Port 22 Anecdotes

Recently my firewall at home had a bit of a hiccup and changed the rule that forwarded a high external TCP port number to port 22 of one of my servers into a 1:1 mapping of that port instead. As I was about to go into a long meeting I couldn’t immediately react and fix things, so for a couple of hours the SSH server of that machine was accessible from the Internet via its native port – with interesting results.

I was not particularly worried about leaving things this way for a couple of hours, as I had deactivated username/password authentication on that server and the patch level of the machine was up to date. I expected a couple of robots to try getting access but not much more. When I checked my logs after a couple of hours, however, I was quite surprised at the frequency with which I was attacked by bots. While there were periods of 30 minutes or so without any activity, there were also instances where I got a visitor every 2 or 3 minutes from everywhere around the world, and I had one bot that tried password authentication every second for a couple of minutes before it gave up after several hundred attempts.
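What the log review above boils down to is a small classification and counting job over sshd’s auth log. The script below is an added example and not the author’s own tooling: it parses a handful of constructed syslog-style sshd lines (RFC 5737 documentation addresses, a made-up key fingerprint), tallies the kinds of events per source address, lists which authentication methods actually succeeded, and flags sources that hammer password authentication in a short window, which is exactly the one-attempt-per-second bot described above. The message prefixes are the ones OpenSSH logs; the window and threshold values are assumptions to tune for your own server.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the syslog style OpenSSH uses on most distributions.
# Addresses are RFC 5737 documentation ranges; the fingerprint is a placeholder.
SAMPLE_LOG = """\
Mar 12 09:00:03 srv sshd[2101]: Did not receive identification string from 192.0.2.9 port 33333
Mar 12 09:02:41 srv sshd[2107]: Invalid user admin from 203.0.113.5 port 51234
Mar 12 09:02:41 srv sshd[2107]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 12 09:02:42 srv sshd[2108]: Failed password for root from 203.0.113.5 port 51235 ssh2
Mar 12 09:02:43 srv sshd[2109]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar 12 09:02:44 srv sshd[2110]: Failed password for root from 203.0.113.5 port 51237 ssh2
Mar 12 09:02:45 srv sshd[2111]: Failed password for root from 203.0.113.5 port 51238 ssh2
Mar 12 09:02:45 srv sshd[2111]: Received disconnect from 203.0.113.5 port 51238:11: Bye Bye [preauth]
Mar 12 09:05:10 srv sshd[2140]: Invalid user pi from 198.51.100.23 port 40010
Mar 12 09:05:10 srv sshd[2140]: Connection closed by invalid user pi 198.51.100.23 port 40010 [preauth]
Mar 12 09:31:55 srv sshd[2200]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:placeholderFingerprint
"""

# "<syslog timestamp> <host> sshd[<pid>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
# Every sshd message that names a peer carries "<ip> port <n>", with or without "from".
IP_RE = re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+")

# Message prefixes as OpenSSH writes them; anything else is "other".
KINDS = [
    ("Failed password", "failed_password"),
    ("Accepted publickey", "accepted_publickey"),
    ("Accepted password", "accepted_password"),
    ("Invalid user", "invalid_user"),
    ("Did not receive identification string", "no_ident"),  # banner grab / scanner
]


def classify(msg):
    for prefix, kind in KINDS:
        if msg.startswith(prefix):
            return kind
    return "other"


def parse_log(text, year=2024):
    """Turn raw lines into events; syslog timestamps lack a year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ipm = IP_RE.search(m.group("msg"))
        if not ipm:
            continue
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
        events.append({"ts": ts.replace(year=year), "ip": ipm.group("ip"),
                       "kind": classify(m.group("msg")), "msg": m.group("msg")})
    return events


def summarize(events):
    """Per source address: how many of each event kind."""
    summary = defaultdict(Counter)
    for e in events:
        summary[e["ip"]][e["kind"]] += 1
    return summary


def accepted_logins(events):
    """(ip, method) for every successful authentication; password hits here are the alarm."""
    return [(e["ip"], e["msg"].split()[1]) for e in events if e["kind"].startswith("accepted_")]


def find_bursts(events, window=timedelta(seconds=60), threshold=5):
    """Sources with >= threshold failed password attempts inside any sliding window.
    Returns (ip, window start, count) using the densest window per source."""
    by_ip = defaultdict(list)
    for e in events:
        if e["kind"] == "failed_password":
            by_ip[e["ip"]].append(e["ts"])
    bursts = []
    for ip, times in by_ip.items():
        times.sort()
        start, best = 0, None
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[1]):
                best = (times[start], count)
        if best:
            bursts.append((ip, best[0], best[1]))
    return bursts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, counts in summarize(evs).items():
        print(ip, dict(counts))
    print("accepted:", accepted_logins(evs))
    print("bursts:", find_bursts(evs))
```

On a real box, feed it `journalctl -u ssh -o short` or `/var/log/auth.log` instead of the embedded sample. The thing to look at first is `accepted_logins`: with password authentication disabled, every entry there must say `publickey`, and a single `password` entry means the hardening did not take.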

First thought: This puts into perspective press reports by companies and governments that they get attacked many times per hour. That is nothing special; everybody with a public IP address gets constantly bombarded by connection attempts from robots that try to find weaknesses.

Second reaction: Don’t even bother connecting low-power IoT devices with a public IPv4 address to the Internet; they will never have an opportunity to go to sleep and their small batteries will be empty before the day is out. Even having only a public IPv6 address that is reachable for incoming connections won’t help, as people are working on methods to scan that vastly bigger address space as well.

  1. It’s a real problem though. I am currently faced with the dilemma of whether I want to have one open port to one server at home (for a really dumb use case: allowing Alexa to control my Squeezebox), but reading your post confirms to me that the decision I have made until now, not to open any port at all, is probably a good one 😉

