
Re: interpreting "Bad protocol version" strings?


Dag-Erling Smørgrav

Mar 2, 2010, 2:59:37 PM
Bob Fnord <b...@example.com> writes:
> I run my SSH server on port 443 to avoid firewall problems when
> working remotely (hotels and such). Sometimes I get messages like
> this in auth.log:
>
> Bad protocol version identification '\\\266)O\362\215\004\313\344\204>\321`\002\236:\306' from ...
>
> How can I figure out what that means, so I know whether I'm seeing
> port-scanning and what kind?

Well, duh. HTTPS.

DES
--
Dag-Erling Smørgrav - d...@des.no

Wolfgang Meiners

Mar 2, 2010, 3:59:25 PM

Bob Fnord wrote:

> I run my SSH server on port 443 to avoid firewall problems when
> working remotely (hotels and such). Sometimes I get messages like
> this in auth.log:
>
> Bad protocol version identification '\\\266)O\362\215\004\313\344\204>\321`\002\236:\306' from ...
>

I am not sure what that means, but 443 is https and when you try to
connect to port 443, a local proxy gets information about what kind of
server is listening at that port.

> How can I figure out what that means, so I know whether I'm seeing
> port-scanning and what kind?

You can run a tool like stunnel on your server port 443 and redirect the
input to port 22. Then, you need stunnel or socat at your remote laptop,
to redirect and encrypt ssh output to your server.


In my laptop's ~/.ssh/config there is a part like

Host athome_viassl
    HostName MyHostAtHome
    Port 443
    HostKeyAlias MylocalSSH-Server
    CheckHostIP no
    ProxyCommand socat - SSL:%h:%p,cafile="My-ssl-server-cert.crt",cert="My-remote-ssl-key.pem"


so a simple ssh athome_viassl does the trick.

> thanks
>
>


Barry Margolin

Mar 3, 2010, 2:46:27 AM
In article <50Y0IZQF4024...@reece.net.au>,
Bob Fnord <b...@example.com> wrote:

> That's what I'd expect, but I'm seeing a lot of different, really
> strange "version identification" strings: Here's a selection from my
> logs:

An SSH server expects the first thing that the client sends to be a
version string. But since you're running your server on the HTTPS port,
you're getting connections from clients that are sending encrypted SSL
traffic. This is just meaningless, binary garbage to the SSH server.

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***


Barry Margolin

Mar 4, 2010, 10:43:01 PM
In article <IPTQ9VT44024...@reece.net.au>,
Bob Fnord <b...@example.com> wrote:

> Barry Margolin wrote:
>
> > In article <50Y0IZQF4024...@reece.net.au>,
> > Bob Fnord <b...@example.com> wrote:
> > > That's what I'd expect, but I'm seeing a lot of different, really
> > > strange "version identification" strings: Here's a selection from my
> > > logs:
> >
> > An SSH server expects the first thing that the client sends to be a
> > version string. But since you're running your server on the HTTPS port,
> > you're getting connections from clients that are sending encrypted SSL
> > traffic. This is just meaningless, binary garbage to the SSH server.
>

> OK, thanks, I'll keep ignoring it.
> I wondered if there was something I could "decipher" in there,
> just to satisfy my own curiosity.

Well, if you look up the specification of the SSL protocol, you might be
able to translate that binary garbage to it and see what it's sending.
It's presumably just the normal SSL initial encryption negotiation.
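
Added example, not part of any post in this thread: a small Python helper that turns the quoted string from a "Bad protocol version identification" line back into bytes and checks the leading bytes against a TLS record header, an SSLv2-format hello, and plain HTTP. The escape format (a doubled backslash for a literal backslash, three octal digits for other bytes) is an assumption based on the sample quoted above, and all function and variable names are hypothetical.

```python
import re

# Assumption: auth.log writes a literal backslash as "\\" and any other
# non-printable byte as "\NNN" (three octal digits), as the sample suggests.
_ESCAPE = re.compile(rb"\\(\\|[0-3][0-7]{2})")

# Record-layer minor versions (the major version byte is 3 for all of these).
TLS_VERSIONS = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")

# THREAD_SAMPLE is the string quoted in the thread. TLS_SAMPLE is constructed
# for this example: the first three bytes of a TLS handshake record.
THREAD_SAMPLE = r"\\\266)O\362\215\004\313\344\204>\321`\002\236:\306"
TLS_SAMPLE = r"\026\003\001"


def unescape_ident(logged: str) -> bytes:
    """Turn the quoted string from the log line back into raw bytes."""
    def repl(match):
        token = match.group(1)
        return b"\\" if token == b"\\" else bytes([int(token, 8)])
    return _ESCAPE.sub(repl, logged.encode("latin-1"))


def classify(logged: str) -> str:
    """Guess what kind of client produced the logged identification string."""
    raw = unescape_ident(logged)
    if raw.startswith(b"SSH-"):
        return "SSH banner that sshd could not parse"
    # TLS record header: content type 22 (handshake), then major/minor version.
    if len(raw) >= 3 and raw[0] == 0x16 and raw[1] == 3 and raw[2] in TLS_VERSIONS:
        return "TLS handshake record, record version " + TLS_VERSIONS[raw[2]]
    # SSLv2-format hello: high bit set in the length, message type 1.
    if len(raw) >= 3 and raw[0] & 0x80 and raw[2] == 0x01:
        return "possible SSLv2-format ClientHello"
    if raw.startswith(HTTP_METHODS):
        return "plain HTTP request"
    return "unrecognized (%d bytes)" % len(raw)


if __name__ == "__main__":
    for sample in (THREAD_SAMPLE, TLS_SAMPLE, "GET / HTTP/1.1"):
        print(repr(unescape_ident(sample)), "->", classify(sample))
```

A string that matches none of the checks is reported as unrecognized rather than guessed at.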
