A DNS over TCP client can be emulated with dig(1) like so (we explicitly use port 22, as the domain port might not be translated on the box itself):
dig @example.org -p22 +tcp example.org
Or like so:
dig @example.org -p22 axfr example.org
And it appears to result in the following entries at /var/log/authlog:
Jan 10 15:08:41 example sshd[21075]: Did not receive identification string from 64.124.xxx.xx
Jan 10 15:08:51 example sshd[22052]: Did not receive identification string from 64.124.xxx.xx
Jan 10 15:09:01 example sshd[24980]: Did not receive identification string from 64.124.xxx.xx
Whereas https,
curl https://example.org:22/
appears to result in the following entry (although the number of entries per attempt appears to differ with different browsers):
Jan 10 15:25:06 example sshd[9203]: Bad protocol version identification '\\026\\003\\001' from 64.124.xxx.xx
It appears that some HTTPS connection attempts also end with one fewer character:
Bad protocol version identification '\\026\\003' from
We can determine all other possible variations:
% fgrep " sshd[" /var/log/authlog | cut -d" " -f7-12 | grep ^Bad | sort | uniq -c | sort -rn | head
351 Bad protocol version identification '\\026\\003\\001' from
110 Bad protocol version identification '\\026\\003\\001\\001E\\001' from
91 Bad protocol version identification '\\026\\003\\002' from
63 Bad protocol version identification '\\026\\003\\001\\001=\\001' from
52 Bad protocol version identification '\\026\\003\\001\\002' from
44 Bad protocol version identification '\\026\\003\\003' from
21 Bad protocol version identification '\\026\\003\\001\\001?\\001' from
16 Bad protocol version identification '\\026\\003\\001\\001B\\001' from
13 Bad protocol version identification '\\026\\003\\001\\0017\\001' from
10 Bad protocol version identification '\\026\\003' from
We can also see a possible number of domain requests:
% fgrep " sshd[" /var/log/authlog | cut -d" " -f7-12 | grep ^Did | sort | uniq -c
227 Did not receive identification string from
domain and https ports, as listed in /etc/services, this being the reason why the questioner is interested in recognizing such traffic from logs.
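The fgrep/cut/uniq pipeline above counts the raw log strings; the script below, an added example and not part of the original answer or of OpenSSH, goes one step further and decodes them. sshd escapes non-printable bytes as octal \NNN (the quoted lines show the backslashes doubled, so the decoder accepts both \NNN and \\NNN), and the decoded bytes tell you what hit the port: 0x16 0x03 0xNN is a TLS handshake record whose third byte gives the record-layer version (TLS 1.0/1.1/1.2), while an entry that stops after 0x16 0x03 is consistent with a 0x00 third byte (SSL 3.0) ending the C string sshd formats, which is an inference, not something the log states. The log lines and addresses are constructed to resemble the entries quoted above; the category names and the LINE_RE layout are this example's own choices.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the entries quoted in the answer above.
# Addresses, PIDs and timestamps are invented, not taken from any real host.
# Most lines keep the doubled backslashes as shown on the page; one uses the
# single form sshd itself writes, to show that both are decoded.
SAMPLE_AUTHLOG = r"""
Jan 10 15:08:41 example sshd[21075]: Did not receive identification string from 192.0.2.10
Jan 10 15:08:51 example sshd[22052]: Did not receive identification string from 192.0.2.10
Jan 10 15:25:06 example sshd[9203]: Bad protocol version identification '\\026\\003\\001' from 192.0.2.10
Jan 10 15:26:10 example sshd[9310]: Bad protocol version identification '\\026\\003\\001\\001E\\001' from 192.0.2.11
Jan 10 15:27:00 example sshd[9401]: Bad protocol version identification '\026\003\003' from 192.0.2.11
Jan 10 15:27:30 example sshd[9455]: Bad protocol version identification '\\026\\003' from 192.0.2.12
Jan 10 15:28:00 example sshd[9500]: Bad protocol version identification 'GET / HTTP/1.1' from 192.0.2.13
Jan 10 15:29:00 example sshd[9600]: Accepted publickey for alice from 198.51.100.5 port 51000 ssh2
"""

# Only the two sshd messages the answer is about; everything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?:(?P<noident>Did not receive identification string)"
    r"|Bad protocol version identification '(?P<banner>[^']*)')"
    r" from (?P<ip>\S+)"
)

# \NNN as written by sshd's vis(3)-style escaping, or \\NNN as it appears above.
OCTAL_RE = re.compile(r"\\{1,2}([0-7]{3})")

# TLS record-layer version field (bytes 2-3 of the record header).
TLS_RECORD_VERSIONS = {
    0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2",
}


def unvis(s):
    """Turn the escaped banner text from the log back into the raw bytes sshd read."""
    out = bytearray()
    i = 0
    while i < len(s):
        m = OCTAL_RE.match(s, i)
        if m:
            out.append(int(m.group(1), 8))
            i = m.end()
        else:
            out.append(ord(s[i]))
            i += 1
    return bytes(out)


def classify(banner):
    """Name what the client most likely sent, given the decoded banner (None = nothing)."""
    if banner is None:
        # sshd never saw a newline-terminated line before the client went away:
        # e.g. a length-prefixed DNS-over-TCP query, or a connect-only scan.
        return "no identification string"
    raw = unvis(banner)
    if raw[:1] == b"\x16":
        # 0x16 = TLS handshake record; next two bytes are the record version.
        if len(raw) >= 3:
            ver = (raw[1] << 8) | raw[2]
            label = TLS_RECORD_VERSIONS.get(ver, "0x%04x" % ver)
            return "TLS ClientHello (%s record)" % label
        # Two bytes only: the logged text is a C string, so a 0x00 third byte
        # (version 0x0300 = SSL 3.0) would end it exactly here. An inference.
        return "TLS ClientHello (truncated, probably SSL 3.0 record)"
    if re.match(rb"^(GET|POST|HEAD|PUT|OPTIONS) /", raw):
        return "plaintext HTTP request"
    return "other"


def summarize(log_text):
    """Count the non-SSH connections sshd logged, per category and per (source, category)."""
    per_category = Counter()
    per_source = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ordinary sshd traffic (logins, disconnects) is not of interest here
        category = classify(None if m.group("noident") else m.group("banner"))
        per_category[category] += 1
        per_source[(m.group("ip"), category)] += 1
    return per_category, per_source


if __name__ == "__main__":
    cats, sources = summarize(SAMPLE_AUTHLOG)
    for cat, n in cats.most_common():
        print("%4d %s" % (n, cat))
    for (ip, cat), n in sorted(sources.items()):
        print("%4d %-15s %s" % (n, ip, cat))
```

Run it against a real file with `summarize(open("/var/log/authlog").read())`; the per-source counter is what you would feed a blocklist or a rate limit from, since the same address appearing under both "no identification string" and a TLS category is the signature of a scanner walking the translated ports.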