443 that were not me.. And to 1194 I see a whole 1 hit that was not me for udp that was allowed, and 1 that was blocked on tcp.
Really? Nobody trying to break openvpn?