Confuse some SSH bots and make botters block you | Not Hacker News!

Confuse Some SSH Bots and Make Botters Block You

Posted25 days agoActive18 days ago

48 points

19 comments

mirror.newsdump.orgSecuritystory

informativeneutral

Debate

40/100

SSH SecurityBotnet MitigationData_security

Key topics

SSH Security

Botnet Mitigation

Data_security

A clever tactic to deter SSH bots involves deliberately introducing incompatibilities that cause them to hang or crash, effectively excluding the server from future scans. Commenters chimed in with their experiences, noting that Paramiko v4.0.0 can bypass the initial version string check but fails on the key exchange, while others pointed out that a "properly designed" bot wouldn't be fooled by such tactics. The discussion highlights the cat-and-mouse game between server administrators and bot operators, with some advocating for a more straightforward approach like hiding SSH behind Wireguard. As it turns out, this tactic can be so effective that it even confused some legitimate users, with one commenter being served a Rick Astley quote instead of the expected content.

Snapshot generated from the HN discussion

Discussion Activity

Very active discussion

First comment

37m

Peak period

22

120-132h

Avg / period

6.4

Comment distribution32 data points

Loading chart...

Based on 32 loaded comments

Key moments

01Story posted
Dec 11, 2025 at 2:11 PM EST
25 days ago
Step 01
02First comment
Dec 11, 2025 at 2:48 PM EST
37m after posting
Step 02
03Peak activity
22 comments in 120-132h
Hottest window of the conversation
Step 03
04Latest activity
Dec 18, 2025 at 12:37 PM EST
18 days ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (19 comments)

Showing 32 comments

BenderAuthor

25 days ago

2 replies

Feel free to test your SSH bots and HTTP bots against mirror.newsdump.org

20 days ago

1 reply

Paramiko v4.0.0 (the latest) gets past the version string, it seems, but dies instantly on failed KEX, which is another convenient incompatibility. It does mean that even legitimate SSH bots in Python will fail though.

BenderAuthor

20 days ago

That is likely from performing hardening in ssh-audit [1]. The way I used to block python, Go and libssh was to use a iptables string search but that capability does not exist at least natively in nftables.

[1] - https://www.ssh-audit.com/

BenderAuthor

20 days ago

1 reply

I am having fun playing with the slow syn flood of spoofed packets someone is sending. I appreciate them sending it. I like the variability in the TCP MSS, TTL, Window sizes they are sending.

Thus far I am letting some leak through.

    100 SYN received in 15.03 seconds

    100 SYN-ACK returned in 3 minutes and 22.03 seconds.

BenderAuthor

19 days ago

1 reply

Eventually ran out of things to play with. Actions taken:

- Blackhole routed a few ASN's / data-centers. It's all spoofed packets but good to block data-centers regardless so we are not sending them syn-ack (good hygiene).

- Added a temporary rule when we encounter a syn-flood. [1]

End result: Input 20 packets in 17 seconds, Output syn-ack reply 20 packets in 4 minutes and 44 seconds. That should translate to an acceptable amount of syn-ack if we were actually attacked some day.

Impact: Before, we sent more syn-ack then I would have liked but there was overall no impact to Nginx as we use the "deferred" socket option [2]. Now we send far fewer syn-ack packets for good internet hygiene. Thank-you to the person using the syn flood tool.

[1] - https://mirror.newsdump.org/nftables.txt

[2] - https://mirror.newsdump.org/nginx/http.d/11_bad_sni.conf.txt

BenderAuthor

18 days ago

On a funny side note, it seems that after blocking ASN's I ended up finding by coincidence this list of ASN's that are related in some way to StormWall [1]. Curious what that means.

[1] - https://bgp.tools/as-set/RIPE::as-stormwall-set#reverse

20 days ago

2 replies

Not sure if it's down or if I've been flagged incorrectly as a bot

    Safari can't open the page "https://mirror.newsdump.org/confuse-some-ssh-bots.html" because Safari can't connect to the server "mirror.newsdump.org".

BenderAuthor

20 days ago

I've never tested Safari to ensure it sends all the common headers sent by Chrome and Firefox. Does Safari send for example the assorted "HTTP_SEC_FETCH" headers [1]? Or if the TCP Window size is abnormally small I block those too but people rarely reduce their buffer sizes.

[1] - https://www.whatsmyip.org/more-info-about-you/

18 days ago

Same

20 days ago

1 reply

> The VersionAddendum will cause most poorly coded bots to hang, thus causing the botter to exclude us from their scans rather than us having to block them.

Why does this happen, wouldn't bots just ignore the version information?

20 days ago

1 reply

That would be a "properly designed" bot and not a poorly-coded one

BenderAuthor

20 days ago

That pretty much sums it up. Someone writes a quick and dirty python/perl thing and all the botters use it rather than writing something around a recent ssh library. Their thing is probably faster but leaves out a lot making them easier to detect or break.

20 days ago

2 replies

We don't leave any ports open anymore. Everything is behind Wireguard. No key? Your packet goes into the blackhole.

Silent by default.

19 days ago

1 reply

be sure to add iptables to drop packets if there's no back and forth exchange of data, then you're good2go as fake/wrong keys don't use resources to determine if a key is legit or not. not that big of a deal and wg just doesn't reply anyways

And good choice on the wireguard only, only issue I had is devops/testing things and not being connected to the wireguard because I'd be connected to another wireguard and couldn't ssh in to the server.

WireGuard _all_ of the things

19 days ago

> add iptables to drop packets if there's no back and forth exchange of data, then you're good2go as fake/wrong keys don't use resources to determine if a key is legit or not.

How does an initial connection work in that scheme?

Seems like a pretty big footgun for questionable benefit, since a main benefit of Wireguard is that it’s very lean in terms of resources.

BenderAuthor

20 days ago

That is a good idea. My example is for people that expose ssh/sftp on purpose such as a public SFTP server for sharing who knows what.

20 days ago

1 reply

I guess I trigger the bot detection? All I am served with is a Rick Astley quote.

Turns out switching from Firefox mobile to Chrome mobile "fixes" this. Thanks for supporting the free and open internet.

BenderAuthor

20 days ago

1 reply

[delayed]

18 days ago

1 reply

This is a terrible idea.

BenderAuthor

18 days ago

Many of the things I do are terrible ideas. That is half the reason I keep doing them.

The goal here is to show people some of the things that can be done not that they should do them. It's up to each person to experiment and determine what tickles their fancy.

20 days ago

1 reply

I like this, back when the xterm CVE was common you could probably 0wn any botter who was looking at their logs in xterm.

BenderAuthor

18 days ago

On a related note that is still a risk today on any site that allows CSS with copy and paste. [1]

[1] - https://thejh.net/misc/website-terminal-copy-paste

20 days ago

1 reply

Lol, I want to know what happened here:

  Eventually I blocked Brazil since I always
  block them via accept-language in nginx and haproxy anyway.
  For reasons I will never understand most people in Brazil
  can not and/or will not read or follow even the
  simplest instructions. This has been the case since BR was
  connected to the internet.

source: https://mirror.newsdump.org/_README.txt

BenderAuthor

20 days ago

[delayed]

20 days ago

1 reply

Interesting bit here. How would this render the firewall useless?

  # greater than 1 is a vulnerability by design used by TLA phishers rendering every firewall useless.
  # beware of fakademic mid-wits that parrot things they do not understand.
  MaxSessions    1

BenderAuthor

20 days ago

1 reply

If I can get you to run a script meaning I was phishing and someone on your email alias ran it to "help me debug my new script" then I can drop a tiny obfuscated shell script that will execute when you log in. No sudo, no root. Your machine will ssh out to a node I control using gateway ports. I then ssh into your node using a key I dropped and then piggy-back on your multiplexed connection to your development or production data-center making use of a connection that you already authenticated to and already used MFA/2FA. In most cases there will be no logs to gather and the security team will see my connection as you. No hacking tools required.

It's only a risk if someone on your team runs the script.

19 days ago

1 reply

Sorry, but this is hard to parse: Is your main objection to it that it can obfuscate login activity since many systems track login/connection events at the sshd level and are oblivious to SSH multiplexing?

I personally find it extremely useful when working with servers more than 100ms or so away in many contexts, and even closer if the workflow requires making many short-lived connections.

BenderAuthor

19 days ago

Is your main objection to it that it can obfuscate login activity since many systems track login/connection events at the sshd level and are oblivious to SSH multiplexing?

No, it means anyone that can get your team to execute a script can log in as you in any data-center you have authenticated to regardless of multi-factor authentication without using credentials. It means firewalls do not exist, CVE's not required and credentials are not required.

I personally find it extremely useful

Absolutely, not using credentials and riding the existing channels will always be faster. Removing authentication requirements will always reduce friction.

19 days ago

1 reply

Can't access this site

BenderAuthor

19 days ago

I may have broke something for a bit. Maybe it will work now. That reminds me, I should make a fake green status sub-domain page.

20 days ago

I love this, I remember running a tarpit on port 22 on a spare VM at an old job of mine. Was entertaining to tie up all those scanners and be a pest to their runners.

The extremely large banner in this example is hilarious.

19 days ago

I can't load the page (Firefox mobile on android)

View full discussion on Hacker News

ID: 46235750Type: storyLast synced: 12/16/2025, 11:20:33 PM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Open link View on HN