Ssh – How to spot domain and https connection attempts to sshd

Tags: dns, https, port-forwarding, sshd

I'm running my sshd(8) listening on domain and https ports. (What else is there to run on these ports? 🙂)

Obviously, real DNS (when falling back to TCP) and HTTPS clients might attempt to connect to my SSH server listening on these ports.
How can I find out how many connection attempts it receives from DNS/TCP and HTTPS/TCP clients?
Is there, for example, some pattern that I can search the server's logs for that is unique to a DNS/TCP client or an HTTPS/TCP client talking to an SSH server?
Is there some networking tool that can easily show this?

I have linked the OpenBSD /etc/services and sshd above, so I'm obviously interested in how to do this on OpenBSD primarily. But if there's a cross-platform way of doing this that isn't specific to any single operating system, please include it.

Best Answer

You can add content-based firewall rules that analyze the first few bytes of incoming connections. For example, under Linux, with iptables:

iptables -N notssh
iptables -A INPUT -p tcp --dport 53  -m string --algo bm --from 0 --to 7 ! --string SSH-2.0 -j notssh
iptables -A INPUT -p tcp --dport 443 -m string --algo bm --from 0 --to 7 ! --string SSH-2.0 -j notssh

The counter on the notssh rule provides the number of times this rule was triggered since it was established or since the counter was reset with iptables -Z notssh. There's also a counter on the individual rules.

This incorrectly counts connections where the first packet of the TCP connection contains less than 7 bytes of the SSH protocol but that is rare in practice.
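A cross-platform alternative that works on OpenBSD too is to classify sshd's own log lines. The script below is an added example, not part of the original answer; it assumes the OpenSSH message format "Bad protocol version identification '<line>' from <ip> port <port>" (with control and non-ASCII bytes shown as octal escapes) and uses constructed sample log lines.

```python
import re
from collections import Counter

# Assumption: OpenSSH logs the first non-SSH line a peer sends as
# "Bad protocol version identification '<line>' from <ip> port <port>",
# with control and non-ASCII bytes escaped as octal (\026 for 0x16).
BAD_ID = re.compile(r"Bad protocol version identification '(?P<payload>.*)' "
                    r"from (?P<ip>\S+) port (?P<port>\d+)")

# Constructed sample log lines (not real traffic): a TLS ClientHello, an HTTP
# request, a DNS-over-TCP query, a normal login and an unrelated client.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1234]: Bad protocol version identification '\\026\\003\\001\\002\\000\\001\\000\\001\\374\\003\\003' from 192.0.2.10 port 51234
Mar  3 10:00:02 host sshd[1235]: Bad protocol version identification 'GET / HTTP/1.1' from 192.0.2.11 port 51235
Mar  3 10:00:03 host sshd[1236]: Bad protocol version identification '\\000\\035\\253\\315\\001\\000\\000\\001\\000\\000\\000\\000\\000\\000' from 192.0.2.12 port 51236
Mar  3 10:00:04 host sshd[1237]: Accepted publickey for alice from 192.0.2.13 port 51237 ssh2
Mar  3 10:00:05 host sshd[1238]: Bad protocol version identification 'HELO mail' from 192.0.2.14 port 51238
"""

def unescape(s: str) -> bytes:
    """Reverse sshd's octal escaping (\\026 -> 0x16) to recover the raw first bytes."""
    return re.sub(r"\\([0-7]{1,3})", lambda m: chr(int(m.group(1), 8) & 0xFF), s).encode("latin-1")

def classify(payload: bytes) -> str:
    """Guess which protocol the peer was speaking from the bytes it sent first."""
    if payload[:2] == b"\x16\x03":          # TLS handshake record, version 3.x
        return "tls"
    if re.match(rb"(GET|POST|HEAD|PUT|OPTIONS|CONNECT) \S+ HTTP/", payload):
        return "http"
    if len(payload) >= 6:                   # DNS over TCP: 2-byte length, then 12-byte header
        msg_len = int.from_bytes(payload[:2], "big")
        query_flags_ok = payload[4] in (0x00, 0x01) and payload[5] & 0x0F == 0
        if 12 <= msg_len <= 4096 and query_flags_ok:   # QR=0, opcode 0, RCODE 0
            return "dns"
    return "other"

def count_by_protocol(log_text: str) -> Counter:
    """Count 'Bad protocol version identification' lines per guessed protocol."""
    counts = Counter()
    for line in log_text.splitlines():
        m = BAD_ID.search(line)
        if m:
            counts[classify(unescape(m.group("payload")))] += 1
    return counts
```

On OpenBSD feed it the contents of /var/log/authlog. Clients that send no newline-terminated line at all (an idle probe, or binary data with no 0x0a byte) are logged as "Did not receive identification string from ..." instead and are not classified here.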
