• SSH

    From Mortifis@1:103/705 to All on Tue Jan 29 08:19:47 2019
    I recently configured for SSH and have been seeing a lot of Terminal Log entries similar to this:

    1/29 08:14:23a 1372 SSH connection accepted from: <edited ip> port 41408
    1/29 08:14:25a 1372 SSH WARNING 'Client sent malformed identifier string 'SSH-2.0-Go'' (-32) setting session active from bbs_thread
    1/29 08:14:25a 1372 SSH session establishment failed
    1/29 08:15:18a 1496 SSH connection accepted from: <edited ip> port 51420
    1/29 08:15:20a 1496 SSH active channel 'direct-tcpip' is not 'session', disconnecting.
    1/29 08:15:20a 1496 SSH session establishment failed

    is that a client issue, or perhaps a mis-configuration issue?

    ---
    ■ Synchronet ■ AlleyCat! BBS - http://alleycat.synchro.net:81
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From mark lewis@1:3634/12.73 to Mortifis on Tue Jan 29 08:05:36 2019

    On 2019 Jan 29 08:19:46, you wrote to All:

    1/29 08:15:18a 1496 SSH connection accepted from: <edited ip> port 51420
    1/29 08:15:20a 1496 SSH active channel 'direct-tcpip' is not 'session', disconnecting.
    1/29 08:15:20a 1496 SSH session establishment failed

    is that a client issue, or perhaps a mis-configuration issue?

    is this a legit random connection or something you are specifically testing? i see similar ones here and they've all been skiddies trying to get in...

    )\/(ark

    Always Mount a Scratch Monkey
    Do you manage your own servers? If you are not running an IDS/IPS yer doin' it wrong...
    ... Even Murphy's Law doesn't work all the time.
    ---
    * Origin: (1:3634/12.73)
  • From Mortifis@1:103/705 to mark lewis on Tue Jan 29 10:05:51 2019
    On 2019 Jan 29 08:19:46, you wrote to All:

    1/29 08:15:18a 1496 SSH connection accepted from: <edited ip> port 51420
    1/29 08:15:20a 1496 SSH active channel 'direct-tcpip' is not 'session', disconnecting.
    1/29 08:15:20a 1496 SSH session establishment failed

    is that a client issue, or perhaps a mis-configuration issue?

    is this a legit random connection or something you are specifically
    testing?
    i see similar ones here and they've all been skiddies trying to get in...

    Not sure if they are legit or bots, I'll assume they are bots, but if someone could try to SSH alleycat.synchro.net and let me know if the connection is successful or not, I'd appreciate it.

    ---
    ■ Synchronet ■ AlleyCat! BBS - http://alleycat.synchro.net:81
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From poindexter FORTRAN@1:103/705 to mark lewis on Tue Jan 29 06:37:40 2019
    Re: SSH
    By: mark lewis to Mortifis on Tue Jan 29 2019 08:05 am

    is this a legit random connection or something you are specifically testing? i see similar ones here and they've all been skiddies trying to get in...

    "Skiddies". Love it.

    ---
    ■ Synchronet ■ realitycheckBBS -- http://realitycheckBBS.org
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From echicken@1:103/705 to Mortifis on Tue Jan 29 11:35:48 2019
    Re: SSH
    By: Mortifis to All on Tue Jan 29 2019 08:19:47

    'SSH-2.0-Go'' (-32) setting session active from bbs_thread

    That comes from an SSH library for Go. Could be someone trying their SSH client, more likely they're trying to automate some hack.

    is that a client issue, or perhaps a mis-configuration issue?

    Very likely a client issue, especially if your server is working with other known-good SSH clients.

    ---
    echicken
    electronic chicken bbs - bbs.electronicchicken.com - 416-425-5435
    ■ Synchronet ■ electronic chicken bbs - bbs.electronicchicken.com
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Mortifis@1:103/705 to echicken on Tue Jan 29 14:07:27 2019
    Re: SSH
    By: Mortifis to All on Tue Jan 29 2019 08:19:47

    'SSH-2.0-Go'' (-32) setting session active from bbs_thread

    That comes from an SSH library for Go. Could be someone trying their SSH client, more likely they're trying to automate some hack.

    is that a client issue, or perhaps a mis-configuration issue?

    Very likely a client issue, especially if your server is working with other known-good SSH clients.

    I'm not entirely sure, it works when I use Syncterm locally. I'll just assume it's a hack attempt and be happy knowing you Devs are very security minded when
    you code SBBS services, etc :-)

    Thanks

    ---
    ■ Synchronet ■ AlleyCat! BBS - http://alleycat.synchro.net:81
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Retro Guy@1:103/705 to Mortifis on Tue Jan 29 13:47:59 2019
    Re: SSH
    By: Mortifis to All on Tue Jan 29 2019 08:19 am

    I recently configured for SSH and have been seeing a lot of Terminal Log entries similar to this:

    1/29 08:14:23a 1372 SSH connection accepted from: <edited ip> port 41408
    1/29 08:14:25a 1372 SSH WARNING 'Client sent malformed identifier string 'SSH-2.0-Go'' (-32) setting session active from bbs_thread
    1/29 08:14:25a 1372 SSH session establishment failed
    1/29 08:15:18a 1496 SSH connection accepted from: <edited ip> port 51420
    1/29 08:15:20a 1496 SSH active channel 'direct-tcpip' is not 'session', disconnecting.
    1/29 08:15:20a 1496 SSH session establishment failed

    is that a client issue, or perhaps a mis-configuration issue?

    This just looks like connections trying your ssh port looking for holes (portscan of sorts). They're being disconnected so it looks like everything is working properly. I'd expect to see connection attempts at most every common port all day long that go nowhere.

    I'm assuming you are able to SSH in.

    Retro Guy

    ---
    ■ Synchronet ■ RetroBBS - bbs.rocksolidbbs.com
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Mortifis@1:103/705 to Retro Guy on Tue Jan 29 16:14:07 2019
    Re: SSH
    By: Mortifis to All on Tue Jan 29 2019 08:19 am

    I recently configured for SSH and have been seeing a lot of Terminal Log entries similar to this:

    1/29 08:14:23a 1372 SSH connection accepted from: <edited ip> port 41408
    1/29 08:14:25a 1372 SSH WARNING 'Client sent malformed identifier string 'SSH-2.0-Go'' (-32) setting session active from bbs_thread
    1/29 08:14:25a 1372 SSH session establishment failed
    1/29 08:15:18a 1496 SSH connection accepted from: <edited ip> port 51420
    1/29 08:15:20a 1496 SSH active channel 'direct-tcpip' is not 'session', disconnecting.
    1/29 08:15:20a 1496 SSH session establishment failed

    is that a client issue, or perhaps a mis-configuration issue?

    This just looks like connections trying your ssh port looking for holes (portscan of sorts). They're being disconnected so it looks like everything is working properly. I'd expect to see connection attempts at most every common port all day long that go nowhere.


    Yep, been watching port scanners, hack attempts and bots on all open ports for decades :-/

    I'm assuming you are able to SSH in.

    Yes, but I am doing it within the LAN, so ...

    ---
    ■ Synchronet ■ AlleyCat! BBS - http://alleycat.synchro.net:81
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Digital Man@1:103/705 to Mortifis on Tue Jan 29 14:45:09 2019
    Re: SSH
    By: Mortifis to All on Tue Jan 29 2019 08:19 am

    I recently configured for SSH and have been seeing a lot of Terminal Log entries similar to this:

    1/29 08:14:23a 1372 SSH connection accepted from: <edited ip> port 41408
    1/29 08:14:25a 1372 SSH WARNING 'Client sent malformed identifier string 'SSH-2.0-Go'' (-32) setting session active from bbs_thread
    1/29 08:14:25a 1372 SSH session establishment failed
    1/29 08:15:18a 1496 SSH connection accepted from: <edited ip> port 51420
    1/29 08:15:20a 1496 SSH active channel 'direct-tcpip' is not 'session', disconnecting.
    1/29 08:15:20a 1496 SSH session establishment failed

    is that a client issue, or perhaps a mis-configuration issue?

    It's an attack script written in "Go" (the programming language by Google).

    digital man

    Synchronet "Real Fact" #61:
    How to get Synchronet technical support: http://wiki.synchro.net/howto:support
    Norco, CA WX: 70.0°F, 44.0% humidity, 4 mph E wind, 0.00 inches rain/24hrs
    --- SBBSecho 3.06-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Retro Guy@1:103/705 to All on Wed Jan 30 03:24:15 2019
    On Tue, 29 Jan 2019 10:05:51 -0400
    "Mortifis" <mortifis@VERT/ALLEYCAT> wrote:

    On 2019 Jan 29 08:19:46, you wrote to All:

    1/29 08:15:18a 1496 SSH connection accepted from: <edited port 51420
    1/29 08:15:20a 1496 SSH active channel 'direct-tcpip' is not 'session', disconnecting.
    1/29 08:15:20a 1496 SSH session establishment failed

    is that a client issue, or perhaps a mis-configuration issue?

    is this a legit random connection or something you are
    specifically testing? i see similar ones here and they've all
    been skiddies trying to get in...

    Not sure if they are legit or bots, I'll assume they are bots, but if
    someone could try to SSH alleycat.synchro.net and let me know if the connection is successful or not, I'd appreciate it.

    It just worked fine for me. Made it to your synchronet login.

    ---
    ■ Synchronet ■ RetroBBS - bbs.rocksolidbbs.com
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Mortifis@1:103/705 to Retro Guy on Wed Jan 30 11:34:10 2019
    On Tue, 29 Jan 2019 10:05:51 -0400
    "Mortifis" <mortifis@VERT/ALLEYCAT> wrote:

    On 2019 Jan 29 08:19:46, you wrote to All:

    Not sure if they are legit or bots, I'll assume they are bots, but if someone could try to SSH alleycat.synchro.net and let me know if the connection is successful or not, I'd appreciate it.

    It just worked fine for me. Made it to your synchronet login.

    Thank you for checking. It turns out to be a hack script written in Google-Go.
    All of the various port scanners and hack bots are slowing my system down for legit connections. I ended up disabling ActiveUser (which is legit) because I was getting queries from dozens of systems every second!

    ---
    ■ Synchronet ■ AlleyCat! BBS - http://alleycat.synchro.net:81
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
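
An added example, not part of any post in this thread and not Synchronet code: a small Python triage of the Terminal Log lines quoted in the first post, which groups entries per connection and labels why each SSH session was refused. The function name `triage`, the reason labels, and the reading of the number after the timestamp as a per-connection identifier are assumptions made for this example.

```python
import re

# Log lines as quoted in the first post (the address was already redacted there).
SAMPLE_LOG = """\
1/29 08:14:23a 1372 SSH connection accepted from: <edited ip> port 41408
1/29 08:14:25a 1372 SSH WARNING 'Client sent malformed identifier string 'SSH-2.0-Go'' (-32) setting session active from bbs_thread
1/29 08:14:25a 1372 SSH session establishment failed
1/29 08:15:18a 1496 SSH connection accepted from: <edited ip> port 51420
1/29 08:15:20a 1496 SSH active channel 'direct-tcpip' is not 'session', disconnecting.
1/29 08:15:20a 1496 SSH session establishment failed
"""

# Assumption: the number after the timestamp identifies one connection and may be reused later.
LINE = re.compile(r"^(?P<date>\d+/\d+) (?P<time>[\d:]+[ap]) (?P<conn>\d+) SSH (?P<msg>.*)$")
ACCEPTED = re.compile(r"connection accepted from: (?P<src>.+) port (?P<port>\d+)$")
# The client's version banner that the server refused to parse.
BANNER = re.compile(r"malformed identifier string '(?P<banner>[^']+)'")
# 'direct-tcpip' is the SSH channel type for TCP forwarding (RFC 4254), not a login shell.
CHANNEL = re.compile(r"active channel '(?P<chan>[^']+)' is not 'session'")


def triage(log_text):
    """Return one summary dict per accepted connection, in log order."""
    records, current = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an SSH terminal-log line
        conn, msg = m["conn"], m["msg"]
        accepted = ACCEPTED.search(msg)
        if accepted or conn not in current:
            # A fresh "accepted" line starts a new record even if the identifier was seen before.
            current[conn] = {"conn": conn, "src": None, "port": None, "reason": None, "detail": None, "failed": False}
            records.append(current[conn])
        rec = current[conn]
        if accepted:
            rec["src"], rec["port"] = accepted["src"], int(accepted["port"])
        elif (b := BANNER.search(msg)):
            rec["reason"], rec["detail"] = "rejected-client-banner", b["banner"]
        elif (c := CHANNEL.search(msg)):
            rec["reason"], rec["detail"] = "non-session-channel", c["chan"]
        elif msg.startswith("session establishment failed"):
            rec["failed"] = True
    return records


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec)
```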