I guess I trigger the bot detection? All I am served with is a Rick Astley quote.<p>Turns out switching from Firefox mobile to Chrome mobile "fixes" this. Thanks for supporting the free and open internet.
Lol, I want to know what happened here:<p><pre><code> Eventually I blocked Brazil since I always
block them via accept-language in nginx and haproxy anyway.
For reasons I will never understand most people in Brazil
can not and/or will not read or follow even the
simplest instructions. This has been the case since BR was
connected to the internet.
</code></pre>
source: <a href="https://mirror.newsdump.org/_README.txt" rel="nofollow">https://mirror.newsdump.org/_README.txt</a>
We don't leave any ports open anymore. Everything is behind Wireguard. No key? Your packet goes into the blackhole.<p>Silent by default.
That is a good idea. My example is for people that expose ssh/sftp on purpose such as a public SFTP server for sharing <i>who knows what</i>.
be sure to add iptables to drop packets if there's no back and forth exchange of data, then you're good2go as fake/wrong keys don't use resources to determine if a key is legit or not. not that big of a deal and wg just doesn't reply anyways<p>And good choice on the wireguard only, only issue I had is devops/testing things and not being connected to the wireguard because I'd be connected to another wireguard and couldn't ssh in to the server.<p>WireGuard _all_ of the things
> add iptables to drop packets if there's no back and forth exchange of data, then you're good2go as fake/wrong keys don't use resources to determine if a key is legit or not.<p>How does an initial connection work in that scheme?<p>Seems like a pretty big footgun for questionable benefit, since a main benefit of Wireguard is that it’s very lean in terms of resources.
> The VersionAddendum will cause most poorly coded bots to hang, thus causing the botter to exclude us from their scans rather than us having to block them.<p>Why does this happen, wouldn't bots just ignore the version information?
I like this, back when the xterm CVE was common you could probably 0wn any botter who was looking at their logs in xterm.
Not sure if it's down or if I've been flagged incorrectly as a bot<p><pre><code> Safari can't open the page "https://mirror.newsdump.org/confuse-some-ssh-bots.html" because Safari can't connect to the server "mirror.newsdump.org".</code></pre>
Interesting bit here. How would this render the firewall useless?<p><pre><code> # greater than 1 is a vulnerability by design used by TLA phishers rendering every firewall useless.
# beware of fakademic mid-wits that parrot things they do not understand.
MaxSessions 1</code></pre>
If I can get you or someone on your team to run a script <i>meaning I was phishing and someone on your email alias ran it to "help me debug my new script"</i> then I can drop a tiny obfuscated shell script that will execute when you log in. No sudo, no root. Your machine will ssh out to a node I control using gateway ports. I then ssh into your node using a key I dropped plus an sshd running as you and then piggy-back on your multiplexed connection to your development or production data-center making use of a connection that you already authenticated to and already used MFA/2FA. In most cases there will be no logs to gather and the security team will see my connection as you. No hacking tools required, no detection from most security daemons.<p>It's only a risk if someone on your team runs the script and your local network allows outbound connections to the internet. None of this is theory though management teams will never want to see a demo much less let others in the company see it. A former coworker came up with the design. Shout out to The Godfather.
Not sure I follow. Is your main objection to it that it can obfuscate login activity since many systems track login/connection events at the sshd level and are oblivious to SSH multiplexing?<p>I personally find it extremely useful when working with servers more than 100ms or so away in many contexts, and even closer if the workflow requires making many short-lived connections.
<i>Is your main objection to it that it can obfuscate login activity since many systems track login/connection events at the sshd level and are oblivious to SSH multiplexing?</i><p>No, it means anyone that can get your team to execute a script can log in as you in any data-center you have authenticated to regardless of multi-factor authentication without using credentials. It means firewalls do not exist, CVE's not required and credentials are not required.<p><i>I personally find it extremely useful</i><p>Absolutely, not using credentials and riding the existing channels will always be faster. Removing authentication requirements will always reduce friction.
Feel free to test your SSH bots <i>and HTTP bots</i> against mirror.newsdump.org
I am having fun playing with the slow syn flood of spoofed packets someone is sending. I appreciate them sending it. I like the variability in the TCP MSS, TTL, Window sizes they are sending.<p>Thus far I am letting some leak through it would seem.<p><pre><code> 100 SYN received in 15.03 seconds
100 SYN-ACK returned in 3 minutes and 22.03 seconds.
</code></pre>
Thus far 2388 requests to this confused-bots file have been let through and 3226 have been assumed to be bots.
Eventually ran out of things to play with. Actions taken:<p>- Blackhole routed a few ASN's / data-centers. It's all spoofed packets but good to block data-centers regardless so we are not sending them syn-ack (good hygiene).<p>- Added a temporary rule when we encounter a syn-flood. [1]<p>End result: Input 20 packets in 17 seconds, Output syn-ack reply 20 packets in 4 minutes and 44 seconds. That should translate to an acceptable amount of syn-ack if we were actually attacked some day.<p>Impact: Before, we sent more syn-ack then I would have liked but there was overall no impact to Nginx as we use the "deferred" socket option [2]. Now we send far fewer syn-ack packets for good internet hygiene. Thank-you to the person using the syn flood tool.<p>[1] - <a href="https://mirror.newsdump.org/nftables.txt" rel="nofollow">https://mirror.newsdump.org/nftables.txt</a><p>[2] - <a href="https://mirror.newsdump.org/nginx/http.d/11_bad_sni.conf.txt" rel="nofollow">https://mirror.newsdump.org/nginx/http.d/11_bad_sni.conf.txt</a>
On a funny side note, it seems that after blocking ASN's I ended up finding by coincidence this list of ASN's that are related in some way to StormWall [1]. Curious what that means. Perhaps they were trying to get me to add myself to a BGP GRE DDoS scrubbing list with the syn-ack packets. Well played if so! :-D<p>[1] - <a href="https://bgp.tools/as-set/RIPE::as-stormwall-set#reverse" rel="nofollow">https://bgp.tools/as-set/RIPE::as-stormwall-set#reverse</a>
Paramiko v4.0.0 (the latest) gets past the version string, it seems, but dies instantly on failed KEX, which is another convenient incompatibility. It does mean that even legitimate SSH bots in Python will fail though.
That is likely from performing hardening in ssh-audit [1]. The way I used to block python, Go and libssh was to use a iptables string search but that capability does not exist <i>at least natively</i> in nftables.<p>[1] - <a href="https://www.ssh-audit.com/" rel="nofollow">https://www.ssh-audit.com/</a>
I love this, I remember running a tarpit on port 22 on a spare VM at an old job of mine. Was entertaining to tie up all those scanners and be a pest to their runners.<p>The extremely large banner in this example is hilarious.
I can't load the page (Firefox mobile on android)
Can't access this site