SSH Brute-Force on Unusual Ports?

I have a machine with SSH exposed on one high-numbered nonstandard port forwarded through a NAT. A few days ago I noticed some log noise about failed SSH logins and turned on fail2ban with sane defaults. It banned almost 300 addresses the next day. Looks like a botnet of compromised VMs, most of the random sample I whois‘d are from cloud/telecom provider’s IP ranges. The only common-ish use of the port in question is a very obsolete game matching service, and a couple machines behind the NAT with SSH on consecutive ports aren’t being harassed.

I’m used to attracting unwanted attention running services on standard ports (another machine that runs SSH on port 22 + HTTPS on 443 usually hands out at least 2000 bans a day), but this is new. Is the Internet that hostile now that bots are roving around in the 4-digit ports startin’ shit? Are there new behaviors that attract unwanted attention?

This entry was posted in Computers, General. Bookmark the permalink.

1 Response to SSH Brute-Force on Unusual Ports?

  1. TW says:

    Perhaps you picked a port used by an IoT device. Even post-mirai there are tonnes of vulnerable devices being shipped, and the technique remains valid.

Leave a Reply

Your email address will not be published. Required fields are marked *