

We scanned the Internet for port 22 - yammesicka
http://blog.erratasec.com/2013/09/we-scanned-internet-for-port-22.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SecurityBloggersNetwork+(Security+Bloggers+Network)#.UjOPqsYj_fI

======
noir_lord
> However, please consider adding our scanner (71.6.151.167) to your
> "whitelist". We are well-known cyber-sec researchers, we aren't trying
> anything nefarious or evil, and we are being as transparent as possible
> about our scans.

Sure and while we are at it I'll fetch the lube.

I don't complain about port 22 connections because none of my machines run
anything on port 22 (I move SSH to a random port mostly to deter whatever is
coming out of China this week).

Even if you do find the port you still have to get around the ssh keys (so
unless you are the NSA (j/k)), you could try an exploit against ssh but as it
doesn't report its version good luck with that and do try to avoid triggering
fail2ban.

I'm not a systems administrator (I guess I'd be DevOps) but I know enough to
know I don't know enough to disregard best practice.

~~~
LukeShu
What?

They aren't doing anything funny, nor are they asking you for permission to do
anything funny.

They scan your ports. To the unobservant, that can look like they are trying
to crack your systems. What is wrong with recognizing their IP (adding it to
your "whitelist"), and knowing that it probably isn't something worth
investigating?

~~~
njharman
Who exactly are "they"? Other than someone with a blog post saying whitelist
this ip and claiming "no monkey business, promise!" No time/interest to vet
them.

Also, did their webpage get hacked and that ip changed?

Will someone with access to their machines network succumb to maliciously
using or selling access to this widely whitelisted ip?

Seven years from now will that ip still be theirs?

~~~
robertgraham
"They" are me.

What's up with this belief that anybody you haven't heard of is a member of
some shadowy organization? I'm a well known security researcher, I give
several presentations a year at cybersec conferences, and my blog regularly
gets linked to from news.ycombinator.com.

Also, the post above excludes the first part of that: "We are happy to add
your IP addresses to our blacklist so we won't ever scan you again".

~~~
jacquesm
Well, as long as you own that IP. So once whitelisted, if you switch to a new
IP, that IP _stays_ whitelisted.

------
rsync
People. Port knocking. Seriously. There are very few things that have come and
gone in the almost 20 years that I have been securing systems and dealing with
attacks, but port knocking is a substantive, Truly Good Thing.

Works for a lot of other ports too, but ssh is the obvious one.

~~~
mwcampbell
Which port knocking implementation do you recommend?

~~~
yareally
I've been using knockd[1] for the last 5 or so years. Also has prebuilt
binaries (and in many repositories[2]) for almost every distro, including
cygwin, native windows and android.

[1]
[http://www.zeroflux.org/projects/knock/](http://www.zeroflux.org/projects/knock/)

[2]
[http://packages.debian.org/wheezy/knockd](http://packages.debian.org/wheezy/knockd)

~~~
narcissus
Not knowing much about this stuff, are there any clients that will 'automate'
the knock for you? If so, can you make any suggestions? Or is this a matter of
CLI SSH will do it, but I'm just not finding it?

~~~
yareally
[https://help.ubuntu.com/community/PortKnocking](https://help.ubuntu.com/community/PortKnocking)
(also the same config basically when using Debian)

It's a client/server thing, so you have to have the server running on the PC
you intend to connect to (like when using ssh).

Never used it in any other way than with the CLI and not with every server I
admin or use, as there are other best practices also mentioned in the thread
that are typically good enough without throwing in port knocking, like:

[https://news.ycombinator.com/item?id=6384313](https://news.ycombinator.com/item?id=6384313)
(and the child reply)

[https://news.ycombinator.com/item?id=6384418](https://news.ycombinator.com/item?id=6384418)

[https://news.ycombinator.com/item?id=6384457](https://news.ycombinator.com/item?id=6384457)

Most things you can just use knocking and connect with ssh forwarding/proxy
and tunnel everything through it like DB clients, IDE connections instead of
having a bunch of ports open to internet. Assuming you don't kill the
connection, then you can keep reusing it as a tunnel for anything else until
rebooting or losing internet connection.
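
Port knocking as used in the knockd setup described above, shown as an added example in Python rather than knockd's own code: the server-side matcher keeps a per-source cursor into the knock sequence, resets on any wrong port, and discards a half-finished sequence once a timeout has passed. The sequence (7000, 8000, 9000), the 10-second timeout and the "packets" fed to it are all constructed for the example; real knockd reads SYNs off the wire with libpcap and runs a firewall command when the sequence completes, whereas this model only records which source addresses would be allowed to reach port 22.

```python
"""
Minimal port-knocking sequence matcher modelled on knockd's behaviour.

Added example, not code from knockd or from the thread. Parameters are
assumed (they correspond to knockd's "sequence" and "seq_timeout" options
but the values are made up for this example).
"""

from dataclasses import dataclass, field

KNOCK_SEQUENCE = (7000, 8000, 9000)   # assumed knock sequence
SEQ_TIMEOUT = 10.0                    # assumed seconds allowed to finish it
SSH_PORT = 22


@dataclass
class KnockState:
    progress: int = 0        # how many ports of the sequence this source has hit
    first_hit: float = 0.0   # timestamp of the first correct knock


@dataclass
class KnockDaemon:
    sequence: tuple = KNOCK_SEQUENCE
    timeout: float = SEQ_TIMEOUT
    states: dict = field(default_factory=dict)
    opened_for: set = field(default_factory=set)

    def observe(self, src_ip, dst_port, now):
        """Feed one SYN to the matcher; return True if the sequence just completed."""
        st = self.states.get(src_ip, KnockState())
        # A stale partial sequence is discarded, as knockd does after seq_timeout.
        if st.progress and now - st.first_hit > self.timeout:
            st = KnockState()
        expected = self.sequence[st.progress]
        if dst_port == expected:
            if st.progress == 0:
                st.first_hit = now
            st.progress += 1
        else:
            # Any wrong port resets the sequence. This is why a scanner
            # sweeping ports in numeric order never completes it: the
            # first unexpected port between two knock ports throws it back.
            st = KnockState()
        if st.progress == len(self.sequence):
            self.opened_for.add(src_ip)      # stands in for the iptables command
            self.states.pop(src_ip, None)
            return True
        self.states[src_ip] = st
        return False

    def ssh_allowed(self, src_ip):
        """Would this source be allowed through to SSH_PORT?"""
        return src_ip in self.opened_for


def replay(events):
    """Run (src_ip, dst_port, timestamp) events through a fresh daemon and return it."""
    d = KnockDaemon()
    for src, port, t in events:
        d.observe(src, port, t)
    return d


# Constructed traffic, not captured from a real host:
# 198.51.100.7 knocks correctly; 203.0.113.9 is a sequential port scanner
# that hits 7000, 7001, 8000, 9000 and so never completes; 192.0.2.5 knocks
# in the right order but too slowly.
SAMPLE_EVENTS = [
    ("198.51.100.7", 7000, 0.0),
    ("198.51.100.7", 8000, 0.5),
    ("198.51.100.7", 9000, 1.0),
    ("203.0.113.9", 7000, 2.0),
    ("203.0.113.9", 7001, 2.1),
    ("203.0.113.9", 8000, 2.2),
    ("203.0.113.9", 9000, 2.3),
    ("192.0.2.5", 7000, 3.0),
    ("192.0.2.5", 8000, 4.0),
    ("192.0.2.5", 9000, 20.0),
]

if __name__ == "__main__":
    d = replay(SAMPLE_EVENTS)
    for ip in ("198.51.100.7", "203.0.113.9", "192.0.2.5"):
        print(ip, "ssh allowed" if d.ssh_allowed(ip) else "ssh closed")
```

The reset-on-wrong-port rule is the whole point against mass scanners: a sweep that touches every port in order hits 7001 right after 7000 and is thrown back to the start, so even a scanner that happens to hit all three knock ports never does so consecutively.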

------
zippergz
Why do people think it's worthwhile to file abuse complaints about port 22
connections? If I wanted to file a complaint about every random connection to
port 22 on one of my machines, it would be a full time job...

~~~
WizzleKake
A lot of 'rouge' ssh traffic comes from hacked machines. If you contact the
abuse department of a provider, they may get in touch with the owner of the
machine to let them know that their box has been compromised.

~~~
derleth
> A lot of 'rouge' ssh traffic comes from hacked machines.

And they're owned by the Hell's Angles or Red China, I bet.

~~~
riffraff
Rouge Angles of Satin

------
pdenya
> Yesterday (Sept. 12) we scanned the entire Internet for port 22

> … result of 1,730,887 systems on the Internet … (Note: this is actually only
> 60% of the Internet

So there are only 2,884,811-ish machines on the internet?

~~~
bigiain
I'd guess a closer interpretation might be "there are only ~2,900,000-ish
machines publicly answering on port 22 on the internet".

(Most of my "important" servers have port 22 firewalled off and only open to a
small set of external ip addresses. Some of them aren't running ssh at all.)

------
matt__rose
OpenSSH 4.3 is likely the most popular because it is the version that comes
with (redhat|centos|scientific|oracle) linux 5. It's still widely in use. 4.3
had a lot of bugs, but redhat has been backporting fixes to it since it came
out.

~~~
justincormack
I was wondering about correlating these to distros to get real world usage.
Distinguishing redhat vs centos is not going to be easy though I guess.

------
virtualwhys
I used to run SSH over some port != 22, does the trick to some degree.

After I picked up a Cisco ASA, went back to standard port 22 but only allow
access for connected VPN users.

Of course if the ASA goes down, so does the entire network, yelp. SmartNET
contract/warranty comes in handy, and the data center having backup ASAs on
site for quick swap is pretty useful as well.

~~~
Qantourisc
This doesn't make it secure, but this DOES save a lot on having a log full
with login attempts from all kinds of IP addresses.

~~~
tsahyt
When I set up my first server I was thoroughly surprised at the amount of
login attempts. By now I've got most of Asia on a blacklist for port 22 (which
doesn't matter, since I'm not going to connect to my server from an Asian IP
in the foreseeable future). That throttled it down to about 30 attempts/week,
which is manageable in terms of log reading.
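
The log noise described in this sub-thread is what fail2ban's sshd jail is built to act on. The following is an added example, not fail2ban's code and not anything posted in the thread: it runs the jail's core rule (ban a source after maxretry failures inside a findtime window) over a handful of constructed auth.log lines. The regex covers the failure lines OpenSSH writes for bad passwords, bad keys and invalid users; maxretry=3 and findtime=600 seconds are chosen here to keep the sample short (fail2ban ships with 5 and 10 minutes), and the year is assumed because syslog timestamps do not carry one.

```python
"""
fail2ban-style sshd brute-force detector run over sample log lines.

Added example, not fail2ban's own code. Log lines and thresholds are
constructed/assumed for the example.
"""

import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the failure lines OpenSSH writes to auth.log for password and
# public-key failures and for unknown users; the source IP is captured
# from the "from <addr>" part.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed (?:password|publickey) for (?:invalid user )?\S+|"
    r"Invalid user \S+) from (?P<ip>[\d.]+)"
)


def parse_failures(lines, year=2013):
    """Yield (timestamp, ip) for every failed-login line; other lines are ignored."""
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("ip")


def find_bans(lines, maxretry=3, findtime=600):
    """Return {ip: time_of_ban} for sources with >= maxretry failures in findtime seconds."""
    recent = defaultdict(deque)   # sliding window of failure timestamps per IP
    banned = {}
    for ts, ip in parse_failures(lines):
        if ip in banned:
            continue              # already banned; fail2ban would have dropped its packets
        window = recent[ip]
        window.append(ts)
        # Drop failures that fell out of the findtime window.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


# Constructed auth.log excerpt, not from a real server:
# 203.0.113.9 fails three times in four seconds (banned); 192.0.2.5 fails
# once an hour (never three inside the window); 198.51.100.7 logs in with a key.
SAMPLE_LOG = """\
Sep 13 04:12:01 vps sshd[2201]: Failed password for root from 203.0.113.9 port 41122 ssh2
Sep 13 04:12:03 vps sshd[2203]: Failed password for root from 203.0.113.9 port 41130 ssh2
Sep 13 04:12:05 vps sshd[2205]: Failed password for invalid user admin from 203.0.113.9 port 41138 ssh2
Sep 13 04:12:06 vps sshd[2207]: Accepted publickey for deploy from 198.51.100.7 port 50022 ssh2
Sep 13 04:30:00 vps sshd[2301]: Failed password for root from 192.0.2.5 port 33001 ssh2
Sep 13 05:30:00 vps sshd[2401]: Failed password for root from 192.0.2.5 port 33002 ssh2
Sep 13 06:30:00 vps sshd[2501]: Failed password for root from 192.0.2.5 port 33003 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

The slow attacker in the sample is the caveat worth noticing: anything that spaces its attempts wider than findtime is never banned, which is why password authentication has to be off regardless of fail2ban.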

------
telephonetemp
I run a VPS that is only accessible over IPv6. I wonder if they'll ever scan
it. Is there a way to narrow down the whole IPv6 search space to the most
populated subranges?

~~~
justincormack
Well you could get hold of the routing tables and filter out unallocated
space. But that's not going to help much as there are still 64 low end bits to
guess, some people use xxx::1 and ::2 but others use mac address based IPs
(and random ones). So we are probably at the best point to portscan before the
possibility goes away again...

------
sebcat
I'm on a phone with shitty wifi atm so looking at the code would be hard to
say the least. However, I am curious, how do you deal with packet loss?

The reason I'm asking is because, most people who claim to "scan the Internet"
assume that the network is reliable. And they don't follow up on potential
false negatives. If you scan the IPv4 address-space sequentially while only
limiting bandwidth or time, rest assured that packets will be dropped.

------
andrewcooke
if you're curious about your server keys:

    
    
        # one line per host key: bit length, fingerprint, comment and key type
        cd /etc/ssh
        for pub in *.pub; do ssh-keygen -l -f "$pub"; done
    

[edit: sorry; thought no-one had replied. earlier i asked what i should worry
about in ssh config. edit2: actually, i am using fail2ban.]

~~~
noir_lord
If you are using the default config the chances are you are using passwords to
login? This is bad because unless you are using something like fail2ban you
are leaving yourself open to brute force attacks.

Rough best practice is:

1) Use SSH keys to login
2) Enforce SSH to login (no password)
3) Disable Root Logins (login then elevate permissions, not logging in as root)
4) Move from port 22 to something else (if you do 1-3 this shouldn't matter; I
do it mostly to keep the crap out of my logs)
5) Install something like fail2ban to automatically blacklist IP addresses.
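
A checker for points 1-4 of that list, written as an added example for this thread and not taken from OpenSSH: it parses an sshd_config the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, "Keyword=value" is accepted, and everything after the first Match line is conditional and is skipped) and reports which points are not met. Two configs are constructed inline, a distribution-style default and a hardened one. Assumed defaults for absent keywords are those of the OpenSSH releases current in 2013: PasswordAuthentication yes, PubkeyAuthentication yes, ChallengeResponseAuthentication yes, PermitRootLogin yes, Port 22. The ChallengeResponseAuthentication check is the caveat to point 2: with UsePAM enabled, keyboard-interactive authentication still hands out a password prompt even after PasswordAuthentication is set to no.

```python
"""
Audit an sshd_config against points 1-4 of the list above.

Added example, not OpenSSH code. Defaults for absent keywords are assumed
(pre-OpenSSH-7.0 values); the two sample configs are constructed.
"""

import re

DEFAULTS = {
    "port": "22",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitrootlogin": "yes",   # assumed: OpenSSH < 7.0 default
}

# sshd separates keyword and value by whitespace or by a single '=' with optional whitespace.
SEP_RE = re.compile(r"\s*=\s*|\s+")


def parse_sshd_config(text):
    """Return {keyword: value} with sshd's first-match-wins rule; stops at the first Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = SEP_RE.split(line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break                                 # directives below are conditional
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)           # a repeated keyword keeps its first value
    return settings


def audit_sshd_config(text):
    """Return [(code, message)] for each point of the list that is not met."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    # OpenSSH 8.7+ renamed ChallengeResponseAuthentication to KbdInteractiveAuthentication.
    kbd = cfg.get("kbdinteractiveauthentication", cfg["challengeresponseauthentication"]).lower()
    findings = []
    if cfg["pubkeyauthentication"].lower() != "yes":
        findings.append(("pubkey", "1) PubkeyAuthentication is not yes; key login is off"))
    if cfg["passwordauthentication"].lower() != "no":
        findings.append(("password", "2) PasswordAuthentication is still on; passwords can be brute forced"))
    if kbd != "no":
        findings.append(("kbdint", "2) keyboard-interactive (PAM) still offers a password prompt"))
    if cfg["permitrootlogin"].lower() != "no":
        findings.append(("root", f"3) PermitRootLogin is '{cfg['permitrootlogin']}', not no"))
    if cfg["port"] == "22":
        findings.append(("port", "4) still on port 22 (only log noise once 1-3 are done)"))
    return findings


# Constructed for this example: a distribution-style default (everything
# commented out, so the compiled-in defaults apply) and a hardened config.
DEFAULT_CONFIG = """\
Port 22
#PermitRootLogin yes
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
"""

HARDENED_CONFIG = """\
Port 2222
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(text) or "ok")
```

The Match block in the hardened sample is deliberate: a PasswordAuthentication yes under Match Address only applies to that network, so a naive last-line-wins or any-line-wins reader would report the wrong answer for both this and the first-match rule.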

~~~
laumars
Moving SSH off port 22 has no security benefits. Anyone can still easily track
down if you have SSH running and on what port.

The only benefit moving SSH has is to reduce the reporting (as you also
mentioned).

I just wanted to make that clear in case someone mistook your post to assume
that switching SSH's default port made them more secure.

~~~
djrogers
Not entirely true. Moving your SSH port will not prevent a _targeted_ attacker
from finding it, it'll barely slow them down.

What it will do however is prevent automated script-kiddy scanning tools from
seeing port 22 open, scraping the banner, and adding your IP to a list of
targets to brute force/exploit. That's a good thing, and is absolutely, by any
definition, a security benefit.

~~~
marcosdumay
Automated tools already won't get into your machine if you disable passwords.
And they can easily adapt to non standard ports if the authors see any worth
in doing that.

Setting a non-standard port to ssh is akin to adding a wood plank to the door
of a safe with state of the art locks and 20" steel walls. A very annoying
wood plank, by the way.

~~~
njharman
No it's like hiding the safe so that 99.99% of attackers don't know you have
it and break into your neighbors instead.

~~~
laumars
No, it's like hiding your cash under your mattress expecting people not to
look there.

Real security doesn't rely on obscurity.

------
swalsh
Reading through the source code, there's actually a reasonably well used goto
([https://github.com/robertdavidgraham/masscan/blob/master/src...](https://github.com/robertdavidgraham/masscan/blob/master/src/main-throttle.c))

------
mabhatter
If they are only hitting a port 22 a few times, who's wasting the ISP's time
with abuse requests... I suppose it's probably those guys with Class-A blocks
and too much time on their hands.

------
chatman
What good does it bring anyway to repeatedly scan for the port 22? Doing it
once a month makes sense, but doing it daily doesn't.

~~~
tlrobinson
They said their next scan will be in October...

"We'll be scanning SSH again in October"

~~~
DanBC
They also said

> We are going to be extending this to more ports, such as FTP and SMTP. Soon,
> we should have weekly scans going for about 10 ports. I'm moving slowly
> forward to resolve abuse complaints, like this one generated for port 22. We
> plan on publishing the results, such as the anonymous counts above, in a
> nice weekly report for the public.

So, weekly, not daily.

------
rorrr2
Maybe you should randomize the order of IPs you scan, so you don't hit the
same network at 100K requests/sec.

~~~
gpvos
Of course they do, they are not stupid. Did you read the article?

