Nginx log shows ssl handshake errors
I have seen my nginx error log is full of messages like this:
(*date*) [info] 69487#0: *1064573 peer closed connection in SSL handshake while SSL handshaking, client: 95.64.*.*, server: 0.0.0.0:443
(*date*) [info] 69487#0: *1064574 peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking, client: 95.162.*.*, server: 0.0.0.0:443
(*date*) [info] 69487#0: *1064572 peer closed connection in SSL handshake while SSL handshaking, client: 5.112.*.*, server: 0.0.0.0:443
(*date*) [info] 69487#0: *1064576 peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking, client: 188.211.*.*, server: 0.0.0.0:443
(*date*) [info] 69487#0: *1064578 peer closed connection in SSL handshake while SSL handshaking, client: 185.120.*.*, server: 0.0.0.0:443
(*date*) [info] 69487#0: *1064577 peer closed connection in SSL handshake while SSL handshaking, client: 5.126.*.*, server: 0.0.0.0:443
Note: I have anonymized dates and IPs.
The server log contains a lot of similar log lines. I have created a fail2ban rule to filter them all and after a day it has blacklisted more than 6000 IPs. A quick look at some of the blacklisted ones shows that almost all are coming from Iran, but they do not appear listed in https://www.abuseipdb.com.
Is this an attack? Or maybe I have misconfigured the nginx server? If it is an attack, what type of attack is it? I need to know this to report the IP addresses if they are malicious.
Solution 1:
ssh handshake errors
You surely meant SSL (not SSH).
Is this an attack?
Seen directly, it is not. This means exactly what it says (the connection is closed at the stage where normally an SSL handshake would take place). This can have several reasons: e.g. something noticed that your nginx is using a method that the other side does not support and doesn't even try to complete a handshake. Or it is some unstable or slow connection (it gets broken in the handshake phase or did not answer within the timeout), etc.
Sometimes it is some old browser API (which may also be used by some bots) which is simply unable to communicate securely using the newest SSL facilities.
But sometimes it is really something intentional, organized by a botnet in order to flood your log with "parasitic" log entries or data messages (for example to slow down monitoring services like IDS/IPS/fail2ban/whatever) or to hide real "attack" attempts within the large traffic (on log or data).
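Before banning thousands of addresses on a single matching line, it helps to know how often each client actually hits this error. The following is an added example, not code from the question or the answer: it parses nginx error-log lines in the default error_log layout, counts "peer closed connection in SSL handshake" events per client, and flags only repeat offenders. The sample lines and the threshold are constructed for the demonstration (RFC 5737 documentation addresses); the regex assumes nginx's default error-log format.

```python
import re
from collections import Counter

# Assumed default nginx error_log layout:
# "<YYYY/MM/DD HH:MM:SS> [level] <pid>#<tid>: *<conn> <message>, client: <ip>, server: <addr>"
# The "(104: Connection reset by peer)" part is optional, as in the question's log.
HANDSHAKE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \d+#\d+: "
    r"\*(?P<conn>\d+) peer closed connection in SSL handshake"
    r"(?: \((?P<errno>\d+): (?P<errmsg>[^)]*)\))? while SSL handshaking, "
    r"client: (?P<client>[0-9a-fA-F.:]+), server: (?P<server>\S+)$"
)


def parse_handshake_failure(line):
    """Return the parsed fields of a handshake-failure line, or None for any other line."""
    m = HANDSHAKE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines, threshold):
    """Count handshake failures per client IP and flag clients at or above threshold.

    Returns (per_client Counter, sorted list of flagged IPs). A single failure per
    client is consistent with the benign causes in the answer (old client, bad
    network); many failures from one client are what a ban rule should key on.
    """
    per_client = Counter()
    for line in lines:
        rec = parse_handshake_failure(line)
        if rec:
            per_client[rec["client"]] += 1
    flagged = sorted(ip for ip, n in per_client.items() if n >= threshold)
    return per_client, flagged


# Constructed sample log (RFC 5737 test addresses); last line is an unrelated error.
SAMPLE_LOG = """\
2024/03/01 10:00:01 [info] 69487#0: *1064573 peer closed connection in SSL handshake while SSL handshaking, client: 192.0.2.10, server: 0.0.0.0:443
2024/03/01 10:00:02 [info] 69487#0: *1064574 peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking, client: 192.0.2.10, server: 0.0.0.0:443
2024/03/01 10:00:02 [info] 69487#0: *1064575 peer closed connection in SSL handshake while SSL handshaking, client: 192.0.2.10, server: 0.0.0.0:443
2024/03/01 10:00:03 [info] 69487#0: *1064576 peer closed connection in SSL handshake while SSL handshaking, client: 198.51.100.7, server: 0.0.0.0:443
2024/03/01 10:00:04 [error] 69487#0: *1064577 open() "/var/www/x" failed (2: No such file or directory), client: 203.0.113.5, server: example.test
""".splitlines()

if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_LOG, threshold=3)
    for ip, n in counts.most_common():
        print(f"{ip:>16}  {n} handshake failure(s)")
    print("over threshold:", flagged)
```

Run it over the real error log (`summarize(open("/var/log/nginx/error.log"), threshold=...)`) to see whether the 6000 addresses are a few noisy clients or a flat spread of one-off failures, which is the distinction the answer draws.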