New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

How to block Bad protocol version? #1284

Closed
twixi opened this Issue Dec 29, 2015 · 1 comment

Comments

Projects
None yet
2 participants
@twixi

twixi commented Dec 29, 2015

I have more 500 in auth.log (ssh port change to 23):
I have more:
sshd[20620]: Bad protocol version identification 'guest' from 124.244.54.245 port 39405
sshd[16472]: Did not receive identification string from 87.76.240.167
How to block this in rules!!?

@sebres

This comment has been minimized.

Show comment
Hide comment
@sebres

sebres Dec 29, 2015

Member

This are no failures in sense of authentication (because login does not take place).
But if you will that yet, just copy filter.d/sshd.conf into filter.d/sshd.local and add following to the failregex:

^%(__prefix_line)sBad protocol version identification '.*' from <HOST> port \d+\s*$
^%(__prefix_line)sDid not receive identification string from <HOST>\s*$
Member

sebres commented Dec 29, 2015

This are no failures in sense of authentication (because login does not take place).
But if you will that yet, just copy filter.d/sshd.conf into filter.d/sshd.local and add following to the failregex:

^%(__prefix_line)sBad protocol version identification '.*' from <HOST> port \d+\s*$
^%(__prefix_line)sDid not receive identification string from <HOST>\s*$

@sebres sebres closed this Dec 29, 2015

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment