I have a machine with SSH exposed on one high-numbered nonstandard port forwarded through a NAT. A few days ago I noticed some log noise about failed SSH logins and turned on fail2ban with sane defaults. It banned almost 300 addresses the next day. Looks like a botnet of compromised VMs, most of the random sample I
whois‘d are from cloud/telecom provider’s IP ranges. The only common-ish use of the port in question is a very obsolete game matching service, and a couple machines behind the NAT with SSH on consecutive ports aren’t being harassed.
I’m used to attracting unwanted attention running services on standard ports (another machine that runs SSH on port 22 + HTTPS on 443 usually hands out at least 2000 bans a day), but this is new. Is the Internet that hostile now that bots are roving around in the 4-digit ports startin’ shit? Are there new behaviors that attract unwanted attention?
Please, please, stop referring to yourselves as ‘consumers.’ OK? ‘Consumers’ are different than citizens. Consumers do not have obligations, responsibilities, and duties to their fellow human beings. And as long as you’re using that word ‘consumer’ in the public discussion, you will be degrading the quality of the discussion we’re having, and we’re gonna continue to be clueless going into this very difficult future that we face.— James Howard Kunstler
Unless otherwise noted, this work is licensed under a Creative Commons Attribution-ShareAlike 3.0 United States License.
Perhaps you picked a port used by an IoT device. Even post-mirai there are tonnes of vulnerable devices being shipped, and the technique remains valid.