Score:1

sshd banner exchange error messages

hu flag

Starting yesterday, I began seeing thousands of messages like this in the auth.log:

```
sshd[3635916]: banner exchange: Connection from 202.142.184.68 port 24571: invalid format
```

Almost 17,000 occurrences of the same IP address shown above, and about 500 occurrences of various other IP addresses. The ports are always changing, and I wonder if this is a brute force attempt. I have ufw enabled, which includes this rule I added several minutes ago:

```
Anywhere DENY IN 202.142.184.68
```

but that hasn't stopped the messages. iplocation places the IP address in Pakistan. I have SSH set up to allow connections on only one port, and it's not the default port for SSH. For my user ID on the server, I SSH in (PuTTY) without a password, using a secure key.

Is there any way to stop these sshd connection attempts, or whatever they are? Should I try fail2ban as mentioned in "How can I stop ssh bots from trying to SSH in as root?"

BTW, the server is 22.04.1.

FedKad avatar
cn flag
You can try https://manpages.ubuntu.com/manpages/man8/sshguard.8.html also.
Cardsfan avatar
hu flag
Took a look at the man page. If I understand correctly, sshguard just automatically updates the firewall based on the logs? I wonder if sshguard will work, because I updated the firewall via UFW but I'm not seeing 202.142.184.68 being blocked in the ufw log.
Cardsfan avatar
hu flag
sshguard is now running, and I've done the setup with UFW per https://www.tecmint.com/block-ssh-brute-force-attacks-sshguard/. The `sshd[12973]: banner exchange: Connection from 202.142.184.68 port 13463: invalid format` messages continue, so maybe sshguard and ufw will not stop these attempts, and maybe I should not worry and just consider this an annoyance. Password auth is set to no, SSH requires a key, and I have 2FA set up.
FedKad avatar
cn flag
You can look with `iptables -S`. Also check `auth.log` for attacks and blocks.
Cardsfan avatar
hu flag
This is in the iptables: `sudo iptables -S | grep 202` gives `-A ufw-user-input -s 202.142.184.68/32 -j DROP`
cg flag
Does anyone know why this is happening? Is `banner exchange: Connection from x.x.x.x port 52498: invalid format` indicating someone trying to take advantage of a vulnerability?
cg flag
Just found [this related thread](https://stackoverflow.com/questions/66685456/cannot-ssh-my-ubuntu-server-kex-exchange-identification-banner-line-contains), which is useful.
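To get a per-source view of the `banner exchange ... invalid format` noise discussed above, here is an added example (not from the question or any of the commenters) that parses constructed auth.log lines, counts the failures per IP, and emits ufw rules for the sources over a threshold. The log lines and the RFC 5737 test addresses are constructed; `ufw insert 1` is used so the deny lands ahead of any existing allow rule for the SSH port.

```python
import re
from collections import Counter

# Exact shape of the sshd message quoted in the question.
BANNER_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: banner exchange: Connection from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+): invalid format"
)

# Constructed sample auth.log excerpt (documentation-range addresses, not real captures).
SAMPLE_LOG = """\
Jan 10 03:14:07 host sshd[3635916]: banner exchange: Connection from 203.0.113.7 port 24571: invalid format
Jan 10 03:14:09 host sshd[3635917]: banner exchange: Connection from 203.0.113.7 port 24580: invalid format
Jan 10 03:14:11 host sshd[3635918]: banner exchange: Connection from 203.0.113.7 port 24602: invalid format
Jan 10 03:14:20 host sshd[3635920]: Accepted publickey for alice from 198.51.100.5 port 51022 ssh2: RSA SHA256:PLACEHOLDER
Jan 10 03:15:02 host sshd[3635925]: banner exchange: Connection from 198.51.100.9 port 40112: invalid format
Jan 10 03:15:30 host sshd[3635930]: Connection closed by 192.0.2.44 port 33310 [preauth]
"""


def count_banner_failures(lines):
    """Return {ip: count} for every 'banner exchange ... invalid format' line; other lines are ignored."""
    counts = Counter()
    for line in lines:
        m = BANNER_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def noisy_sources(counts, threshold):
    """IPs whose failure count meets or exceeds threshold, most frequent first."""
    return [ip for ip, n in counts.most_common() if n >= threshold]


def ufw_commands(ips):
    """Deny rules for each source; 'insert 1' places them before existing allow rules."""
    return [f"ufw insert 1 deny from {ip} to any" for ip in ips]


if __name__ == "__main__":
    counts = count_banner_failures(SAMPLE_LOG.splitlines())
    for ip, n in counts.most_common():
        print(f"{ip:>15}  {n}")
    for cmd in ufw_commands(noisy_sources(counts, threshold=3)):
        print(cmd)
```

ufw evaluates rules in order and `ufw deny from <ip>` appends after rules already present, so a deny added after an allow for the SSH port is never reached; inserting it at position 1 avoids that.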
Score:0
us flag

My server was getting login attempts about every 40 seconds around the clock. I use RSA authentication, so none of them ever got in, but the amount of traffic was bothersome. I changed the SSH port from 22 to another unused port. Now I get less than one attempt per day. Some of these attempts consist of requests for banner exchanges which sshd_config is set to refuse.
