Silly Port Scans

Wow. It took a whole day for the world to find me after I opened port 22. I always assumed VPS providers were huge targets for the botnet crowd, so I'm not surprised.

What does surprise me is the sheer stupidity of the probes. 349 attempts in 15 minutes from one box at Datotel, all trying to ssh root on high ports. Ha! (Yes, I shared this with the @abuse contact for Datotel.) At least the probes routed through Taiwan and the PRC tried common-user-name attacks and gave up after a dozen failures.

I'd forgotten how amusing syslog could be. :)

14 Replies

Just in case you don't know of it, fail2ban is great.

Switching the port in sshd_config to some random large number works miracles too. But yeah, fail2ban or denyhosts do their work nicely.

I'm actually considering setting up a second sshd on 22, configured to refuse and log every connection. Some providers actually react to abuse@ emails, after all…

It's fun to tail those sometimes, because you see things like:

> Mar 27 09:06:48 xxx sshd[18874]: Failed password for harrypotter from 216.206.238.156 port 59938 ssh2

So that single administrator with 'harrypotter' on his box had better watch out.
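As an added example (not from this thread or from fail2ban itself), here is the kind of sliding-window check fail2ban applies to sshd "Failed password" lines in the syslog format quoted above: a source is flagged once it racks up `maxretry` failures inside any `findtime` span. The sample log is constructed (the quoted 'harrypotter' line plus made-up entries using RFC 5737 documentation addresses), and the year 2009 is an assumption, since syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: Failed password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse_failed_logins(lines, year=2009):
    """Return [(timestamp, user, ip)] for every 'Failed password' line; other lines are skipped."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            # syslog timestamps carry no year; 2009 is an assumed value used for ordering only
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events

def offending_sources(events, maxretry=5, findtime=timedelta(minutes=10)):
    """Flag an IP once it has >= maxretry failures within any findtime span; returns {ip: (total, users)}."""
    times, users = defaultdict(list), defaultdict(set)
    for ts, user, ip in sorted(events):
        times[ip].append(ts)
        users[ip].add(user)
    flagged = {}
    for ip, stamps in times.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > findtime:
                start += 1  # slide the window forward past stale failures
            if end - start + 1 >= maxretry:
                flagged[ip] = (len(stamps), sorted(users[ip]))
                break
    return flagged

# Constructed sample: 192.0.2.10 hammers root/admin, 198.51.100.7 fails only twice, 20 minutes apart.
SAMPLE_LOG = """\
Mar 27 09:06:48 xxx sshd[18874]: Failed password for harrypotter from 216.206.238.156 port 59938 ssh2
Mar 27 09:07:01 xxx sshd[18880]: Failed password for root from 192.0.2.10 port 40001 ssh2
Mar 27 09:07:03 xxx sshd[18881]: Failed password for root from 192.0.2.10 port 40002 ssh2
Mar 27 09:07:05 xxx sshd[18882]: Failed password for invalid user admin from 192.0.2.10 port 40003 ssh2
Mar 27 09:07:08 xxx sshd[18883]: Failed password for root from 192.0.2.10 port 40004 ssh2
Mar 27 09:07:11 xxx sshd[18884]: Failed password for root from 192.0.2.10 port 40005 ssh2
Mar 27 09:08:00 xxx sshd[18890]: Accepted publickey for james from 198.51.100.7 port 51000 ssh2
Mar 27 09:20:00 xxx sshd[18891]: Failed password for cisco from 198.51.100.7 port 51001 ssh2
Mar 27 09:40:00 xxx sshd[18892]: Failed password for cisco from 198.51.100.7 port 51002 ssh2
"""
```

Running `offending_sources(parse_failed_logins(SAMPLE_LOG.splitlines()))` flags only 192.0.2.10; the slow source stays under the threshold unless `findtime` is widened.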

So "Alohomora" didn't work eh?

Unless you have a real need for keyboard-interactive authentication, it's far better to go key-only. Good luck brute-forcing an RSA key!

On the other hand, that doesn't really help stop the logs from getting spammed with failed login attempts, so either fail2ban or a firewall rate-limiting rule for new SSH connections is still a good idea.

@rjp:

Unless you have a real need for keyboard-interactive authentication, it's far better to go key-only. Good luck brute-forcing an RSA key!

On the other hand, that doesn't really help stop the logs from getting spammed with failed login attempts, so either fail2ban or a firewall rate-limiting rule for new SSH connections is still a good idea.

Most bots are smart enough to look at the authentication methods and ignore the host if it doesn't offer keyboard-interactive. Why? Because they aren't getting in, so why waste the time?

That said, the single best thing you can do is simply change the port (and add two lines to ~/.ssh/config to make it transparent).

@kbrantley:

That said, the single best thing you can do is simply change the port (and add two lines to ~/.ssh/config to make it transparent).

Can you tell me which lines you're talking about?

    Host mydomain.com
        Port 8947

@kbrantley:

>     Host mydomain.com
>         Port 8947

Ah, I see what you're saying: it's so you don't have to type the -p 8947 part.

Thanks.

If you need to get out of a corporate firewall, use port 443 if it is available on your Linode. Several people at my office do this, works great.

I still see a very few scans daily on 443, but mostly for the same users every time - root, admin and cisco.

James

DenyHosts is also good, and you can get a munin graph to see how many haxxors tried and failed.

@zunzun:

If you need to get out of a corporate firewall, use port 443 if it is available on your Linode. Several people at my office do this, works great.

I still see a very few scans daily on 443, but mostly for the same users every time - root, admin and cisco.

James

Even if you can't use SSH over 443, you can almost definitely tunnel SSH traffic via your proxy on port 443.

If you want to also run an HTTPS server, look into sslh [http://www.rutschle.net/tech/sslh.shtml]

@mikeage:

If you want to also run an HTTPS server, look into sslh [http://www.rutschle.net/tech/sslh.shtml]

Very interesting – thanks for the tip.
