Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

ISC StormCast for Tuesday, August 4th 2015 http://isc.sans.edu/podcastdetail.html?id=4597

Your SSH Server On Port 8080 Is No Longer "Hidden" Or "Safe"

Published: 2015-08-03
Last Updated: 2015-08-03 11:51:12 UTC
by Johannes Ullrich (Version: 1)
4 comment(s)

I am seeing some scanning for SSH servers on port 8080 in web server logs for web servers that listen on this port. So far, I don't see any scans like this for web servers listening on port 80. In web server logs, the scan is reflected as an "Invalid Method" (error 501) as the web server only sees the banner provided by the SSH client, and of course can not respond.

For example:

222.186.21.180 - - [03/Aug/2015:08:31:55 +0000] "SSH-2.0-libssh2_1.4.3" 501 303 "-" "-"

This IP address in this example is for now the most prolific source of these scans:

inetnum:        222.184.0.0 - 222.191.255.255
netname:        CHINANET-JS
descr:          CHINANET jiangsu province network
descr:          China Telecom
descr:          A12,Xin-Jie-Kou-Wai Street
descr:          Beijing 100088
country:        CN

With very frequent scans for SSH servers, users often move them to an alternative port. I am not aware of a common configuration moving them to port 8080, but it is certainly possible that this has become somewhat a common "escape" port.

Please let us know if you have any details to fill in. Any other sources for these scans? Any reason why someone would use port 8080 for an ssh server? If you use an alternative port, one more "random" would certainly be better, in particular if the port is not in default port lists (like the one used by nmap).

As usual, hiding your SSH server on an off-port is good. But you ceratinly should still use keys, not passwords, to authenticate and follow other best practices in configuring and maintaining your SSH server.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords:
4 comment(s)
ISC StormCast for Monday, August 3rd 2015 http://isc.sans.edu/podcastdetail.html?id=4595

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Your Security Policy Is So Lame
2 days ago by Russell (2 comments)

Tech tip follow-up: Using the data Invoked with R's system command
3 days ago by Russ McRee (0 comments)

Tech tip: Invoke a system command in R
4 days ago by Russ McRee (0 comments)

Malicious spam continues to serve zip archives of javascript files
6 days ago by Brad Duncan (6 comments)

Android Stagefright multimedia viewer prone to remote exploitation
6 days ago by Rick (2 comments)

Guest Diary: Xavier Mertens - Integrating VirusTotal within ELK
6 days ago by Alex Stanford (2 comments)

froxlor Server Management Portal severe security issue
4 decades ago by Russ McRee (0 comments)

View All Diaries →

Latest Discussions

Systematic port scanning using a very set of IP addresses
created 1 week ago by RG (0 replies)

Fake BSOD used to scam end users
created 1 week ago by SSturby (0 replies)

Adobe releases Flash player 18.0.0.203 - addresses Flash vulnerability revealed in Hacking Team compromise
created 3 weeks ago by Brad Duncan (1 reply)

Can HPKP be used in persistent denial-of-service (DoS) attack on web sites?
created 4 weeks ago by Brad Duncan (0 replies)

Detecting lateral movement by NIDS/IPS (netcat or psexec)
created 1 month ago by DrGreen (2 replies)

View All Forums →

Latest News

View All News →