Comment by AndrewStephens
12 days ago
This is great. I run a server for my blog and can confirm idiotic bots continually hammer port 22. Sometimes I check my SSH logs just to see what is going on but I’ve never detected anything cleverer than trying common username/pw combinations.
It seems a little pointless, surely every server actually accepting SSH passwords has been 0wned year ago.
Even on a random port (well I picked port ___22) I get random SSH attempts.
My solution is convoluted: On my NAS I have a PHP form that accepts a password, when it's correct, set a flag (in the form of touching a file), and every minute a cronjob runs a bash script to check for the existence of the file: if it exists, then run a python script to talk UPnP to my home router to tell it to forward port ___22 to my NAS' port 22.
Hmm, probably running a VPN server, like WireGuard, makes more sense..
I have gotten what looks like SSH, TLS, HTTP, and other things, on various ports.
Another possible way would be port knocking. (I had previously set up port knocking on my HTTP server, but there seems to be a bug in the kernel (or in some driver) that prevents it from working correctly, so now the HTTP is not available. Using port knocking to restrict access to HTTP is probably not common, and might prevent your solution from being used if the form uses HTTP.)
I just disable SSH passwords and force using a certificate, which should be immune to bots barring some horrible unknown flaw in the ssh daemon.
Running over a VPN service would have the much the same effect.
I know, at some level, it seems crazy that the bots are spending so much time on this. However, there are plenty of machines on the Internet, and presumably most of these bots' machines were captured using this same technique.