Michiel van Es wrote...
I have noticed that my Ngircd daemon shuts down whenever a client or an ip makes a connection to my port and sends a bogus SSL handshake:
That doesn't look good ...
Mar 29 03:42:06 mail ngircd[29098]: SSL protocol error: SSL_accept (error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol)
Mar 29 03:43:06 mail ngircd[29098]: Server going down NOW!
There are exactly 60 seconds between the failed handshake and ngircd shutting down. That's no coincidence I'm sure. So, referring to your other mail, I'd play with the IdleTimeout setting to see if there's a pattern.
Even more interesting was to see the actual incoming data, so please try tcpdump if it's still happening.
This continues all during the night and I notice that the connection is coming from Japan (if the IP is not spoofed or a Tor endpoint):
Given the nature of TCP, spoofing the IP requires way more technology than any (assumed) Joe R. Intruder has available. However, I don't see much sense in making the address public: This still might be an innocent bystander who doesn't deserve it. And if it's an attack aimed at you, you shouldn't give that detailed public feedback.
my 2¢,
Christoph
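An added example, not part of the thread above and not ngircd's or OpenSSL's own code: once the incoming data has been captured with tcpdump as Christoph suggests, the first bytes of each connection tell you whether the client spoke TLS at all. OpenSSL's SSL23_GET_CLIENT_HELLO reports "unknown protocol" when the opening bytes match neither an SSLv2-style hello nor an SSLv3/TLS record header (it reports plaintext HTTP requests separately). The classifier below applies those checks; the sample connections, IP addresses and truncated hello bytes are constructed for the example.

```python
"""Classify the first bytes a client sends to a TLS listener.

Added example for the ngircd "SSL23_GET_CLIENT_HELLO:unknown protocol" log line.
The checks mirror what OpenSSL's SSLv23 server code looks at before it decides
which protocol the client is speaking; the sample data below is constructed.
"""
from collections import Counter


def classify_client_hello(data: bytes) -> str:
    """Return what the opening bytes on a TLS port look like.

    'tls_client_hello'    SSLv3/TLS record: content type 0x16 (handshake),
                          version 3.x, first handshake message type 1
    'tls_handshake_other' handshake record whose first message is not a
                          ClientHello (or too short to tell)
    'sslv2_client_hello'  SSLv2-compatible hello: 2-byte length header with
                          the high bit set, then message type 1
    'http'                plaintext HTTP request (OpenSSL reports these as
                          "http request" / "https proxy request" instead)
    'unknown'             anything else; this is OpenSSL's "unknown protocol"
    """
    if len(data) < 3:
        return "unknown"
    # SSLv3/TLS record layer: ContentType(1) Version(2) Length(2), then the
    # handshake header whose first byte is the HandshakeType.
    if data[0] == 0x16 and data[1] == 0x03:
        if len(data) >= 6 and data[5] == 0x01:
            return "tls_client_hello"
        return "tls_handshake_other"
    # SSLv2 record: high bit of the first byte set means a 2-byte length
    # header; the message type follows and 1 is CLIENT-HELLO.
    if data[0] & 0x80 and data[2] == 0x01:
        return "sslv2_client_hello"
    for verb in (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT "):
        if data.startswith(verb):
            return "http"
    return "unknown"


def summarize(connections) -> Counter:
    """Count (source, classification) pairs for a list of (src, first_bytes)."""
    return Counter((src, classify_client_hello(first)) for src, first in connections)


# Constructed samples: truncated TLS 1.0 ClientHello, SSLv2 hello, a plaintext
# IRC command and an HTTP request, as they might be pulled from a tcpdump capture.
TLS_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
SSLV2_HELLO = b"\x80\x2e\x01\x00\x02\x00\x15\x00\x00\x00\x10"
PLAIN_IRC = b"NICK bot\r\n"
HTTP_REQ = b"GET / HTTP/1.0\r\n\r\n"

# Constructed connection list; 203.0.113.5 and 198.51.100.7 are documentation addresses.
SAMPLE_CONNECTIONS = [
    ("198.51.100.7", TLS_HELLO),
    ("203.0.113.5", PLAIN_IRC),
    ("203.0.113.5", b"\x00\x00\x00\x00"),
    ("203.0.113.5", HTTP_REQ),
    ("198.51.100.7", SSLV2_HELLO),
]

if __name__ == "__main__":
    for (src, kind), n in sorted(summarize(SAMPLE_CONNECTIONS).items()):
        print(f"{src:16} {kind:22} {n}")
```

To feed it real data, capture the listener's traffic first, e.g. `tcpdump -i eth0 -s0 -w ngircd.pcap 'tcp dst port 6697'` (6697 assumed here as the TLS port; use whatever ngircd is configured to listen on), then extract the first payload bytes of each connection from the pcap. A client whose first bytes classify as "unknown" is what produced the log line in the thread; whether that alone should take the daemon down 60 seconds later is the separate question Christoph raises.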