> However, please consider adding our scanner (71.6.151.167) to your "whitelist". We are well-known cyber-sec researchers, we aren't trying anything nefarious or evil, and we are being as transparent as possible about our scans.
Sure and while we are at it I'll fetch the lube.
I don't complain about port 22 connections because none of my machines run anything on port 22 (I move SSH to a random port mostly to deter whatever is coming out of China this week).
Even if you do find the port you still have to get around the ssh keys (so unless you are the NSA (j/k)), you could try an exploit against ssh but as it doesn't report its version good luck with that and do try to avoid triggering fail2ban.
I'm not a systems administrator (I guess I'd be DevOps) but I know enough to know I don't know enough to disregard best practice.
People. Port knocking. Seriously. There are very few things that have come and gone in the almost 20 years that I have been securing systems and dealing with attacks, but port knocking is a substantive, Truly Good Thing.
Works for a lot of other ports too, but ssh is the obvious one.
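Port knocking as described in that comment, as an added example that is not from the thread or from any real knock daemon: a small Python model of the per-source state a knock daemon keeps before it opens sshd to a source, replayed over constructed traffic (a legitimate admin, a sequential port scanner, and a knocker that is too slow). The sequence 7000/8000/9000, the time windows and the non-default sshd port 2222 are assumptions.

```python
KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed secret sequence (hypothetical)
KNOCK_WINDOW = 10.0                   # seconds allowed to finish the sequence
OPEN_FOR = 30.0                       # seconds the SSH port stays open afterwards
SSH_PORT = 2222                       # assumed non-default sshd port (hypothetical)


class KnockTracker:
    """Per-source progress through the knock sequence, as a knock daemon keeps it."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW, open_for=OPEN_FOR):
        self.sequence, self.window, self.open_for = tuple(sequence), window, open_for
        self.progress = {}  # src ip -> (index of next expected knock, time of first knock)
        self.opened = {}    # src ip -> time the sequence was completed

    def observe(self, ts, src, port):
        """Feed one inbound SYN to a closed port; True if src just completed the sequence."""
        idx, started = self.progress.get(src, (0, ts))
        if idx and ts - started > self.window:
            idx, started = 0, ts          # too slow: start over
        if port != self.sequence[idx]:
            self.progress.pop(src, None)  # any stray port resets progress, so a
            return False                  # sequential scan never completes it
        idx += 1
        if idx == len(self.sequence):
            self.progress.pop(src, None)
            self.opened[src] = ts
            return True
        self.progress[src] = (idx, started)
        return False

    def allows(self, ts, src, port):
        """Firewall decision: only sources that knocked recently reach sshd."""
        return port == SSH_PORT and src in self.opened and ts - self.opened[src] <= self.open_for


# Constructed sample traffic: an admin, a sequential scanner, and a too-slow knocker.
SAMPLE_EVENTS = [
    (0.0, "198.51.100.7", 7000), (0.5, "198.51.100.7", 8000), (1.0, "198.51.100.7", 9000),
    (2.0, "203.0.113.9", 7000), (2.1, "203.0.113.9", 7001),
    (2.2, "203.0.113.9", 8000), (2.3, "203.0.113.9", 9000),
    (5.0, "192.0.2.4", 7000), (20.0, "192.0.2.4", 8000), (20.5, "192.0.2.4", 9000),
]


def run(events):
    """Replay events; return the tracker and the set of sources that completed the knock."""
    tracker = KnockTracker()
    done = {src for ts, src, port in events if tracker.observe(ts, src, port)}
    return tracker, done


if __name__ == "__main__":
    tracker, done = run(SAMPLE_EVENTS)
    print("opened for:", sorted(done))  # prints "opened for: ['198.51.100.7']"
```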
Why do people think it's worthwhile to file abuse complaints about port 22 connections? If I wanted to file a complaint about every random connection to port 22 on one of my machines, it would be a full time job...
> Yesterday (Sept. 12) we scanned the entire Internet for port 22
> … result of 1,730,887 systems on the Internet … (Note: this is actually only 60% of the Internet
So there are only 2,884,811-ish machines on the internet?
OpenSSH 4.3 is likely the most popular because it is the version that comes with (redhat|centos|scientific|oracle) linux 5. It's still widely in use. 4.3 had a lot of bugs, but redhat has been backporting fixes to it since it came out.
I used to run SSH over some port != 22, does the trick to some degree.
After I picked up a Cisco ASA, went back to standard port 22 but only allow access for connected VPN users.
Of course if the ASA goes down, so does the entire network, yelp. SmartNET contract/warranty comes in handy, and the data center having backup ASAs on site for quick swap is pretty useful as well.
I run a VPS that is only accessible over IPv6. I wonder if they'll ever scan it. Is there a way to narrow down the whole IPv6 search space to the most populated subranges?
I'm on a phone with shitty wifi atm so looking at the code would be hard to say the least. However, I am curious, how do you deal with packet loss?
The reason I'm asking is because, most people who claim to "scan the Internet" assume that the network is reliable. And they don't follow up on potential false negatives. If you scan the IPv4 address-space sequentially while only limiting bandwidth or time, rest assured that packets will be dropped.
if you're curious about your server keys:
<pre><code>cd /etc/ssh
# print the fingerprint of every public host key in /etc/ssh
for pub in *.pub; do ssh-keygen -l -f "$pub"; done
</code></pre>
[edit: sorry; thought no-one had replied. earlier i asked what i should worry about in ssh config. edit2: actually, i am using fail2ban.]
Reading through the source code, there's actually a reasonably well used goto (https://github.com/robertdavidgraham/masscan/blob/master/src/main-throttle.c)
If they are only hitting port 22 a few times, who's wasting the ISP's time with abuse requests... I suppose it's probably those guys with Class-A blocks and too much time on their hands.