This work by Tomás Gutiérrez L. is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
2021/12/11
A few weeks ago after I posted my blog entry Unwanted (ssh) connections I changed the default SSH port (22) to a different unused one as I didn’t want logs filling up with random machines/IPs attempting to brute-force their way in. For a few days the logs in /var/log/secure were silent but to my surprise logs started writing again multiple attempts with only a few milliseconds between each attempt, they definitely weren’t trying to be discrete.
They tried different usernames, some of the usuals like oracle, mysql, ubuntu, etc. and also tried some that I hadn’t seen in in the logs before: gaoziqiang, fuhang, ebruayvaz. From what I can gather the first 2 are Chinese names and the third one is a Turkish name, which I guess they are common names in their countries and common enough to be tried to log into a machine.
Now, the interesting part about this is that, first of all, the packet filters I have setup in my server will only allow specific ports with an specific protocol, everything else that doesn’t match this filter will get dropped. This means that if someone tried to ping my machine it will simply won’t respond and look dead, so if someone is trying to connect to my server is because they either know the server exists in there or they are just simply trying ports every valid IP address. Second of all, I changed the port at which the SSH service was running to a not well-known port, so the only way for them to know there was an SSH service running in there would be to port scan. A tool like nmap can port scan and is available in most if not all linux distributions. For example if you wanted to quickly scan a server (-F) without trying to ping to check whether the host is up or not (-Pn) then you will get something like this:
~ $ nmap -Pn -F <IP> Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-11 20:39 -03 Nmap scan report for <IP-HOSTNAME> (<IP>) Host is up. All 100 scanned ports on <IP-HOSTNAME> (<IP>) are in ignored states. Not shown: 100 filtered tcp ports (no-response) Nmap done: 1 IP address (1 host up) scanned in 21.14 seconds
That was the top 100 ports and took 21.14 seconds, without the fast option (-F) it scans 1000 ports and it took 201.44 seconds. nmap does have options to reduce scan time, but again, my server doesn’t respond to pings and doesn’t have open ports in the default port scanning range of nmap, so they would have had to scan all ports (65535) to try to find an open one for an SSH service. Maybe when I had SSH in port 22, they had already tried to login so they knew there was a server at my IP address.
A few days later after this attempt, a new attempt came from a different IP address, I look at the logs I checked both IP addresses that were trying to login and they were assigned to DigitalOcean, very likely that it was the same person just with a different VM (Virtual Machine). I contacted them through an e-mail to their abuse contact mail and sent them the logs, providing information about where they were trying to connect hoping that they would reply with an update on the situtation. All I got was an automated response saying:
This mailbox is processed with automated tooling due to the high volume of abuse submissions we recieve. Reports our automation cannot parse may experience a delay in responde from DigitalOcean.
It has been a bit almost a month since I sent them an e-mail and I still don’t have a response. I do want to believe that they do have a high volume of abuse reports and it takes time to investigate but I’d still like an update on the report I made.
Funnily enough, attackers weren’t the only ones port scanning, in the logs I saw one IP adress that wasn’t mine, it didn’t try multiple times with different users, just closed connections and errors. I did a lookup on the IP and the hostname is “scanner-26.ch1.censys-scanner.com”, which appears to be part of “Censys” a security platform for your machines over the Internet. From what I gather, it probably scans the internet, trying to find vulnerabilities, in my case, a vulnerability in my SSH service and moving on. I would consider this to be rude because I never asked for my server to be scanned yet they are trying something on my server and what if they do find a vulnerability? Will they somehow contact me and report it? It’s like I went around houses lock picking doors to check whether they are easy to open or not without asking permission.
Having a server to play around “open” to the public internet can definitely be fun.