I have a machine with SSH exposed on one high-numbered nonstandard port forwarded through a NAT. A few days ago I noticed some log noise about failed SSH logins and turned on fail2ban with sane defaults. It banned almost 300 addresses the next day. Looks like a botnet of compromised VMs, most of the random sample I whois‘d are from cloud/telecom provider’s IP ranges. The only common-ish use of the port in question is a very obsolete game matching service, and a couple machines behind the NAT with SSH on consecutive ports aren’t being harassed.
I’m used to attracting unwanted attention running services on standard ports (another machine that runs SSH on port 22 + HTTPS on 443 usually hands out at least 2000 bans a day), but this is new. Is the Internet that hostile now that bots are roving around in the 4-digit ports startin’ shit? Are there new behaviors that attract unwanted attention?
Web Presence
Page Navigation
Meta
-
Recent Posts
Random Quote
The first truth is that the liberty of a democracy is not safe if the people tolerate the growth of private power to a point where it becomes stronger than their democratic state itself. That, in its essence, is fascism – ownership of government by an individual, by a group, or by any other controlling private power.
— Franklin D. RooseveltCategories
License
Unless otherwise noted, this work is licensed under a Creative Commons Attribution-ShareAlike 3.0 United States License.
1 Response to SSH Brute-Force on Unusual Ports?