2017-12-26
Some extra noise in sshd attempts
This morning I noticed an amount of sshd noise in the log that was new to me:

Dec 26 01:55:43 server sshd[31415]: Bad protocol version identification '\200F\001\003\001' from 185.110.132.140
Dec 26 01:56:24 server sshd[31466]: Bad protocol version identification '\200F\001\003\001' from 185.110.132.140
Dec 26 01:56:53 server sshd[31475]: Bad protocol version identification '\200F\001\003\001' from 185.110.132.140
Dec 26 01:57:33 server sshd[31499]: Bad protocol version identification '\200F\001\003\001' from 185.110.132.140
Dec 26 01:58:17 server sshd[31691]: Bad protocol version identification '\200F\001\003\001' from 185.110.132.140
Dec 26 01:58:51 server sshd[31749]: Bad protocol version identification '\200F\001\003\001' from 185.110.132.140
Dec 26 01:59:32 server sshd[31773]: Bad protocol version identification '\200F\001\003\001' from 185.110.132.140

Dec 26 12:07:58 server sshd[16434]: Bad protocol version identification '\200F\001\003\001' from 185.110.132.140
Dec 26 12:08:55 server sshd[16687]: Bad protocol version identification '\200F\001\003\001' from 185.110.132.140
Dec 26 12:09:52 server sshd[16743]: Bad protocol version identification '\200F\001\003\001' from 185.110.132.140

Going on and on and on and.. So I looked it up and found "How to block Bad protocol version? · Issue #1284 · fail2ban/fail2ban · GitHub", which has a simple rule to block this with fail2ban. As soon as the sshd.local was loaded, a block was set for 185.110.132.140.
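Added example, not part of the original post and not the rule from the fail2ban issue: the kind of matching such a rule performs, run in Python over log lines like the ones above, plus a decode of the logged banner. The bytes 80 46 01 03 01 are the start of an SSLv2-framed TLS ClientHello, so the sender is speaking TLS to the SSH port. The regex, the maxretry threshold, the function names and the 192.0.2.10 line are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample: four lines as quoted in the post plus one made-up benign line.
SAMPLE_LOG = r"""
Dec 26 01:55:43 server sshd[31415]: Bad protocol version identification '\200F\001\003\001' from 185.110.132.140
Dec 26 01:56:24 server sshd[31466]: Bad protocol version identification '\200F\001\003\001' from 185.110.132.140
Dec 26 01:56:53 server sshd[31475]: Bad protocol version identification '\200F\001\003\001' from 185.110.132.140
Dec 26 01:57:10 server sshd[31480]: Accepted publickey for admin from 192.0.2.10 port 50022 ssh2
Dec 26 12:07:58 server sshd[16434]: Bad protocol version identification '\200F\001\003\001' from 185.110.132.140
""".strip().splitlines()

# Assumed pattern, written for this example. The banner is client-controlled,
# so the host is anchored to the end of the line: text placed inside the
# banner cannot stand in for the address that sshd itself appended.
BAD_BANNER = re.compile(
    r"sshd\[\d+\]: Bad protocol version identification '(?P<banner>.*)' "
    r"from (?P<host>\d{1,3}(?:\.\d{1,3}){3})(?: port \d+)?\s*$"
)

def unescape(banner: str) -> bytes:
    """Turn sshd's octal escapes (e.g. \\200) back into raw bytes."""
    return re.sub(rb"\\([0-3][0-7]{2})",
                  lambda m: bytes([int(m.group(1), 8)]),
                  banner.encode("latin-1"))

def looks_like_tls_hello(raw: bytes) -> bool:
    """SSLv2-framed ClientHello: high bit set in byte 0, type 1, version 3.x."""
    return len(raw) >= 4 and (raw[0] & 0x80) != 0 and raw[2] == 1 and raw[3] == 3

def offenders(lines, maxretry=3):
    """Return {host: count} for hosts with at least maxretry bad banners."""
    hits = Counter()
    for line in lines:
        m = BAD_BANNER.search(line)
        if m:
            hits[m.group("host")] += 1
    return {host: n for host, n in hits.items() if n >= maxretry}

if __name__ == "__main__":
    raw = unescape(BAD_BANNER.search(SAMPLE_LOG[0]).group("banner"))
    print("banner bytes:", raw.hex(), "TLS hello:", looks_like_tls_hello(raw))
    print("would be banned:", offenders(SAMPLE_LOG))
```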