Last Updated: 2015-08-03 11:51:12 UTC
by Johannes Ullrich (Version: 1)
I am seeing some scanning for SSH servers on port 8080 in web server logs for web servers that listen on this port. So far, I don't see any scans like this for web servers listening on port 80. In web server logs, the scan is reflected as an "Invalid Method" (error 501) as the web server only sees the banner provided by the SSH client, and of course can not respond.
220.127.116.11 - - [03/Aug/2015:08:31:55 +0000] "SSH-2.0-libssh2_1.4.3" 501 303 "-" "-"
This IP address in this example is for now the most prolific source of these scans:
inetnum: 18.104.22.168 - 22.214.171.124 netname: CHINANET-JS descr: CHINANET jiangsu province network descr: China Telecom descr: A12,Xin-Jie-Kou-Wai Street descr: Beijing 100088 country: CN
With very frequent scans for SSH servers, users often move them to an alternative port. I am not aware of a common configuration moving them to port 8080, but it is certainly possible that this has become somewhat a common "escape" port.
Please let us know if you have any details to fill in. Any other sources for these scans? Any reason why someone would use port 8080 for an ssh server? If you use an alternative port, one more "random" would certainly be better, in particular if the port is not in default port lists (like the one used by nmap).
As usual, hiding your SSH server on an off-port is good. But you ceratinly should still use keys, not passwords, to authenticate and follow other best practices in configuring and maintaining your SSH server.