QUOTE (ramstar @ Jan 15 2009, 10:24 AM)

This hit my SSH logs last night. Is there anything to worry about? I've already blocked this Turkish IP range, just never seen this so thought I'd ask.
Bad protocol version identification 'GET http://www.ipmaster.org/cgi-bin/textenv.pl HTTP/1.1' from ::ffff:78.179.120.108
Bad protocol version identification 'CONNECT www.google.com:443 HTTP/1.0' from ::ffff:78.179.120.108
Bad protocol version identification 'GET http://www.digconsys.com/testdir/env.cgi HTTP/1.1' from ::ffff:78.179.120.108
Bad protocol version identification 'CONNECT www.google.com:443 HTTP/1.0' from ::ffff:78.179.120.108
Bad protocol version identification 'CONNECT irc.geveze.net:7000 HTTP/1.1' from ::ffff:78.179.120.108
I'd like to know if they are able to actually connect and/or run these commands. Any info is helpful.

Also, it was scary when I saw this and then logged into cPanel today to see the panel updated to WHM Accelerated and asking me to confirm the change. The timing was just off.

If I telnet to my sshd port, and then type something like "I LIKE CHEESE":
[root@titan ~]# telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
SSH-2.0-OpenSSH_4.3
I LIKE CHEESE
Protocol mismatch.
Connection closed by foreign host.
[root@titan ~]#
Looking in my /var/log/secure...
[root@titan ~]# tail /var/log/secure -n 1
Jan 15 12:23:07 titan sshd[9279]: Bad protocol version identification 'I LIKE CHEESE' from UNKNOWN
[root@titan ~]#
This is basically because the SSH Daemon expects the client to send a version back after the daemon provides its own version.
From what you posted, it looks like some script kiddie trying to send httpd commands (mixed with IRC commands?) to your SSHD. So no, it's nothing to worry about.
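
Added example, not part of either post: a small triage script for the sshd entries discussed above. It groups rejected identification strings by source address and labels the ones shaped like HTTP proxy requests (a GET with an absolute URL, or CONNECT host:port). The log layout follows the /var/log/secure line shown above; timestamps, PIDs and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the /var/log/secure layout shown above. Timestamps and
# PIDs are made up; payloads and source address are the ones quoted in the thread.
SAMPLE_LOG = """\
Jan 14 23:01:10 titan sshd[9101]: Bad protocol version identification 'GET http://www.ipmaster.org/cgi-bin/textenv.pl HTTP/1.1' from ::ffff:78.179.120.108
Jan 14 23:01:11 titan sshd[9102]: Bad protocol version identification 'CONNECT www.google.com:443 HTTP/1.0' from ::ffff:78.179.120.108
Jan 14 23:01:13 titan sshd[9104]: Bad protocol version identification 'CONNECT irc.geveze.net:7000 HTTP/1.1' from ::ffff:78.179.120.108
Jan 15 12:23:07 titan sshd[9279]: Bad protocol version identification 'I LIKE CHEESE' from UNKNOWN
Jan 15 12:25:00 titan sshd[9300]: Accepted password for root from 127.0.0.1 port 51000 ssh2
"""

BAD_ID = re.compile(
    r"sshd\[\d+\]: Bad protocol version identification '(?P<payload>.*)' from (?P<src>\S+)\s*$"
)
# Shape of an HTTP request line: METHOD target HTTP/x.y
HTTP_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")


def classify(payload):
    """Label what the client sent instead of an SSH version string."""
    m = HTTP_LINE.match(payload)
    if not m:
        return ("other", None)
    if m["method"] == "CONNECT":
        return ("proxy-connect", m["target"])  # request for a tunnel to host:port
    if m["target"].lower().startswith(("http://", "https://")):
        return ("proxy-get", m["target"])      # absolute URL is the proxy request form
    return ("http", m["target"])               # ordinary origin-form request


def summarize(log_text):
    """Return {source: [(label, target), ...]} for every rejected identification."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = BAD_ID.search(line)
        if m:
            src = re.sub(r"^::ffff:", "", m["src"])  # drop IPv4-mapped IPv6 prefix
            hits[src].append(classify(m["payload"]))
    return dict(hits)


if __name__ == "__main__":
    for src, events in summarize(SAMPLE_LOG).items():
        print(src, events)
```
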