A while ago I added TCP 2222, a port commonly used as an alternate SSH port, to my honeypot in order to compare the volume of scans targeting ports 22 and 2222 over a period of 7 days. What I noticed is that TCP 22, the default SSH port, receives only about 50% more traffic than 2222. The activity reported to DShield over the past month has been fairly consistent for TCP 2222 [1]. I used the latest version of rockNSM, released a few weeks ago, with its newly added dashboard to track the activity.

[Figure: port 22 over the past 7 days]
[Figure: port 2222 over the past 7 days]
[Figure: ports 22 and 2222 over the past 7 days]

I wrote a diary last year in which I posted a list of various SSH client types and versions. Over the past several weeks I received 9,664 SSH probes to TCP 2222. This is the breakdown of the SSH client identification strings used:

Client banner            Probes
SSH-2.0-libssh-0.6.3     8060   (roughly 83% of the 9,664 probes)

libssh 0.6 and later (prior to the fixed releases 0.7.6 and 0.8.4) is vulnerable to CVE-2018-10933, an authentication bypass in libssh's server mode, and the most common hasshServer values are posted here.

If you are interested in trying out the latest version of rockNSM 2.3, I recently updated my step-by-step guide and posted it on the handlers server.

[1] https://isc.sans.edu/port.html?port=2222
Guy, ISC Handler, Mar 9th 2019
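As an added example (not code from the diary, from rockNSM or from DShield), the script below does the kind of tally the diary describes: it reads constructed honeypot records laid out as timestamp, source IP, destination port and client identification string, validates the identification string against the SSH-protoversion-softwareversion layout of RFC 4253 section 4.2, counts probes per port and per client banner, and flags banners matching the scanner-only client libraries named in the diary (libssh-0.6.x) and in the comment below (zgrab, ssh2js, ganymed, jsch, granados). The record layout, the sample lines and the SCANNER_MARKERS list are assumptions made for this example.

```python
"""Tally SSH client identification strings seen by a honeypot, per port.

Added example for this diary; not code from the diary or from rockNSM.
The log layout (timestamp, source IP, destination port, client banner)
and the scanner marker list are assumptions made for the example.
"""
import re
from collections import Counter, defaultdict

# Constructed sample records; real honeypot output will differ.
SAMPLE_LOG = """\
2019-03-08T10:01:02Z 203.0.113.5 2222 SSH-2.0-libssh-0.6.3
2019-03-08T10:01:09Z 203.0.113.5 22 SSH-2.0-libssh-0.6.3
2019-03-08T10:02:44Z 198.51.100.7 2222 SSH-2.0-Go
2019-03-08T10:03:01Z 198.51.100.9 22 SSH-2.0-OpenSSH_7.9 Debian-10
2019-03-08T10:03:15Z 192.0.2.20 2222 SSH-2.0-libssh-0.6.3
2019-03-08T10:04:30Z 192.0.2.21 2222 GET / HTTP/1.1
"""

# RFC 4253 section 4.2: the identification string is
# SSH-protoversion-softwareversion SP comments, comments being optional.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>[^ \t\r\n]+)(?: (?P<comments>.*))?$"
)

# Client libraries the diary (libssh-0.6.x) and a commenter (zgrab, ssh2js,
# ganymed, jsch, granados) report as seen only from scanners and bots.
# Assumed list for this example; tune it to what your own sensor sees.
SCANNER_MARKERS = ("libssh-0.6", "zgrab", "ssh2js", "ganymed", "jsch", "granados")


def parse_banner(banner):
    """Return (protoversion, softwareversion, comments) or None if malformed."""
    m = BANNER_RE.match(banner)
    if m is None:
        return None
    return m.group("proto"), m.group("software"), m.group("comments")


def is_known_scanner(banner):
    """True if the softwareversion names one of the scanner-only clients."""
    parsed = parse_banner(banner)
    if parsed is None:
        return False
    software = parsed[1].lower()
    return any(marker in software for marker in SCANNER_MARKERS)


def summarize(log_text):
    """Count probes per destination port and per (port, banner)."""
    per_port = Counter()
    banners = defaultdict(Counter)
    malformed = 0
    for line in log_text.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) != 4:
            continue  # truncated record, nothing to count
        _ts, _src, port, banner = fields
        if parse_banner(banner) is None:
            malformed += 1  # payload was not an SSH identification string
            continue
        port = int(port)
        per_port[port] += 1
        banners[port][banner] += 1
    return {
        "per_port": dict(per_port),
        "banners": {p: dict(c) for p, c in banners.items()},
        "malformed": malformed,
    }


def share(count, total):
    """Percentage of total rounded to one decimal; 0.0 when total is 0."""
    return round(100.0 * count / total, 1) if total else 0.0


def report(summary):
    """Print a breakdown in the style of the diary: banner, count, share, flag."""
    for port in sorted(summary["per_port"]):
        total = summary["per_port"][port]
        print(f"TCP {port}: {total} probes")
        for banner, n in summary["banners"][port].most_common():
            flag = " [scanner]" if is_known_scanner(banner) else ""
            print(f"  {banner:<32} {n:>6} {share(n, total):>5}%{flag}")
    print(f"non-SSH payloads ignored: {summary['malformed']}")


if __name__ == "__main__":
    report(summarize(SAMPLE_LOG))
```

The identification string is the scanner's client banner, so it fingerprints the tooling hitting the honeypot; CVE-2018-10933 is a bypass in libssh's server-mode authentication state machine, which means a probe announcing libssh-0.6.3 is not itself a sign that the sensor can be exploited, only that the same vulnerable library family is popular in scanning tools. Feeding the script real records is a matter of replacing SAMPLE_LOG with the sensor's own export in the assumed four-field layout.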
I've been blocking these specific clients for a while; I don't think I've ever seen them be a legitimate user, only bots. Also zgrab, ssh2js, ganymed, jsch, and granados, to name a few more.
|
Anonymous, Mar 11th 2019