I have a machine with SSH exposed on one high-numbered nonstandard port forwarded through a NAT. A few days ago I noticed some log noise about failed SSH logins and turned on fail2ban with sane defaults. It banned almost 300 addresses the next day. Looks like a botnet of compromised VMs; most of the random sample I whois'd are from cloud/telecom providers' IP ranges. The only common-ish use of the port in question is a very obsolete game matching service, and a couple of machines behind the NAT with SSH on consecutive ports aren't being harassed.
I’m used to attracting unwanted attention running services on standard ports (another machine that runs SSH on port 22 + HTTPS on 443 usually hands out at least 2000 bans a day), but this is new. Is the Internet that hostile now that bots are roving around in the 4-digit ports startin’ shit? Are there new behaviors that attract unwanted attention?
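To make the "almost 300 addresses" observation reproducible, here is an added example (not part of the original post, and not fail2ban's own code) that mimics fail2ban's default sshd jail logic over a few constructed auth.log lines: it bans a source once `maxretry` (5) failures land within `findtime` (600 s), and then aggregates the remaining failures by /24 prefix. That second view is the one a per-IP ban threshold misses: a botnet that spreads its attempts across many addresses from the same provider ranges never trips the per-IP counter, yet the prefix totals make the pattern obvious. The log lines and addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_network

# Constructed sshd lines in syslog format; all addresses are documentation ranges.
SAMPLE_LOG = """\
Jan 12 03:14:07 gw sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51522 ssh2
Jan 12 03:14:09 gw sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51522 ssh2
Jan 12 03:14:11 gw sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51522 ssh2
Jan 12 03:14:13 gw sshd[2211]: Failed password for root from 203.0.113.5 port 51522 ssh2
Jan 12 03:14:15 gw sshd[2211]: Failed password for root from 203.0.113.5 port 51522 ssh2
Jan 12 03:20:01 gw sshd[2240]: Failed password for root from 198.51.100.7 port 40012 ssh2
Jan 12 03:20:03 gw sshd[2241]: Failed password for invalid user pi from 198.51.100.8 port 40013 ssh2
Jan 12 03:20:05 gw sshd[2242]: Failed password for invalid user ubnt from 198.51.100.9 port 40014 ssh2
Jan 12 03:20:44 gw sshd[2250]: Failed password for root from 198.51.100.7 port 40020 ssh2
Jan 12 03:20:46 gw sshd[2251]: Failed password for invalid user admin from 198.51.100.8 port 40021 ssh2
Jan 12 03:21:02 gw sshd[2252]: Failed password for root from 198.51.100.9 port 40022 ssh2
Jan 12 03:21:30 gw sshd[2260]: Failed password for invalid user test from 198.51.100.7 port 40030 ssh2
Jan 12 03:21:33 gw sshd[2261]: Failed password for root from 198.51.100.8 port 40031 ssh2
Jan 12 03:22:00 gw sshd[2300]: Accepted publickey for alice from 192.0.2.10 port 44122 ssh2
Jan 12 03:40:00 gw sshd[2350]: Failed password for root from 192.0.2.77 port 50001 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and "Failed password for X from IP".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(text, year=2024):
    """Return a time-sorted list of (datetime, source_ip) for every failed-login line.

    syslog timestamps carry no year, so one is assumed (constructed sample uses 2024).
    Lines that do not match (e.g. successful logins) are ignored.
    """
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"]))
    events.sort()
    return events


def sliding_window_bans(events, maxretry=5, findtime=600):
    """Mimic fail2ban's jail logic (defaults: maxretry=5, findtime=600 s).

    A source is banned at the moment its `maxretry`-th failure falls inside a
    `findtime`-second window. Returns {ip: ban_time}.
    """
    window = defaultdict(deque)
    banned = {}
    for ts, ip in events:
        if ip in banned:
            continue  # already banned; fail2ban would have dropped its packets
        q = window[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()  # expire failures older than the window
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


def failures_by_prefix(events, prefixlen=24):
    """Count failures per network prefix, the view that exposes distributed sources."""
    counts = defaultdict(int)
    for _, ip in events:
        net = ip_network(f"{ip}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return dict(counts)


def distributed_prefixes(events, banned, maxretry=5, prefixlen=24):
    """Prefixes whose aggregate failures reach `maxretry` although no single IP was banned."""
    banned_nets = {str(ip_network(f"{ip}/{prefixlen}", strict=False)) for ip in banned}
    return {
        net: n
        for net, n in failures_by_prefix(events, prefixlen).items()
        if n >= maxretry and net not in banned_nets
    }


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    bans = sliding_window_bans(ev)
    print("per-IP bans:", bans)
    print("failures per /24:", failures_by_prefix(ev))
    print("distributed prefixes fail2ban would not ban:", distributed_prefixes(ev, bans))
```

On the constructed input only 203.0.113.5 is banned, while 198.51.100.0/24 accounts for eight failures spread over three hosts that each stay under the threshold. That is the shape of a "300 bans a day" event: per-IP bans are a rate limiter, not a stopper, and the provider-range aggregation is what tells you whether the traffic is one botnet or unrelated scanners.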
Perhaps you picked a port used by an IoT device. Even post-Mirai there are tonnes of vulnerable devices being shipped, and the technique remains valid.