What is your most abused port?
impossiblystupid
Member
After seeing yet another provider slapping a blanket ban on port 25, I got to wondering what the stats were on the incoming abuse that I saw. I handily have my fail2ban logs from all of 2016, so I can report (seems LET Markdown isn't happy about tables, so):
port | percentage
----: | :----------
22 | 59.86
25 | 17.21
80+443 | 22.93
Seems to me that a provider serious about playing nice would be more restrictive of outgoing ssh connections. Does anybody have similar stats that show email is still a serious form of abuse?
Comments
port 80 and 22
21/22/80
3306
Incoming it's ssh; however, outgoing would be 25.
My "possible double entendres" meter is pegged.
Incoming? 22.
I'm at the point that I'm just going to move ssh from port 22. You move it higher than 1k, and the automated scanners/trivial script kiddies tend to go away. Port 32767 works well.
Which is the 'stoma' port?
It's basically one of the first things I do. Move ssh from port 22 to a different one. Practically never get failed login attempts.
Yeah, but setting up PF or installing fail2ban/sshguard gives you an excuse for it to be idling, because it isn't just idling... or something.
I would say port 80 because of all the attacks I've gotten over the years. And next would probably be 3306.
22 but I pretty much change my port 99.9% of the time on whatever I run.
In our network, the most abused ports are:
21 - ftp / 22 - ssh / 23 - telnet / 80/443 - http / 3389 - remote desktop / 1080 - socks / 3728 - squid proxy
We receive around 25K+ port connection events per day from unauthorized addresses that the customers aren't expecting. (We catch all of it through sFlow sampling.)
I thought so when I posted, too, but Nekki is busy on the cert thread.
I don't change default ports on any of my services because I want to be able to know which networks are coming in looking to abuse me. I get that not everybody cares about that, but I'm always on the lookout for patterns that warrant a larger /16 or even /8 ban.
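An added example, not part of the thread and not any poster's code: a short Python script that turns fail2ban "Ban" lines into the per-port percentages the OP reports, and also groups banned addresses by /16 (or any prefix length) to surface the kind of network-range pattern this comment describes. The log lines are constructed sample data in fail2ban's default log format; the jail-to-port map assumes Debian-style jail names (sshd, postfix, apache-auth), which the thread itself does not name.

```python
"""Per-port ban percentages and /16 hot-spot aggregation from fail2ban logs."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines (not real data) in fail2ban's default log format:
# "<timestamp> fail2ban.actions [pid]: NOTICE [jail] Ban <ip>".
SAMPLE_LOG = """\
2016-03-01 02:11:09,013 fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.113.7
2016-03-01 02:14:51,551 fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.113.99
2016-03-01 03:02:44,101 fail2ban.actions [812]: NOTICE [postfix] Ban 198.51.100.4
2016-03-01 03:40:12,770 fail2ban.actions [812]: NOTICE [apache-auth] Ban 192.0.2.33
2016-03-01 04:15:30,000 fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.113.200
2016-03-01 04:16:02,233 fail2ban.actions [812]: NOTICE [sshd] Unban 203.0.113.7
2016-03-01 05:00:00,000 fail2ban.filter [812]: INFO [sshd] Found 203.0.113.7
2016-03-01 05:30:10,456 fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.113.7
"""

# Assumed jail names -> port label. Adjust to match your own jail.local;
# unknown jails fall through and are reported under their jail name.
JAIL_PORTS = {
    "sshd": "22",
    "postfix": "25",
    "apache-auth": "80+443",
}

# Only real "Ban" actions count: "Unban", "Found" and "Restore Ban" lines
# (the latter appear on newer fail2ban restarts) deliberately do not match.
BAN_RE = re.compile(r"NOTICE\s+\[(?P<jail>[\w-]+)\]\s+Ban\s+(?P<ip>\S+)$")


def parse_bans(lines):
    """Yield (jail, ip) for each Ban event in the given log lines."""
    for line in lines:
        m = BAN_RE.search(line.rstrip())
        if m:
            yield m.group("jail"), m.group("ip")


def port_percentages(lines):
    """Share of ban events per port label, rounded to two decimals."""
    counts = Counter(JAIL_PORTS.get(jail, jail) for jail, _ in parse_bans(lines))
    total = sum(counts.values())
    if total == 0:
        return {}
    return {port: round(100.0 * n / total, 2) for port, n in counts.items()}


def hot_prefixes(lines, prefixlen=16, min_hosts=2):
    """Distinct banned IPv4 hosts per /prefixlen, keeping ranges at or above min_hosts.

    Counting distinct hosts rather than ban events keeps one persistent
    offender from making its whole /16 look like a hostile network.
    """
    hosts = {ip for _, ip in parse_bans(lines) if ip_address(ip).version == 4}
    nets = Counter(ip_network(f"{ip}/{prefixlen}", strict=False) for ip in hosts)
    return {str(net): n for net, n in nets.items() if n >= min_hosts}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for port, pct in sorted(port_percentages(lines).items()):
        print(f"{port:>8} | {pct:6.2f}")
    for net, n in hot_prefixes(lines).items():
        print(f"{net}: {n} distinct banned hosts")
```

Point it at `/var/log/fail2ban.log*` (gzip rotations included) to reproduce the OP's table for your own box; raising `prefixlen` to 8 answers the "/8 ban" question, and `min_hosts` is the threshold below which a range is just one noisy host.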
I used to do this too, but upon further investigation it turned out that a lot of IPs I would ban were being spoofed anyway so it was somewhat pointless for me.
Spoofing does not work that way at the service level.
If you preemptively block third world countries, it takes it down about 98%.
Funny how times change. When I talked about changing ssh away from 22 a year or two ago I was ridiculed and told "security by obscurity is no security". But of course it worked nicely.
Today I see quite a few of my former "smart wannabe teachers" happily telling how they changed away from 22 ...
As for 3306 - people using mysql and then on a public port should have their servers be brought down, hehe.
I see some abuse from less developed countries, but China, Russia, Ukraine, and South Korea are the only 4 that have hit me so much that I have considered pre-banning all their IP addresses. Still, I can't bring myself to cut off anyone until they try to start some shit. If that line gets crossed, though, I'm more than happy to drop a whole /8 into the firewall if it looks like a poorly managed network range.
Ahem.
My bumhole.
Seriously though, all my fail2ban logs are empty, so apparently no-one knows my servers exist.
@Nekki
Is your sister blind? I'm asking because my experiences with non-blind women are rather unpleasant.
Alternatively: Does your sister like men with bags over their head?
The old slag ain't fussy, tbh.
Using cert login, and most incoming traffic is proxied.
My server lives in an isolated world.
I usually change (like others, it seems) the SSH port to avoid all that noise, and sometimes I drop traffic for that port in iptables (raw table)... on one pretty exposed VPS I checked a few moments ago it dropped 331K pkts this January alone (~33M bytes). Offending IPs are almost invariably Chinese/Taiwanese, Russian/Ukrainian or Brazilian; sometimes from South Korea. There are some offending servers from Eastern Europe as well (Romania and Bulgaria). Using the "recent" module I keep dropping them for a while (since they almost invariably keep hitting ports 20-25 plus many others like 3306, 3389 and ports known to be used by some malware). If they keep hitting for hours they are logged separately, and on manual inspection I may block the entire AS number (usually, it's a Chinese one). For ports 80 and 443 SYNPROXY (among other things) works well. Other IPs are dropped with ipset, in a firehol (but a little different) fashion.