SSH abuse on port 22
I host a server behind my router and have port 22 forwarded so that I can SSH to the server. I noticed a couple days ago that I couldn't connect and after some troubleshooting decided to look at the router log.
I noticed a large number of log entries like this:
[LAN access from remote] from [IP AND PORT] 192.168.1.230:22
I took my server offline and removed all forwarded ports.
I then reviewed the logs again and it contained no entries like above, just the usual Chargen, RST Scans, etc... which from what I've read are pretty normal.
To test if the issue would reappear, I forwarded a port to a machine that doesn't exist on my local network and reviewed the logs again just shortly after setting it up. The result was that entries like the one above started showing up again from a variety of different addresses and ports. I have removed the addresses from here, but some of the same ones keep showing up:
[LAN access from remote] from [IP AND PORT] 192.168.1.242:22, Wednesday, October 31,2018 11:58:06
[LAN access from remote] from [IP AND PORT] 192.168.1.242:22, Wednesday, October 31,2018 11:58:06
[LAN access from remote] from [IP AND PORT] 192.168.1.242:22, Wednesday, October 31,2018 11:42:08
[DoS Attack: TCP/UDP Chargen] from source: [IP], port [PORT], Wednesday, October 31,2018 11:35:07
[LAN access from remote] from [IP AND PORT] 192.168.1.242:22, Wednesday, October 31,2018 11:34:20
[LAN access from remote] from [IP AND PORT] 192.168.1.242:22, Wednesday, October 31,2018 11:26:09
[LAN access from remote] from [IP AND PORT] 192.168.1.242:22, Wednesday, October 31,2018 11:16:27
[LAN access from remote] from [IP AND PORT] 192.168.1.242:22, Wednesday, October 31,2018 11:12:18
[LAN access from remote] from [IP AND PORT] 192.168.1.242:22, Wednesday, October 31,2018 11:08:46
[LAN access from remote] from [IP AND PORT] 192.168.1.242:22, Wednesday, October 31,2018 11:08:23
[LAN access from remote] from [IP AND PORT] 192.168.1.242:22, Wednesday, October 31,2018 11:06:34
[LAN access from remote] from [IP AND PORT] 192.168.1.242:22, Wednesday, October 31,2018 11:06:20
[LAN access from remote] from [IP AND PORT] 192.168.1.242:22, Wednesday, October 31,2018 11:01:49
[LAN access from remote] from [IP AND PORT] 192.168.1.242:22, Wednesday, October 31,2018 10:56:17
[LAN access from remote] from [IP AND PORT] 192.168.1.242:22, Wednesday, October 31,2018 10:49:53
[LAN access from remote] from [IP AND PORT] 192.168.1.242:22, Wednesday, October 31,2018 10:43:19
[LAN access from remote] from [IP AND PORT] 192.168.1.242:22, Wednesday, October 31,2018 10:39:00
[LAN access from remote] from [IP AND PORT] 192.168.1.242:22, Wednesday, October 31,2018 10:38:01
[LAN access from remote] from [IP AND PORT] 192.168.1.242:22, Wednesday, October 31,2018 10:36:01
So I have a few questions:
- Is this normal for networks that have port 22 open for SSH?
- Is it likely someone is targeting my network or machine?
- Could this open port have been discovered via a port scan?
- Is it likely this is the reason I couldn't connect to my server?
- If so, are there steps I can take to block this kind of activity?
Accepted Solutions
> I host a server behind my router and have port 22 forwarded so that I
> can SSH to the server. [...]
You need to forward _some_ external port to port 22 on your server.
Using some external port other than 22 for that might amaze you by the
drop in the number of unwanted connection attempts you'll see.
> Is this normal for networks that have port 22 open for SSH?
That's been my experience.
> Is it likely someone is targeting my network or machine?
It's likely that many ones are trying every network on the Internet.
> Could this open port have been discovered via a port scan?
Sure, but many/most such attacks simply try port 22.
> Is it likely this is the reason I couldn't connect to my server?
I know nothing about that problem.
Years ago, I tried using external port 22. Big mistake. Complaining
to ISPs of offenders could easily be a full-time (unpaid) occupation.
Moved to external port 22 + N * 100, and get a few attempts per year.
"-p <port_number>" is your friend.
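
The router-log triage discussed in this thread, as an added example that is not part of either post: a Python sketch that tallies the "LAN access from remote" entries by forwarded target, source host and hour, so the log can be compared before and after moving the external port. The sample lines and their source addresses are constructed, and the " to" separator in unredacted lines is an assumption, since the quoted log has that field removed.

```python
import re
from collections import Counter
from datetime import datetime

# Matches the "[LAN access from remote]" entries quoted in the post. The source
# may be the post's redacted "[IP AND PORT]" placeholder or a real ip:port;
# the " to" separator is optional (assumed form; the quoted lines omit it).
ENTRY = re.compile(
    r"\[LAN access from remote\] from "
    r"(?P<src>\[IP AND PORT\]|\d{1,3}(?:\.\d{1,3}){3}:\d+)"
    r"(?: to)? (?P<dst>\d{1,3}(?:\.\d{1,3}){3}:\d+), "
    r"\w+, (?P<ts>\w+ \d{1,2},\s?\d{4} \d{2}:\d{2}:\d{2})"
)

# Constructed sample: sources are RFC 5737 documentation addresses, not real hosts.
SAMPLE_LOG = (
    "[LAN access from remote] from 203.0.113.7:40112 to 192.168.1.242:22, Wednesday, October 31,2018 11:58:06\n"
    "[LAN access from remote] from 198.51.100.23:51514 to 192.168.1.242:22, Wednesday, October 31,2018 11:42:08\n"
    "[DoS Attack: TCP/UDP Chargen] from source: 192.0.2.99, port 4500, Wednesday, October 31,2018 11:35:07\n"
    "[LAN access from remote] from 203.0.113.7:40377 to 192.168.1.242:22, Wednesday, October 31,2018 11:34:20\n"
    "[LAN access from remote] from 203.0.113.7:41002 to 192.168.1.242:22, Wednesday, October 31,2018 10:56:17\n"
    "[LAN access from remote] from [IP AND PORT] 192.168.1.242:22, Wednesday, October 31,2018 10:36:01\n"
)


def summarize(log_text, repeat_threshold=2):
    """Tally forwarded-port hits by target, source host and hour."""
    by_target, by_source, by_hour = Counter(), Counter(), Counter()
    # finditer over the whole text also copes with entries pasted onto one line.
    for m in ENTRY.finditer(log_text):
        when = datetime.strptime(m["ts"].replace(", ", ","), "%B %d,%Y %H:%M:%S")
        by_target[m["dst"]] += 1
        by_hour[when.strftime("%Y-%m-%d %H:00")] += 1
        if m["src"] != "[IP AND PORT]":  # redacted sources cannot be tallied
            by_source[m["src"].rsplit(":", 1)[0]] += 1
    repeats = {ip: n for ip, n in by_source.items() if n >= repeat_threshold}
    return {"total": sum(by_target.values()), "by_target": dict(by_target),
            "by_hour": dict(by_hour), "repeat_sources": repeats}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```
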