Your SSH Server On Port 8080 Is No Longer "Hidden" Or "Safe"
I am seeing some scanning for SSH servers on port 8080 in web server logs for web servers that listen on this port. So far, I don't see any scans like this for web servers listening on port 80. In web server logs, the scan is reflected as an "Invalid Method" (error 501) as the web server only sees the banner provided by the SSH client, and of course can not respond.
For example:
222.186.21.180 - - [03/Aug/2015:08:31:55 +0000] "SSH-2.0-libssh2_1.4.3" 501 303 "-" "-"
This IP address in this example is for now the most prolific source of these scans:
inetnum: 222.184.0.0 - 222.191.255.255 netname: CHINANET-JS descr: CHINANET jiangsu province network descr: China Telecom descr: A12,Xin-Jie-Kou-Wai Street descr: Beijing 100088 country: CN
With very frequent scans for SSH servers, users often move them to an alternative port. I am not aware of a common configuration moving them to port 8080, but it is certainly possible that this has become somewhat a common "escape" port.
Please let us know if you have any details to fill in. Any other sources for these scans? Any reason why someone would use port 8080 for an ssh server? If you use an alternative port, one more "random" would certainly be better, in particular if the port is not in default port lists (like the one used by nmap).
As usual, hiding your SSH server on an off-port is good. But you ceratinly should still use keys, not passwords, to authenticate and follow other best practices in configuring and maintaining your SSH server.
Application Security: Securing Web Apps, APIs, and Microservices | Washington | Dec 13th - Dec 18th 2024 |
Comments
Why one would run it on 8080 is arguable since it could be used to mask the presence of this service. AFAIK it is most often used by Java Application Servers or a proxy service. Hence it would make sense to have it listen there if one wants to build an encrypted gateway out of the network.
Anonymous
Aug 3rd 2015
9 years ago
Anonymous
Aug 3rd 2015
9 years ago
So some organizations that use SSH have gone to using some of these ports for SSH servers. This is not an effort to hide the servers but as a method to get past overly restrictive firewall policies that their remote users may run into.
Just google on "hotel blocks ssh" and you will find that its a common occurrence and there are tons of articles talking about running SSH on other ports.
Anonymous
Aug 3rd 2015
9 years ago
Or specifically: fwknop.
Anonymous
Aug 3rd 2015
9 years ago
Anonymous
Aug 4th 2015
9 years ago