Angus Robertson

Amazon Echoes


I did a lot of web server testing, looking at lots of logs, expect hacking of my public IPs from around the world, usually a few hundred different IPs weekly to my various servers.  

 

But a web server log today had some more interesting entries in the log:

 

192.168.1.31 > alexa-bath.magenta 
192.168.1.34 > alexa-hall.magenta 
192.168.1.36 > alexa-livingrm.magenta 
192.168.1.37 > alexa-garden.magenta 
192.168.1.39 > alexa-clock.magenta 

 

It seems some of my Amazon Echo units are also attempting SSL connections to my local web server. All the connections failed with an SSL handshake error, so not sure what URL the Echoes are looking at. Why would Echoes be looking for web servers?

 

Angus

 


Amazon Echoes (I believe) do ARP scans of your local network. Could that be what you're seeing? 


ARP does not involve opening an SSL connection to port 443, which fails due to a certificate error.  

 

03:35:20 Client Hello: 192.168.1.101:443[id=365] from 192.168.1.34 (192.168.1.34)
Server Name: , ALPN: http/1.1, Versions: TLSv1.2
Extensions, renegotiate, ext master secret, signature algos, next proto neg, app layer prot neg, EC point formats, elliptic curves

03:35:20 SSL Handshake Error: 192.168.1.34 - error:0A000418:SSL routines::tlsv1 alert unknown ca, State: error

 

But it was just one night, no repeats since, very strange. 

 

Angus

 


This is strange!

 

 

26 minutes ago, Angus Robertson said:

03:35:20 Client Hello: 192.168.1.101:443[id=365] from 192.168.1.34 (192.168.1.34)
Server Name: , ALPN: http/1.1, Versions: TLSv1.2
Extensions, renegotiate, ext master secret, signature algos, next proto neg, app layer prot neg, EC point formats, elliptic curves

03:35:20 SSL Handshake Error: 192.168.1.34 - error:0A000418:SSL routines::tlsv1 alert unknown ca, State: error

The lack of Server Name explains some of it but not all, so:

1) Your server is configured not to accept a default web server or redirect from HTTP to HTTPS (it might be, though, but in this case it was HTTPS). The connection came by connecting to an IP, and a redirect is due to a host name (the default one) that it can serve, but in this case Amazon was performing some sort of IP scanning for a reverse IP-to-host lookup (collecting data), like a hit in the dark to get the real web server.

2) Did the client provide a client certificate, and the log missed handling or missed logging it? There is no mention of such a certificate in these log lines, and the question is "why?" and "what?" did the server try to validate and not find a CA for it; was it an IP?

 

Just my thoughts on these two logged lines.


The server does have a certificate on that address, for pc21-tele.magenta, signed by the ICS intermediate and ICS root, but the Echo would not accept that.  The server redirects from 70 to 443, but that would have been logged.  Client certificates are not requested.  

 

Strange that six Echo devices all decided to go web server hunting within two hours, just once in a week, although I rarely look at the server logs unless debugging ICS.  A pity SSL failed, would be very interesting to know what URL it was looking for.   

 

That server has another address on the public internet that currently has 615 hackers blocked, mostly accessing the server by IP address. 

 

Just added an ASN database to ICS, so the logs will shortly list ISP names as well as countries, I expect to be blocking some connected with China but running in the USA and other western countries.  

 

Angus

 


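Added example, not part of the thread and not ICS code: a Python triage of the log lines quoted above. It decodes the OpenSSL 3.x error code to show that `unknown ca` is an alert received from the client (the Echo rejected the server's privately signed certificate, no client certificate was involved) and flags that the client is on the LAN and sent no SNI. The function names and the regexes for the log layout are assumptions based only on the four lines shown.

```python
import ipaddress
import re

# Log lines as quoted in the thread (ICS web server log).
SAMPLE_LOG = """\
03:35:20 Client Hello: 192.168.1.101:443[id=365] from 192.168.1.34 (192.168.1.34)
Server Name: , ALPN: http/1.1, Versions: TLSv1.2
Extensions, renegotiate, ext master secret, signature algos, next proto neg, app layer prot neg, EC point formats, elliptic curves
03:35:20 SSL Handshake Error: 192.168.1.34 - error:0A000418:SSL routines::tlsv1 alert unknown ca, State: error
"""

# Assumed layout, inferred from the sample lines only.
HELLO = re.compile(r"^(\S+) Client Hello: (\S+?)\[id=\d+\] from (\S+)")
SNI = re.compile(r"^Server Name: ([^,]*),")
ERROR = re.compile(r"^(\S+) SSL Handshake Error: (\S+) - error:([0-9A-Fa-f]{8}):")

def decode_openssl3(code_hex):
    """Split an OpenSSL 3.x packed error code into (library, reason)."""
    code = int(code_hex, 16)
    return (code >> 23) & 0xFF, code & 0x7FFFFF

def triage(log_text):
    """Pair each Client Hello with the handshake error from the same client."""
    hellos, findings, current = {}, [], None
    for line in log_text.splitlines():
        if m := HELLO.match(line):
            current = m.group(3)
            hellos[current] = {"server": m.group(2), "sni": None}
        elif (m := SNI.match(line)) and current:
            hellos[current]["sni"] = m.group(1).strip()
        elif m := ERROR.match(line):
            client = m.group(2)
            lib, reason = decode_openssl3(m.group(3))
            # In libssl (library 20), reasons above 1000 are 1000 + the TLS
            # alert number received from the peer; 48 is unknown_ca.
            alert = reason - 1000 if lib == 20 and reason > 1000 else None
            findings.append({
                "client": client,
                "internal": ipaddress.ip_address(client).is_private,
                "no_sni": hellos.get(client, {}).get("sni") == "",
                "peer_alert": alert,
                "client_rejected_cert": alert == 48,
            })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
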
