sshd Bad protocol version identification '\026\003\00'

Status
Not open for further replies.

isaac82

Dabbler
Joined
Nov 13, 2012
Messages
16
Hi,

Quick and to the point:

My question is, does anyone know what protocol starts '\026\003\001'? I'm guessing these are some chars, but I'm not sure what encoding.

Background if you're interested:

I've just set up my freenas for remote ssh access - mainly for sftp.

I'm behind NAT and using port forwarding on 443.
I've done this by moving the HTTPS webGUI from 443 and SSH to it (partly to be off the standard SSH port and partly to get through a work firewall).

Anyway, it's all working, and I was expecting the security logs to show some attempts to gain access, which they did. However I have one repeated log I don't quite understand:

Mar 12 22:59:36 freenas sshd[35978]: Bad protocol version identification '\026\003\001' from 192.168.0.4

I got a series of these at 22:23 and 22:59 last night. What's weird is they're from an internal IP address.

I just connected back in remotely and that IP is down - so could have been my android phone or possibly the laptop (though I'm sure this was off by at least 22:59).

Obviously my first port of call was Google and then to search this forum. But there were no helpful results I could see.

Thanks.
 

warri

Guru
Joined
Jun 6, 2011
Messages
1,193
Seems to be TLS (used in HTTPS). Maybe a browser trying to access your SSH - since it now runs on the standard HTTPS port?
 
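As an added illustration (not code from the thread), the following script decodes the octal escapes sshd's logger uses for non-printable bytes and classifies the leading bytes the way warri's reply does: 0x16 (octal \026) is the TLS handshake record type and 0x03 0x01 is the TLS 1.0 record version a ClientHello normally advertises. The first sample log line is the one from the original post; the others are constructed.

```python
import re

# Sample sshd lines: the first is from the post, the other two are constructed.
SAMPLE_LOGS = [
    "Mar 12 22:59:36 freenas sshd[35978]: Bad protocol version identification '\\026\\003\\001' from 192.168.0.4",
    "Mar 12 23:01:02 freenas sshd[35990]: Bad protocol version identification 'GET / HTTP/1.1' from 10.0.0.7",
    "Mar 12 23:02:10 freenas sshd[36001]: Bad protocol version identification '\\026\\003\\003' from 10.0.0.8",
]

LOG_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Bad protocol version identification "
    r"'(?P<ident>[^']*)' from (?P<src>\S+)"
)

TLS_HANDSHAKE = 0x16  # TLS record content type 22 = handshake (octal \026)
# TLS record-layer version bytes (major, minor) -> protocol name
TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
                (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}


def unescape_octal(s: str) -> bytes:
    """Turn the \\NNN octal escapes in the log back into the raw bytes the client sent."""
    out = bytearray()
    i = 0
    while i < len(s):
        m = re.match(r"\\([0-7]{1,3})", s[i:])
        if m:
            out.append(int(m.group(1), 8))
            i += len(m.group(0))
        else:
            out.append(ord(s[i]))
            i += 1
    return bytes(out)


def classify(first_bytes: bytes) -> str:
    """Guess which protocol a client spoke to sshd, from the first bytes of its banner."""
    if first_bytes.startswith(b"SSH-"):
        return "SSH"
    if len(first_bytes) >= 3 and first_bytes[0] == TLS_HANDSHAKE:
        ver = TLS_VERSIONS.get((first_bytes[1], first_bytes[2]))
        if ver:
            return f"TLS handshake (record version {ver})"
    if first_bytes.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD"):
        return "plaintext HTTP"
    return "unknown"


def parse_log(line: str):
    """Return {src, ident, proto} for a 'Bad protocol version identification' line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ident = unescape_octal(m.group("ident"))
    return {"src": m.group("src"), "ident": ident, "proto": classify(ident)}


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        r = parse_log(line)
        print(f"{r['src']:<14} {r['ident']!r:<22} -> {r['proto']}")
```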

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Seems to be TLS (used in HTTPS). Maybe a browser trying to access your SSH - since it now runs on the standard HTTPS port?

That was actually my first thought.
 

isaac82

Dabbler
Joined
Nov 13, 2012
Messages
16
Thanks, that makes sense. I checked again what had 192.168.0.4 when I was home and my Nexus 4 had grabbed it. Presuming the DHCP lease was renewed from last night, that suggests my phone is contacting my freenas late in the evening without my interaction. Very weird. I do have ConnectBot set up on it to talk to the nas, and the webgui in the Chrome bookmarks, but I doubt it's either of these things.

There's no jail/upnp on the freenas so I doubt it's a result of any discovery stuff.

Anyone have any ideas? It worries me more than the expected access attempts from external IPs.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
I'd say if you really want to know the cause you should see how you can trace connections on Android. There is so much stuff that goes on in the background of OSes these days I'm not sure any of us would even have a good guess.
 

isaac82

Dabbler
Joined
Nov 13, 2012
Messages
16
Thanks, I'll have a look for some Android Wireshark-type app.
 

ProtoSD

MVP
Joined
Jul 1, 2011
Messages
3,348
Thanks, I'll have a look for some Android Wireshark-type app.

There is a Wireshark app for Android, it's just called "Shark", but apparently it really sucks. Just run Wireshark on another computer on your LAN and you should still see the same traffic.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
There is a Wireshark app for Android, it's just called "Shark", but apparently it really sucks. Just run Wireshark on another computer on your LAN and you should still see the same traffic.

I think that will only work if the data actually is passed to your computer. For switches the packets are only forwarded to the target machine's IP ethernet port. If you are using a hub in this day and age you are crazy! The only exception would be broadcast packets, which would then go to all machines. So you'd have to sniff directly in series with the path of traffic or use a network hub.

For instance, when I used to play Everquest there was a hack called ShowEQ. It ran on a separate machine from the game that would sniff the traffic going to/from the machine playing the game. The only 2 ways to get any results were to connect the 2 machines in series (through the machine running ShowEQ to the Everquest machine) or use a network hub. No switches would work because the switch would pass the traffic only to the target machine. Of course, back in 1999-2002 or so some hubs were erroneously sold as switches (which was complete BS because the only way to know if you bought a real switch or hub was to test it) and companies got away with it.
 

isaac82

Dabbler
Joined
Nov 13, 2012
Messages
16
Yeah, my freenas is on the same switch as my wifi - which my mobile obviously uses. My only LAN connected PC is on another switch and probably won't see anything. I could run something like tcpdump on the freenas, but I already know it's being hit on 443 by my phone. I'm hoping that if I run something like tPacketCapture on the nexus I might actually be able to see what app is doing it, or at least if it's just the freenas being hit or if my whole network is.

I sort of doubt it is a virus or intrusion, much more likely some random feature.

I'm half tempted to put ssh on some random high port and the webgui back on 443 - I only did it like this to get round my work firewall and to be honest I could just use my phone's net connection and ConnectBot if I ever need to access it from here.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Yeah, my freenas is on the same switch as my wifi - which my mobile obviously uses. My only LAN connected PC is on another switch and probably won't see anything. I could run something like tcpdump on the freenas, but I already know it's being hit on 443 by my phone. I'm hoping that if I run something like tPacketCapture on the nexus I might actually be able to see what app is doing it, or at least if it's just the freenas being hit or if my whole network is.

I sort of doubt it is a virus or intrusion, much more likely some random feature.

I'm half tempted to put ssh on some random high port and the webgui back on 443 - I only did it like this to get round my work firewall and to be honest I could just use my phone's net connection and ConnectBot if I ever need to access it from here.

I turn my phone into a wifi hotspot and VPN through with my laptop to my home network. Then I have no open ports to worry about. Also you can just use OpenVPN on your phone itself to get onto your home network.

I tend to agree with you, that reusing 443 for your SSH is sneaky, and works, but I don't think I'd recommend it for the long term. What happens if/when a packet from somewhere tries to establish an HTTPS connection and that somehow causes SSH to crash? Then you're stuck because you can't log in remotely.
 