
Confuse some SSH bots and make botters block you

jojomodding

I guess I trigger the bot detection? All I am served with is a Rick Astley quote.

Turns out switching from Firefox mobile to Chrome mobile "fixes" this. Thanks for supporting the free and open internet.

Bender

Yeah I probably have a number of false positives from my semi-fascist nginx configuration [2] I just use this for hobby sites and would never be accepted as a commercially supported CDN. They do fancy detection methods whereas I just use simple hacky methods. I tend to tune things so my friends can get through and some random people may get dropped until I look at what they are sending. For what it's worth each method is entirely optional or tunable to a person's needs or fever dreams. Probably language settings.

[1] - https://mirror.newsdump.org/nginx/inc.d/30_generic_http_stuf...

exabrial

We don't leave any ports open anymore. Everything is behind Wireguard. No key? Your packet goes into the blackhole.

Silent by default.

Bender

That is a good idea. My example is for people that expose ssh/sftp on purpose such as a public SFTP server for sharing who knows what.

ChuckMcM

I like this, back when the xterm CVE was common you could probably 0wn any botter who was looking at their logs in xterm.

unsnap_biceps

Not sure if it's down or if I've been flagged incorrectly as a bot

    Safari can't open the page "https://mirror.newsdump.org/confuse-some-ssh-bots.html" because Safari can't connect to the server "mirror.newsdump.org".

Bender

If the TCP Window size is abnormally small I block those and MSS outside of 1280-1460 but that is prior to anything the browser is doing. Those can be seen with

    tcpdump -p -i any -c512 -NNnnvv port 443 and 'tcp[13] == 2'
Or if a VPN is being used there is always a chance it is coming from a server/VPS provider and may be blackhole routed on my end.

politelemon

> The VersionAddendum will cause most poorly coded bots to hang, thus causing the botter to exclude us from their scans rather than us having to block them.

Why does this happen, wouldn't bots just ignore the version information?

estimator7292

That would be a "properly designed" bot and not a poorly-coded one

Bender

That pretty much sums it up. Someone writes a quick and dirty python/perl thing and all the botters use it rather than writing something around a recent ssh library. Their thing is probably faster but leaves out a lot making them easier to detect or break.
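To make the point above concrete, here is an added example (not code from the thread or from OpenSSH) that parses the SSH identification string the way RFC 4253 section 4.2 requires, next to a "quick and dirty" parse that assumes there is never a comment field after the software version. sshd's VersionAddendum is exactly that comment field, so the naive parse hands back a polluted version string; what any particular bot does with it afterwards (stall, crash, misidentify the host) depends on its own code and is not shown here. The banners are constructed samples.

```python
"""Compliant vs. naive parsing of the SSH identification string.

RFC 4253 4.2: "SSH-protoversion-softwareversion SP comments CR LF",
at most 255 bytes including CR LF. A client MUST ignore any lines sent
before it that do not start with "SSH-". Example code added for this
thread; banners below are constructed, not captured.
"""
import re

# protoversion, softwareversion (no whitespace), optional SP comments
IDENT_RE = re.compile(rb"^SSH-(\d+\.\d+)-(\S+)(?: (.*))?$")


def parse_identification(stream: bytes):
    """Return (protoversion, softwareversion, comments); raise on garbage."""
    for line in stream.split(b"\n"):
        line = line.rstrip(b"\r")
        if not line.startswith(b"SSH-"):
            continue  # pre-banner text: ignored, as the RFC requires
        if len(line) + 2 > 255:
            raise ValueError("identification string exceeds 255 bytes")
        m = IDENT_RE.match(line)
        if not m:
            raise ValueError("malformed identification string")
        proto, soft, comments = m.groups()
        if proto not in (b"2.0", b"1.99"):
            raise ValueError("unsupported protocol version %r" % proto)
        return proto.decode(), soft.decode(), (comments or b"").decode()
    raise ValueError("no identification string found")


def naive_parse(stream: bytes):
    """The shortcut many throwaway scanners take: first line, split on '-',
    everything after the second dash is 'the version'. No comment field,
    no pre-banner lines, no length check."""
    line = stream.split(b"\n")[0].rstrip(b"\r")
    _, proto, soft = line.split(b"-", 2)  # ValueError if not 3 parts
    return proto.decode(), soft.decode()


# Constructed banners: plain, and with a VersionAddendum comment appended.
PLAIN = b"SSH-2.0-OpenSSH_9.9\r\n"
WITH_ADDENDUM = b"SSH-2.0-OpenSSH_9.9 text set via VersionAddendum\r\n"

if __name__ == "__main__":
    print(parse_identification(WITH_ADDENDUM))
    print(naive_parse(WITH_ADDENDUM))
```

Run it and compare the two outputs: the compliant parser isolates `OpenSSH_9.9` and keeps the addendum as comments, while the naive one returns the addendum glued onto the version, and it raises outright if the server sends a greeting line before the banner.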

Bender

Feel free to test your SSH bots and HTTP bots against mirror.newsdump.org

Bender

I am having fun playing with the slow syn flood of spoofed packets someone is sending. I appreciate them sending it. I like the variability in the TCP MSS, TTL, Window sizes they are sending.

Thus far I am letting some leak through.

    100 SYN received in 15.03 seconds

    100 SYN-ACK returned in 3 minutes and 22.03 seconds.

danudey

Paramiko v4.0.0 (the latest) gets past the version string, it seems, but dies instantly on failed KEX, which is another convenient incompatibility. It does mean that even legitimate SSH bots in Python will fail though.

Bender

That is likely from performing hardening in ssh-audit [1]. The way I used to block python, Go and libssh was to use an iptables string search but that capability does not exist at least natively in nftables.

[1] - https://www.ssh-audit.com/