Subj : Re: SSH or no? (was: Nightmares / Dreams)
To   : Andre
From : DustCouncil
Date : Fri Apr 01 2022 02:36:33

An> 2t> 1) Having the well-known ports open (22/23) is more of a risk for
An> 2t> portscan/DDOS than obfuscated ports. Not that 2222 and 2323 aren't OB
An> 2t> alternatives...
An>
An> It probably limits it a bit, but it's not worth the bother. Tools like
An> Shodan can find SSH across any port, or any of the other mass scanners
An> can do the same thing. If someone finds a zero day for OpenSSH, it's not
An> going to make any difference what port you're listening on because it's
An> already been scanned and found and put into a database.

I have my homebrew firewall logging all ports in /etc/services - I have received no hits at all on the non-standard ssh ports, but seeing as how the majority of port thwacks are from bots, that makes sense, as those bots are looking for something specific.

I do have my SSH server displaying a banner on its non-standard port. It's been about a week; shodan hasn't picked it up yet. While the potentiality exists to simply scan all 65k+ ports on any given host, it is unclear to me whether shodan actually does this. (The banner is there so I can quickly search on a keyword to find it in shodan.) We'll see in a few weeks.

I know there are no known services that run on the port I'm running SSH on, so if shodan hits that, it'll be pretty clear they're scanning the whole port range.

But it still is significant to me that thus far hits on that port (other than me) are zero, after a week, compared to 190 on port 22 just today so far as of 7 hours ago (the report runs every 12 hours).

--- Mystic BBS v1.12 A47 2021/12/24 (Linux/64)
 * Origin: Shipwrecks & Shibboleths [San Francisco, CA - USA] (21:1/227)
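The kind of per-port tally the post describes (hits on 22 versus hits on the non-standard SSH port, bucketed into 12-hour report windows, with the owner's own connections excluded) is straightforward to produce from netfilter LOG-target lines. The script below is an added example written for this page; it is not the poster's homebrew firewall report or any Mystic BBS code. The log lines are constructed, the non-standard port 51777 and the "own host" address 198.51.100.200 are assumptions chosen for illustration, and the field layout (SRC=, PROTO=, DPT=) follows the standard kernel LOG format.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of netfilter LOG lines (not real traffic, not from the post).
# 198.51.100.2 is the firewall; 198.51.100.200 is assumed to be the owner's own host.
SAMPLE_LOG = """\
Apr  1 00:02:11 fw kernel: [12345.678901] FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51234 DPT=22 SYN
Apr  1 00:02:14 fw kernel: [12348.000000] FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51235 DPT=22 SYN
Apr  1 00:15:40 fw kernel: [13100.000000] FW-DROP: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.2 PROTO=TCP SPT=40000 DPT=23 SYN
Apr  1 03:44:02 fw kernel: [25000.000000] FW-DROP: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 PROTO=TCP SPT=40111 DPT=22 SYN
Apr  1 09:10:00 fw kernel: [44000.000000] FW-DROP: IN=eth0 OUT= SRC=198.51.100.200 DST=198.51.100.2 PROTO=TCP SPT=55555 DPT=51777 SYN
Apr  1 13:01:09 fw kernel: [58000.000000] FW-DROP: IN=eth0 OUT= SRC=203.0.113.99 DST=198.51.100.2 PROTO=TCP SPT=60000 DPT=22 SYN
Apr  1 13:05:00 fw kernel: [58200.000000] FW-DROP: IN=eth0 OUT= SRC=203.0.113.99 DST=198.51.100.2 PROTO=UDP SPT=60001 DPT=53 LEN=40
"""

OWN_HOST = "198.51.100.200"   # assumed: the poster's own machine, excluded from counts
SSH_PORT = 51777              # assumed: the non-standard SSH port under observation

# Syslog timestamp, then the SRC/PROTO/DPT fields of a netfilter LOG line.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dport>\d+)"
)


def parse_hits(log_text):
    """Return one dict per LOG line that carries a destination port.

    Lines without DPT= (ICMP, unrelated kernel messages) are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        hits.append({
            # syslog lines carry no year; only month/day/time matter for bucketing
            "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
            "src": m["src"],
            "proto": m["proto"],
            "dport": int(m["dport"]),
        })
    return hits


def hits_per_port(hits, own_sources=frozenset()):
    """Count hits per destination port, ignoring traffic from our own hosts."""
    return Counter(h["dport"] for h in hits if h["src"] not in own_sources)


def hits_by_report_window(hits, port, own_sources=frozenset(), window_hours=12):
    """Bucket hits on one port into fixed windows, like a report that runs every 12 hours."""
    buckets = Counter()
    for h in hits:
        if h["dport"] != port or h["src"] in own_sources:
            continue
        t = h["ts"]
        buckets[f"{t:%b %d} window {t.hour // window_hours}"] += 1
    return buckets


def unique_sources(hits, port, own_sources=frozenset()):
    """Distinct remote addresses that touched a port; a handful of repeat sources
    hammering 22 looks different from a full-range sweep that touches many ports."""
    return sorted({h["src"] for h in hits
                   if h["dport"] == port and h["src"] not in own_sources})


if __name__ == "__main__":
    hits = parse_hits(SAMPLE_LOG)
    own = {OWN_HOST}
    counts = hits_per_port(hits, own)
    print("hits per port (excluding own host):", dict(counts))
    print("port 22 by 12h window:", dict(hits_by_report_window(hits, 22, own)))
    print(f"port {SSH_PORT} hits from others: {counts[SSH_PORT]}")
    print("sources hitting 22:", unique_sources(hits, 22, own))
```

Run against a real `/var/log/kern.log` by replacing `SAMPLE_LOG` with the file contents and `OWN_HOST` with your own addresses; the exclusion is what turns "hits on that port" into "hits on that port other than me", and the window buckets line up with a twice-daily report.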