Confuse some SSH bots and make botters block you

(mirror.newsdump.org)

37 points by Bender5 days ago

6 comments

  • jojomodding1 hour ago
    I guess I trigger the bot detection? All I am served with is a Rick Astley quote.<p>Turns out switching from Firefox mobile to Chrome mobile &quot;fixes&quot; this. Thanks for supporting the free and open internet.
    • Bender43 minutes ago
      Yeah I probably have a number of false positives from my semi-fascist nginx configuration [2] I just use this for hobby sites and would never be accepted as a commercially supported CDN. They do fancy detection methods whereas I just use simple hacky methods. I tend to tune things so my friends can get through and some random people may get dropped until I look at what they are sending. For what it&#x27;s worth each method is entirely optional or tunable to a persons needs or fever dreams. <i>Probably language settings.</i><p>[1] - <a href="https:&#x2F;&#x2F;mirror.newsdump.org&#x2F;nginx&#x2F;inc.d&#x2F;30_generic_http_stuff.conf.txt" rel="nofollow">https:&#x2F;&#x2F;mirror.newsdump.org&#x2F;nginx&#x2F;inc.d&#x2F;30_generic_http_stuf...</a>
  • exabrial1 hour ago
    We don&#x27;t leave any ports open anymore. Everything is behind Wireguard. No key? Your packet goes into the blackhole.<p>Silent by default.
    • Bender1 hour ago
      That is a good idea. My example is for people that expose ssh&#x2F;sftp on purpose such as a public SFTP server for sharing <i>who knows what</i>.
  • ChuckMcM55 minutes ago
    I like this, back when the xterm CVE was common you could probably 0wn any botter who was looking at their logs in xterm.
  • unsnap_biceps1 hour ago
    Not sure if it&#x27;s down or if I&#x27;ve been flagged incorrectly as a bot<p><pre><code> Safari can&#x27;t open the page &quot;https:&#x2F;&#x2F;mirror.newsdump.org&#x2F;confuse-some-ssh-bots.html&quot; because Safari can&#x27;t connect to the server &quot;mirror.newsdump.org&quot;.</code></pre>
    • Bender1 hour ago
      If the TCP Window size is abnormally small I block those and MSS outside of 1280-1460 but that is prior to anything the browser is doing. Those can been seen with<p><pre><code> tcpdump -p -i any -c512 -NNnnvv port 443 and &#x27;tcp[13] == 2&#x27; </code></pre> Or if a VPN is being used there is always a chance it is coming from a server&#x2F;VPS provider and may be blackhole routed on my end.
  • politelemon1 hour ago
    &gt; The VersionAddendum will cause most poorly coded bots to hang, thus causing the botter to exclude us from their scans rather than us having to block them.<p>Why does this happen, wouldn&#x27;t bots just ignore the version information?
    • estimator72921 hour ago
      That would be a &quot;properly designed&quot; bot and not a poorly-coded one
      • Bender1 hour ago
        That pretty much sums it up. Someone writes a quick and dirty python&#x2F;perl thing and all the botters use it rather than writing something around a recent ssh library. Their thing is probably faster but leaves out a lot making them easier to detect or break.
  • Bender5 days ago
    Feel free to test your SSH bots <i>and HTTP bots</i> against mirror.newsdump.org
    • Bender1 minute ago
      [delayed]
    • danudey59 minutes ago
      Paramiko v4.0.0 (the latest) gets past the version string, it seems, but dies instantly on failed KEX, which is another convenient incompatibility. It does mean that even legitimate SSH bots in Python will fail though.
      • Bender45 minutes ago
        That is likely from performing hardening in ssh-audit [1]. The way I used to block python, Go and libssh was to use a iptables string search but that capability does not exist <i>at least natively</i> in nftables.<p>[1] - <a href="https:&#x2F;&#x2F;www.ssh-audit.com&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.ssh-audit.com&#x2F;</a>