I have a machine with SSH exposed on one high-numbered nonstandard port forwarded through a NAT. A few days ago I noticed some log noise about failed SSH logins and turned on fail2ban with sane defaults. It banned almost 300 addresses the next day. Looks like a botnet of compromised VMs, most of the random sample I whois‘d are from cloud/telecom provider’s IP ranges. The only common-ish use of the port in question is a very obsolete game matching service, and a couple machines behind the NAT with SSH on consecutive ports aren’t being harassed.
I’m used to attracting unwanted attention running services on standard ports (another machine that runs SSH on port 22 + HTTPS on 443 usually hands out at least 2000 bans a day), but this is new. Is the Internet that hostile now that bots are roving around in the 4-digit ports startin’ shit? Are there new behaviors that attract unwanted attention?
Web Presence
Page Navigation
Meta
-
Recent Posts
Random Quote
Religious mysticism is intellectual garbage. It’s a vestige of the old superstitious Dark Ages when nobody knew anything and the whole world was sinking deeper and deeper into filth and disease and poverty and ignorance. It is one of those delusions that isn’t called insane only because there are so many people involved.
— Robert M. PirsigCategories
License
Unless otherwise noted, this work is licensed under a Creative Commons Attribution-ShareAlike 3.0 United States License.
Perhaps you picked a port used by an IoT device. Even post-mirai there are tonnes of vulnerable devices being shipped, and the technique remains valid.