Your SSH Server On Port 8080 Is No Longer "Hidden" Or "Safe"

Published: 2015-08-03. Last Updated: 2015-08-03 11:51:12 UTC
by Johannes Ullrich (Version: 1)
5 comment(s)

I am seeing some scanning for SSH servers on port 8080 in the logs of web servers that listen on this port. So far, I don't see any scans like this against web servers listening on port 80. In the web server logs, the scan shows up as an "Invalid Method" (error 501): the web server only sees the version banner sent by the SSH client, and of course cannot respond to it.

For example:

222.186.21.180 - - [03/Aug/2015:08:31:55 +0000] "SSH-2.0-libssh2_1.4.3" 501 303 "-" "-"

This IP address in this example is for now the most prolific source of these scans:

inetnum:        222.184.0.0 - 222.191.255.255
netname:        CHINANET-JS
descr:          CHINANET jiangsu province network
descr:          China Telecom
descr:          A12,Xin-Jie-Kou-Wai Street
descr:          Beijing 100088
country:        CN
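The 501 entries described above are easy to pick out of a combined-format access log because the "request" field contains an SSH client version banner instead of an HTTP request line. The following script is an added example, not part of the diary: it parses combined log lines, flags entries whose request field starts with an SSH banner, and tallies them by source address. The sample log is constructed (the first line is the diary's own example; the other addresses and entries are made up for illustration).

```python
import re
from collections import Counter

# Apache/nginx "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# An SSH client opens the connection with a banner of the form
# SSH-<protocol>-<software>; a web server that receives one logs it as the request.
SSH_BANNER_RE = re.compile(r'^SSH-(?P<proto>\d\.\d{1,2})-(?P<software>\S+)')


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def ssh_probe(entry):
    """Return (client_software, http_status) if the request field is an SSH banner, else None."""
    m = SSH_BANNER_RE.match(entry["request"])
    if not m:
        return None
    return m.group("software"), int(entry["status"])


def find_ssh_probes(lines):
    """Return a list of (source_ip, client_software, http_status) for SSH banners seen on the web port."""
    probes = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        hit = ssh_probe(entry)
        if hit:
            probes.append((entry["host"], hit[0], hit[1]))
    return probes


def top_sources(probes):
    """Rank source addresses by number of SSH probes, most active first."""
    return Counter(host for host, _, _ in probes).most_common()


# Constructed sample log: the diary's line, plus made-up normal traffic and a
# second made-up probe from a documentation-range address.
SAMPLE_LOG = """\
222.186.21.180 - - [03/Aug/2015:08:31:55 +0000] "SSH-2.0-libssh2_1.4.3" 501 303 "-" "-"
198.51.100.7 - - [03/Aug/2015:08:32:10 +0000] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
222.186.21.180 - - [03/Aug/2015:08:33:02 +0000] "SSH-2.0-libssh2_1.4.3" 501 303 "-" "-"
203.0.113.9 - - [03/Aug/2015:08:35:41 +0000] "SSH-2.0-OpenSSH_6.6" 501 303 "-" "-"
198.51.100.7 - - [03/Aug/2015:08:36:00 +0000] "GET /manager/html HTTP/1.1" 404 209 "-" "curl/7.43.0"
""".splitlines()

if __name__ == "__main__":
    probes = find_ssh_probes(SAMPLE_LOG)
    for host, software, status in probes:
        print(f"{host}\tSSH client {software}\tHTTP {status}")
    print("top sources:", top_sources(probes))
```

Run against a real access log, `find_ssh_probes(open("access.log"))` gives the same tuples; matching on the banner rather than on the 501 status alone avoids counting other malformed requests that also produce "Invalid Method".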

With SSH servers being scanned so frequently, users often move them to an alternative port. I am not aware of a common configuration that moves them to port 8080, but it is certainly possible that this has become a somewhat common "escape" port.

Please let us know if you have any details to fill in. Any other sources for these scans? Any reason why someone would use port 8080 for an SSH server? If you use an alternative port, a more "random" one would certainly be better, in particular one that is not in default port lists (like the one used by nmap).

As usual, hiding your SSH server on an off-port is fine. But you certainly should still use keys, not passwords, to authenticate, and follow the other best practices for configuring and maintaining your SSH server.
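Moving the port does nothing for authentication, which is the point of the last paragraph. The following script is an added example, not part of the diary: it parses an OpenSSH sshd_config the way sshd reads it (first occurrence of a directive wins, comments dropped, Match blocks excluded from the global view) and reports directives that are unset or outside the values that match the advice above. The "weak" and "hardened" configurations are constructed; the directive names are OpenSSH's, and which ones count as "best practice" here is my assumption.

```python
import re

# Global directives the advice maps onto, with the values considered acceptable
# (lowercased, as values are compared case-insensitively).
ACCEPTABLE = {
    "pubkeyauthentication": {"yes"},
    "passwordauthentication": {"no"},
    "challengeresponseauthentication": {"no"},
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
}


def parse_sshd_config(text):
    """Return the effective global directives as {lowercased key: lowercased value}.

    sshd honours the first occurrence of a directive, so duplicates are ignored,
    and everything after the first Match line is conditional, so parsing stops there.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.lower().startswith("match"):
            break
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        directives.setdefault(key, value)
    return directives


def audit_sshd_config(text):
    """Return (directive, found_value) pairs for settings that are unset or not acceptable.

    An unset directive is reported as (directive, None): the daemon's default
    then applies, and defaults have changed between OpenSSH releases, so set it explicitly.
    """
    cfg = parse_sshd_config(text)
    findings = []
    for key, ok_values in ACCEPTABLE.items():
        found = cfg.get(key)
        if found is None or found not in ok_values:
            findings.append((key, found))
    return findings


# Constructed weak configuration: moved to 8080 but still password-based.
WEAK_CONFIG = """\
Port 8080
PermitRootLogin yes
PasswordAuthentication yes
# PubkeyAuthentication not set, so the daemon default applies
"""

# Constructed hardened configuration following the diary's closing advice.
HARDENED_CONFIG = """\
Port 8080
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
Match Address 192.0.2.0/24
    AllowTcpForwarding no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sshd_config(cfg)
        print(f"{name}: {'ok' if not findings else findings}")
```

On a live host, feed the script the output of `sshd -T` rather than the raw file, since that prints the fully resolved configuration with defaults filled in; the parser above handles that format as well because it is plain "key value" lines.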

---
Johannes B. Ullrich, Ph.D.


Comments

Could this be just that, a misconfiguration of a port scanner ?

Why one would run it on 8080 is arguable since it could be used to mask the presence of this service. AFAIK it is most often used by Java Application Servers or a proxy service. Hence it would make sense to have it listen there if one wants to build an encrypted gateway out of the network.
I started running SSH on 443 mostly because of a hotel I was staying at that blocked port 22 outbound.
You will find that ISPs in some countries, universities and even some hotels will block outbound traffic to port 22, but will allow TCP traffic to port 80, 8080, 443, etc. Usually this occurs on guest wifi networks.

So some organizations that use SSH have gone to using some of these ports for SSH servers. This is not an effort to hide the servers but as a method to get past overly restrictive firewall policies that their remote users may run into.

Just google "hotel blocks ssh" and you will find that it's a common occurrence and there are tons of articles talking about running SSH on other ports.
If I want to hide my SSH instances, I would use port knocking.

Or specifically: fwknop.
I can't offer much in the way of details but I'm seeing it too. Currently DPT 8080 is the second highest ranking DPT on my honeypot with 1,040 hits in the last 30 days. I've got 19 hits from hosts in 222.186.0.0/16 with the first in the middle of July, along with standard ports (1433, 3306 etc) as well as other SSH 'looking' ports (2222, 2222 and 222 all appear in the top 10 by hits from this range). I'm now seeing repeat hits from IPs in the range, interestingly with the same SPT (6000). I'm not seeing much in the way of corresponding web requests from IPs in the same range, just two "GET /manager/html HTTP1/1.1".
