
Suricata Logged my Server Reaching Out to Known Abusive IP


I recently installed Suricata as an Intrusion Detection System on my Ubuntu 22.04 server. I set up Suricata following a tutorial on DigitalOcean (https://www.digitalocean.com/community/tutorials/how-to-install-suricata-on-ubuntu-20-04), using the default ruleset.

Early in the morning Suricata generated and logged an Alert, showing that my server reached out to a known abusive IP address via SSH.

I have been receiving many attempted SSH connections from abusive IPs, as is normal, but I was surprised to see my server reaching out to one. What could have caused this?

For reference I have secured my server to accept only SSH connections verified with a public key. Password login for root is disabled.

Suricata Logs
I have redacted my server's IP.

10/21/2022-02:20:29.254697  [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} XXX.XXX.XXX.XXX:22 -> 185.99.135.7:64347
10/21/2022-02:25:17.194926  [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} XXX.XXX.XXX.XXX:22 -> 185.99.135.7:62028

auth.log:
And there are corresponding sshd log entries in /var/log/auth.log shown below:

Oct 21 02:20:29 <servername> sshd[16078]: error: kex_exchange_identification: banner line contains invalid characters
Oct 21 02:20:29 <servername> sshd[16078]: banner exchange: Connection from 185.99.135.7 port 64347: invalid format
Oct 21 02:25:17 <servername> sshd[16081]: error: kex_exchange_identification: banner line contains invalid characters
Oct 21 02:25:17 <servername> sshd[16081]: banner exchange: Connection from 185.99.135.7 port 62028: invalid format
Oct 21 02:25:17 <servername> sshd[16082]: refused connect from 92.255.85.70 (92.255.85.70)

I have replaced my hostname with <servername> here.

Later that day when attempting to SSH into my server, SSH informed me that the remote host identification had changed (possible MITM attack).

I'm not sure how to interpret this event; any guidance on what happened at 2:20:29 and 2:25:17 this morning would be appreciated.

anx
dupe: https://askubuntu.com/questions/1436652/suricata-logged-my-server-reaching-out-to-an-abusive-ip
anx
If OpenSSH had a pre-auth remote hole, you would have bigger troubles than a compromised server. You should investigate whether Suricata is just being funny with clarifying the direction of traffic in logs. It is possible that you can replicate this alert simply by sending garbage to the ssh port and get hung up on by sshd expecting a banner.
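One way to check the direction question raised in the comment above is to correlate each fast.log alert with the sshd "banner exchange" line that shares the same peer IP and port, and to classify who opened the session from the port pair (a listening port on one side, an ephemeral port on the other). This is an added example written for this thread, not code from Suricata or from the question's author; the sample log lines are copied from the question with the hostname replaced by a placeholder.

```python
import re

# Constructed sample input: the two alert lines and the two matching sshd lines from the question.
FAST_LOG = """\
10/21/2022-02:20:29.254697  [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} XXX.XXX.XXX.XXX:22 -> 185.99.135.7:64347
10/21/2022-02:25:17.194926  [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} XXX.XXX.XXX.XXX:22 -> 185.99.135.7:62028
"""
AUTH_LOG = """\
Oct 21 02:20:29 servername sshd[16078]: banner exchange: Connection from 185.99.135.7 port 64347: invalid format
Oct 21 02:25:17 servername sshd[16081]: banner exchange: Connection from 185.99.135.7 port 62028: invalid format
"""

FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\w.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\w.]+):(?P<dport>\d+)$")
AUTH_RE = re.compile(r"Connection from (?P<ip>[\d.]+) port (?P<port>\d+)")

def parse_fast(line):
    """Parse one fast.log line into a dict; ports are ints. Returns None on no match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    return {k: (int(v) if k in ("sport", "dport") else v) for k, v in m.groupdict().items()}

def initiator(alert, listening_ports=frozenset({22})):
    """Decide who opened the TCP session. fast.log prints the direction of the
    packet that triggered the rule, not the session originator: if the local
    side talks from a listening port to a high (ephemeral, >1024) port, the
    remote host connected to us and this packet is our reply."""
    if alert["sport"] in listening_ports and alert["dport"] > 1024:
        return "remote"
    if alert["dport"] in listening_ports and alert["sport"] > 1024:
        return "local"
    return "unknown"

def correlate(fast_log, auth_log):
    """Join alerts to sshd banner failures by (peer ip, peer port) and label the initiator."""
    sshd = {}
    for line in auth_log.splitlines():
        m = AUTH_RE.search(line)
        if m:
            sshd[(m["ip"], int(m["port"]))] = line
    results = []
    for line in fast_log.splitlines():
        a = parse_fast(line)
        if a is None:
            continue
        results.append({"ts": a["ts"], "peer": a["dst"], "initiator": initiator(a),
                        "sshd": sshd.get((a["dst"], a["dport"]))})
    return results
```

For the question's lines every alert resolves to initiator "remote" with a matching sshd banner failure, i.e. the "outbound" packet was the server's reply on port 22 to a connection the abusive host opened.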