It seems that the new “thing” on the internet these days is port scanning for port 22 (aka SSH). I was going through my firewall logs on my home router and over the last week or so, it is broken down as follows:
| country | cnt |
|---|---|
| China | 2123 |
| Germany | 1827 |
| Italy | 1460 |
| United States | 1115 |
| Russian Federation | 838 |
| Korea, Republic of | 738 |
| Austria | 692 |
| Poland | 618 |
| Spain | 502 |
| Colombia | 453 |
| India | 441 |
| Czech Republic | 323 |
| Ecuador | 286 |
| Romania | 282 |
| Belgium | 256 |
| Chile | 228 |
| Panama | 201 |
| Pakistan | 199 |
| France | 198 |
| Argentina | 170 |
| Canada | 148 |
| Switzerland | 138 |
| Ukraine | 129 |
| Taiwan | 128 |
| Venezuela | 111 |
| Mexico | 111 |
| Denmark | 105 |
| Hungary | 101 |
| Slovenia | 87 |
| Brazil | 77 |
| Guatemala | 59 |
| Uruguay | 53 |
| Estonia | 50 |
| Croatia | 48 |
| Singapore | 36 |
| Australia | 32 |
| Portugal | 32 |
| Hong Kong | 29 |
| Greece | 25 |
| New Zealand | 24 |
| Ireland | 18 |
| Netherlands | 17 |
| Serbia | 15 |
| United Kingdom | 13 |
| South Africa | 12 |
| Malaysia | 9 |
| Thailand | 8 |
| Peru | 7 |
| Moldova, Republic of | 6 |
| Azerbaijan | 3 |
| Turkey | 2 |
| Malta | 1 |
| Total | 14585 |
As a comparison, attempts that were blocked that weren’t ssh only totaled 1430. So are these bot’s or people looking for rogue iPhone’s or just trying to find new vulnerabilities in SSH? The interesting thing is it appears that each source IP tries 3 times. The second try is 3 seconds after the first and the third is 6 seconds after the second.
An interesting IP is 217.70.139.42, which has tried 303 times since the 14th. The IP is from Germany and also appears on several SSH dictionary attacks. So is it time to start running services on non-standard ports?