SSH Bad Protocol Version Identification String - What is it?

  • I need some help identifying some Bad Protocol version identification errors from our server.

    We're getting the following:

    sshd[xxxx]: Bad protocol version identification '\200\342\001\003\001' from xx.xx.xx.xxxx
    

    I don't know the format that '\200\342\001\003\001' is in, so it will be great if someone could help!

  • This is octal representation (base 8). During the initial steps of an SSH connection, the client and the server send each other the version(s) of the protocol they implement, as strings. These strings must follow a specific format.

    Here, your server received from the client a "protocol version" string consisting of five bytes, of value 128, 226, 1, 3 and 1, in that order. This is not a "protocol version string" that makes sense. Probably, the client was not trying to do SSH at all, but instead some other protocol.

    A lot of viruses try to propagate automatically that way: by trying known vulnerabilities of some protocols on random IP addresses and ports. So any publicly reachable server (like your SSH server) will get that kind of noise. The best thing to do is to ignore it altogether.

    Sorry, I thought I responded to this a while ago. Thanks for the info; I've written up the report with help from this post.
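To make the answer above concrete, here is an added example (not code from the original question or answer) that takes an sshd "Bad protocol version identification" log line, turns the octal escapes back into the raw bytes the client sent, and checks them against the identification-string format from RFC 4253 section 4.2 (`SSH-protoversion-softwareversion SP comments CR LF`). The log line, the peer address `192.0.2.10` and the helper names are constructed for the example; the page only shows the quoted string and a masked address.

```python
"""Decode and classify the client string quoted by sshd in a
"Bad protocol version identification" log line (added example)."""
import re

# Constructed sample log line; the quoted string is the one from the question,
# the peer address is from the documentation range and is not from the page.
SAMPLE_LINE = r"sshd[1234]: Bad protocol version identification '\200\342\001\003\001' from 192.0.2.10"

# Captures the quoted identification string and the peer address.
LOG_RE = re.compile(
    r"Bad protocol version identification '(?P<ident>[^']*)' from (?P<peer>\S+)"
)

# One backslash escape: up to three octal digits, or a single character.
ESC_RE = re.compile(r"\\([0-7]{1,3}|.)")

# RFC 4253 4.2: SSH-protoversion-softwareversion [SP comments] CR LF
IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[0-9]+\.[0-9]+)-(?P<soft>[^ \r\n]+)( (?P<comment>[^\r\n]*))?\r?\n?$"
)


def decode_escapes(quoted: str) -> bytes:
    """Turn the escaped representation in the log back into raw bytes."""
    out = bytearray()
    pos = 0
    for m in ESC_RE.finditer(quoted):
        out += quoted[pos:m.start()].encode("latin-1")  # literal run before the escape
        tok = m.group(1)
        if tok[0] in "01234567":
            out.append(int(tok, 8))  # octal escape, e.g. \200 -> 0x80 == 128
        elif tok == "n":
            out.append(0x0A)
        elif tok == "r":
            out.append(0x0D)
        elif tok == "t":
            out.append(0x09)
        else:
            out += tok.encode("latin-1")  # \\ -> backslash, \' -> quote, ...
        pos = m.end()
    out += quoted[pos:].encode("latin-1")
    return bytes(out)


def classify_ident(raw: bytes) -> dict:
    """Check raw bytes against the RFC 4253 identification-string rules."""
    printable = all(0x20 <= b < 0x7F or b in (0x0D, 0x0A) for b in raw)
    info = {"bytes": list(raw), "printable_ascii": printable}
    if not printable:
        # An identification string is printable US-ASCII; a byte >= 0x80
        # in the first position already rules SSH out.
        info["verdict"] = "not an SSH identification string (non-ASCII bytes)"
        return info
    m = IDENT_RE.match(raw.decode("ascii"))
    if m is None:
        info["verdict"] = "ASCII text, but not 'SSH-proto-software' form"
        return info
    info["verdict"] = "valid SSH identification string"
    info["protoversion"] = m.group("proto")
    info["softwareversion"] = m.group("soft")
    return info


def analyse_log_line(line: str) -> dict:
    """Parse one sshd log line and classify the quoted client string."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not a 'Bad protocol version identification' line")
    info = classify_ident(decode_escapes(m.group("ident")))
    info["peer"] = m.group("peer")
    return info


if __name__ == "__main__":
    print(analyse_log_line(SAMPLE_LINE))
```

For the string from the question the decoder yields the bytes 128, 226, 1, 3, 1 and the classifier reports that they cannot be an SSH identification string, which is the point of the answer: the peer spoke something other than SSH. Run over a whole auth log, the `peer` and `verdict` fields give a quick count of this kind of background noise without having to read the escapes by hand.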

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM
