On Sat, Oct 01, 2022 at 10:44:48PM -0400, Viktor Dukhovni wrote:

> > Sep 25 00:07:45 bilbo dovecot: imap-login: Disconnected: Connection
> > closed: SSL_accept() failed: error:14209102:SSL
> > routines:tls_early_post_process_client_hello:unsupported protocol (no
> > auth attempts in 3 secs): user=<>, rip=205.210.31.140, lip=172.31.8.104,
> > TLS handshaking: SSL_accept() failed: error:14209102:SSL
> > routines:tls_early_post_process_client_hello:unsupported protocol,
> > session=<x8XLOnrp39PN0h+M>
>
> The connection was from:
>
> NetRange: 205.210.31.0 - 205.210.31.255
> CIDR: 205.210.31.0/24
> NetName: PAN-22
> Organization: Palo Alto Networks, Inc (PAN-22)
>
> I would not expect TLS version scans from them, but perhaps they too
> carry out TLS feature studies where they look for support for legacy
> TLS versions.

That said, I too see what looks like a security scan from that network
in my logs:

    Sep 30 16:35:20 amnesiac postfix/submission/smtpd[97237]: connect from unknown[205.210.31.51]
    Sep 30 16:35:20 amnesiac postfix/submission/smtpd[97237]: warning: non-SMTP command from unknown[205.210.31.51]: GET / HTTP/1.1
    Sep 30 16:35:20 amnesiac postfix/submission/smtpd[97237]: disconnect from unknown[205.210.31.51] unknown=0/1 commands=0/1

Legitimate research security scans should come from hosts with PTR
records, and, at the associated domain, web pages that document the
project. This could also be abuse.

--
    Viktor.
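
An added example, not part of the original message: one way to pull both kinds of probe out of the logs quoted above and group them by source /24, in Python. The function names are hypothetical, and the sample input is the log lines from the thread with the wrapped Dovecot entry rejoined onto one line.

```python
import ipaddress
import re
from collections import defaultdict

# Log lines from the thread above (the Dovecot entry rejoined onto one line).
SAMPLE_LOG = """\
Sep 25 00:07:45 bilbo dovecot: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol (no auth attempts in 3 secs): user=<>, rip=205.210.31.140, lip=172.31.8.104, TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol, session=<x8XLOnrp39PN0h+M>
Sep 30 16:35:20 amnesiac postfix/submission/smtpd[97237]: connect from unknown[205.210.31.51]
Sep 30 16:35:20 amnesiac postfix/submission/smtpd[97237]: warning: non-SMTP command from unknown[205.210.31.51]: GET / HTTP/1.1
Sep 30 16:35:20 amnesiac postfix/submission/smtpd[97237]: disconnect from unknown[205.210.31.51] unknown=0/1 commands=0/1
"""

# Dovecot puts the remote address in rip=...; it logs no client hostname.
DOVECOT_RIP = re.compile(r"\brip=([0-9a-fA-F.:]+)")
# Postfix: the client sent something other than SMTP (here, an HTTP request).
POSTFIX_NON_SMTP = re.compile(
    r"postfix/\S+: warning: non-SMTP command from (\S+?)\[([0-9a-fA-F.:]+)\]: ")

def find_probes(log_text):
    """Yield (kind, ip, verified_name) for each probe-like log line."""
    for line in log_text.splitlines():
        if "dovecot:" in line and "unsupported protocol" in line:
            m = DOVECOT_RIP.search(line)
            if m:
                yield "legacy-tls", m.group(1), None  # hostname not logged
            continue
        m = POSTFIX_NON_SMTP.search(line)
        if m:
            # Postfix logs "unknown" when the client has no PTR record or the
            # PTR name does not resolve back to the client address.
            yield "non-smtp", m.group(2), m.group(1) != "unknown"

def group_by_network(log_text, prefix=24):
    """Aggregate probes per source network so one scanner is one entry."""
    nets = defaultdict(lambda: {"kinds": set(), "ips": set(), "unverified": set()})
    for kind, ip, verified_name in find_probes(log_text):
        net = str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
        nets[net]["kinds"].add(kind)
        nets[net]["ips"].add(ip)
        if verified_name is False:
            nets[net]["unverified"].add(ip)
    return dict(nets)

if __name__ == "__main__":
    for net, e in group_by_network(SAMPLE_LOG).items():
        print(net, sorted(e["kinds"]), sorted(e["ips"]),
              "no verified name:", sorted(e["unverified"]))
```

Both log entries collapse into the single network 205.210.31.0/24, the same CIDR as in the whois output quoted above.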