On 03/29/2014 06:46 PM, Christoph Biedl wrote:
Michiel van Es wrote...
I have noticed that my Ngircd daemon shuts down whenever a client or an ip makes a connection to my port and sends a bogus SSL handshake:
That doesn't look good ...
Mar 29 03:42:06 mail ngircd[29098]: SSL protocol error: SSL_accept (error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol)
Mar 29 03:43:06 mail ngircd[29098]: Server going down NOW!
There are exactly 60 seconds between the failed handshake and ngircd shutting down. That's no coincidence I'm sure. So, referring to your other mail, I'd play with the IdleTimeout setting to see if there's a pattern.
Ok, will do.
Even more interesting was to see the actual incoming data, so please try tcpdump if it's still happening.
I think it is a plain IRC connect against my SSL Ngircd, which drops the connection.
This continues all during the night and I notice that the connection is coming from Japan (if the IP is not spoofed or a Tor endpoint):
Given the nature of TCP, spoofing the IP requires way more technology than any (assumed) Joe R. Intruder has available. However, I don't see much sense in making the address public: This still might be an innocent bystander who doesn't deserve it. And if it's an attack aimed at you, you shouldn't give that detailed public feedback.
An innocent bystander using my IRC server sounds like a contradiction - I have never accidentally accessed a specific IRC server (unless I might be infected by malware), I know who can access my server and from where ;) Nevertheless it does not seem related to my shutdowns, I guess the IdleTimeout settings will be the problem maker.
my 2¢,
Christoph
Michiel
ngIRCd Mailing List: ngIRCd-ML@arthur.barton.de http://arthur.barton.de/mailman/listinfo/ngircd-ml
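Added example, not part of the original thread or of ngIRCd itself: a small Python log correlator for checking the timing pattern discussed above, pairing each "Server going down NOW!" line with the last SSL handshake error logged by the same ngircd process. The function name, the `year` parameter (syslog timestamps carry no year) and all sample lines after the first two are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Classic syslog line as shown in the thread: "Mon DD HH:MM:SS host ngircd[pid]: msg"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"ngircd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# First two lines are quoted from the thread; the rest are constructed samples.
SAMPLE_LOG = """\
Mar 29 03:42:06 mail ngircd[29098]: SSL protocol error: SSL_accept (error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol)
Mar 29 03:43:06 mail ngircd[29098]: Server going down NOW!
Mar 29 04:10:00 mail ngircd[29500]: SSL protocol error: SSL_accept (error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol)
Mar 29 04:10:30 mail ngircd[29500]: SSL protocol error: SSL_accept (error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol)
Mar 29 04:11:30 mail ngircd[29500]: Server going down NOW!
Mar 29 05:00:00 mail ngircd[29900]: Server going down NOW!
"""


def shutdown_delays(log_text, year=2014):
    """Return [(pid, seconds_since_last_handshake_error or None), ...],
    one entry per shutdown line, in log order."""
    last_error = {}  # pid -> timestamp of most recent SSL handshake error
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an ngircd syslog line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        pid = int(m["pid"])
        if "SSL protocol error" in m["msg"]:
            last_error[pid] = ts
        elif "Server going down NOW!" in m["msg"]:
            prev = last_error.pop(pid, None)
            delay = int((ts - prev).total_seconds()) if prev else None
            results.append((pid, delay))
    return results


if __name__ == "__main__":
    for pid, delay in shutdown_delays(SAMPLE_LOG):
        note = f"{delay}s after last handshake error" if delay is not None else "no prior handshake error"
        print(f"ngircd[{pid}] shut down: {note}")
```

A delay that stays constant across shutdowns and tracks the configured IdleTimeout value supports the timeout explanation; shutdowns with no preceding handshake error point away from the bogus handshakes as the trigger.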