Eventually I blocked Brazil since I always block them via accept-language in nginx and haproxy anyway. For reasons I will never understand most people in Brazil can not and/or will not read or follow even the simplest instructions. This has been the case since BR was connected to the internet.
I love this, I remember running a tarpit on port 22 on a spare VM at an old job of mine. Was entertaining to tie up all those scanners and be a pest to their runners.
The extremely large banner in this example is hilarious.
Interesting bit here. How would this render the firewall useless?
# greater than 1 is a vulnerability by design used by TLA phishers rendering every firewall useless.
# beware of fakademic mid-wits that parrot things they do not understand.
MaxSessions 1
If I can get you or someone on your team to run a script meaning I was phishing and someone on your email alias ran it to "help me debug my new script" then I can drop a tiny obfuscated shell script that will execute when you log in. No sudo, no root. Your machine will ssh out to a node I control using gateway ports. I then ssh into your node using a key I dropped plus an sshd running as you and then piggy-back on your multiplexed connection to your development or production data-center making use of a connection that you already authenticated to and already used MFA/2FA. In most cases there will be no logs to gather and the security team will see my connection as you. No hacking tools required, no detection from most security daemons.
It's only a risk if someone on your team runs the script and your local network allows outbound connections to the internet. None of this is theory though management teams will never want to see a demo much less let others in the company see it. A former coworker came up with the design. Shout out to The Godfather.
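The exchange above turns on a few sshd_config keywords (MaxSessions, plus the forwarding knobs a piggy-backed connection relies on). As an added example that is not the commenter's design or OpenSSH's own tooling, here is a small audit that applies sshd's first-value-wins parsing and reports the effective values; the sample config is constructed and the defaults follow sshd_config(5).

```python
import re

# Defaults from sshd_config(5); `sshd -T` prints the live effective values on a host.
DEFAULTS = {"maxsessions": "10", "gatewayports": "no", "allowtcpforwarding": "yes"}

def parse_sshd_config(text):
    """Return (global_settings, match_blocks) using sshd's first-value-wins rule.

    Keywords are case-insensitive; values are kept verbatim. Everything after a
    'Match' line is conditional and is collected per block for separate review.
    """
    global_settings, match_blocks = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            match_blocks.append((value, {}))
        elif match_blocks:
            match_blocks[-1][1].setdefault(key, value)  # first value inside the block wins
        else:
            global_settings.setdefault(key, value)      # later duplicates are ignored by sshd
    return global_settings, match_blocks

def audit(text):
    """Flag settings that let one authenticated connection carry extra sessions or forwards."""
    global_settings, match_blocks = parse_sshd_config(text)
    effective = {k: global_settings.get(k, d) for k, d in DEFAULTS.items()}
    findings = []
    if int(effective["maxsessions"]) > 1:             # the comment above argues for exactly 1
        findings.append("MaxSessions %s allows multiplexed sessions" % effective["maxsessions"])
    if effective["gatewayports"].lower() != "no":
        findings.append("GatewayPorts %s exposes reverse forwards" % effective["gatewayports"])
    if effective["allowtcpforwarding"].lower() != "no":
        findings.append("AllowTcpForwarding %s permits port forwarding" % effective["allowtcpforwarding"])
    for criteria, settings in match_blocks:           # conditional overrides deserve a look too
        for k in DEFAULTS:
            if k in settings and settings[k].lower() != effective[k].lower():
                findings.append("Match %s overrides %s to %s" % (criteria, k, settings[k]))
    return {"effective": effective, "findings": findings}

# Constructed sample, not a real host's configuration.
SAMPLE = """\
Port 22
MaxSessions 1
MaxSessions 10        # ignored: sshd keeps the first value
AllowTcpForwarding yes
Match User deploy
    GatewayPorts yes
"""
```

Running `audit(SAMPLE)` reports the global AllowTcpForwarding and the Match-block GatewayPorts override while accepting MaxSessions 1.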
If the TCP Window size is abnormally small I block those and MSS outside of 1280-1460 but that is prior to anything the browser is doing. Those can be seen with
tcpdump -p -i any -c512 -NNnnvv port 443 and 'tcp[13] == 2'
Or if a VPN is being used there is always a chance it is coming from a server/VPS provider and may be blackhole routed on my end.
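A triage pass over the kind of SYN capture that tcpdump command produces, as an added example and not the commenter's own tooling: the MSS range is the one given above, while the window floor and the sample packets (TEST-NET addresses, tcpdump -vv layout) are constructed.

```python
import re

# The MSS range comes from the comment above; the window floor is an assumed
# value, since the comment only says "abnormally small".
MSS_RANGE = (1280, 1460)
MIN_WINDOW = 1024

def parse_syn_records(dump):
    """Group tcpdump -vv output into per-packet records (header line + indented TCP line)."""
    records, current = [], []
    for line in dump.splitlines():
        if line and not line[0].isspace() and current:   # a new, unindented line starts a packet
            records.append(" ".join(current))
            current = []
        current.append(line.strip())
    if current:
        records.append(" ".join(current))
    return [r for r in records if "Flags [S]," in r]       # keep bare SYNs only

def classify(record):
    """Extract TTL, window and MSS from one record and decide whether it would be dropped."""
    src = re.search(r"(\d+\.\d+\.\d+\.\d+)\.\d+ > ", record).group(1)
    ttl = int(re.search(r"ttl (\d+)", record).group(1))
    win = int(re.search(r"win (\d+)", record).group(1))
    mss_match = re.search(r"mss (\d+)", record)
    mss = int(mss_match.group(1)) if mss_match else None
    reasons = []
    if win < MIN_WINDOW:
        reasons.append("window %d below %d" % (win, MIN_WINDOW))
    if mss is None or not MSS_RANGE[0] <= mss <= MSS_RANGE[1]:   # missing MSS is treated as out of range
        reasons.append("mss %s outside %d-%d" % (mss, MSS_RANGE[0], MSS_RANGE[1]))
    return {"src": src, "ttl": ttl, "win": win, "mss": mss, "drop": bool(reasons), "reasons": reasons}

def triage(dump):
    """Classify every SYN in a capture; TTL is kept so variability can be eyeballed."""
    return [classify(r) for r in parse_syn_records(dump)]

# Constructed sample capture: one normal client, one odd spoofed-looking SYN, one small-MSS client.
SAMPLE_DUMP = """\
12:00:01.000001 IP (tos 0x0, ttl 52, id 1, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.5.51234 > 198.51.100.7.443: Flags [S], cksum 0x1a2b (correct), seq 1, win 64240, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
12:00:01.000002 IP (tos 0x0, ttl 241, id 2, offset 0, flags [none], proto TCP (6), length 44)
    192.0.2.9.40001 > 198.51.100.7.443: Flags [S], cksum 0x3c4d (correct), seq 2, win 512, options [mss 536], length 0
12:00:01.000003 IP (tos 0x0, ttl 64, id 3, offset 0, flags [DF], proto TCP (6), length 60)
    192.0.2.10.40002 > 198.51.100.7.443: Flags [S], cksum 0x5e6f (correct), seq 3, win 65535, options [mss 1380,sackOK], length 0
"""
```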
I am having fun playing with the slow syn flood of spoofed packets someone is sending. I appreciate them sending it. I like the variability in the TCP MSS, TTL, Window sizes they are sending.
Thus far I am letting some leak through it would seem.
100 SYN received in 15.03 seconds
100 SYN-ACK returned in 3 minutes and 22.03 seconds.
Thus far 2388 requests to this confused-bots file have been let through and 3226 have been assumed to be bots.
Paramiko v4.0.0 (the latest) gets past the version string, it seems, but dies instantly on failed KEX, which is another convenient incompatibility. It does mean that even legitimate SSH bots in Python will fail though.
That is likely from performing hardening in ssh-audit [1]. The way I used to block python, Go and libssh was to use an iptables string search but that capability does not exist, at least natively, in nftables.
I guess I trigger the bot detection? All I am served with is a Rick Astley quote.
Turns out switching from Firefox mobile to Chrome mobile "fixes" this. Thanks for supporting the free and open internet.
Yeah I probably have a number of false positives from my semi-fascist nginx configuration [2]. I just use this for hobby sites and it would never be accepted as a commercially supported CDN. They do fancy detection methods whereas I just use simple hacky methods. I tend to tune things so my friends can get through and some random people may get dropped until I look at what they are sending. For what it's worth each method is entirely optional or tunable to a person's needs or fever dreams. Probably language settings.
[1] - https://mirror.newsdump.org/nginx/inc.d/30_generic_http_stuf...
Lol, I want to know what happened here:
source: https://mirror.newsdump.org/_README.txt
Years of running forums and IRC servers. That is where 99% of my moderation requirements came from even when I would try really hard to be hands off.
We don't leave any ports open anymore. Everything is behind Wireguard. No key? Your packet goes into the blackhole.
Silent by default.
That is a good idea. My example is for people that expose ssh/sftp on purpose such as a public SFTP server for sharing who knows what.
I like this, back when the xterm CVE was common you could probably 0wn any botter who was looking at their logs in xterm.
Not sure if it's down or if I've been flagged incorrectly as a bot
> The VersionAddendum will cause most poorly coded bots to hang, thus causing the botter to exclude us from their scans rather than us having to block them.
Why does this happen, wouldn't bots just ignore the version information?
That would be a "properly designed" bot and not a poorly-coded one
That pretty much sums it up. Someone writes a quick and dirty python/perl thing and all the botters use it rather than writing something around a recent ssh library. Their thing is probably faster but leaves out a lot making them easier to detect or break.
Feel free to test your SSH bots and HTTP bots against mirror.newsdump.org
[1] - https://www.ssh-audit.com/