When I first got into self hosting, I originally wanted to join the Fediverse by hosting my own instance. After realizing I am not that committed to that idea, I went into a simpler direction.
Originally I was using Cloudflare’s tunnel service. Watching the logs, I would get traffic from random corporations and places.
Being uncomfortable with Cloudflare after pivoting away from social media, I learned how to secure my device myself and started using an uncommon port with a reverse proxy. My logs now only ever show activity when I am connecting to my own site.
Which is what lead me to this question.
What do bots and scrapers look for when they come to a site? Do they mainly target known ports like 80 or 22 for insecurities? Do they ever scan other ports looking for other common services that may be insecure? Is it even worth their time scanning for open ports?
Seeing as I am tiny and obscure, I most likely won’t need to do much research into protecting myself from such threats but I am still curious about the threats that bots pose to other self-hosters or larger platforms.
You must log in or # to comment.
Read up on shodan.io. bot networks and scrapers can use the database as a seed to find open ports.
The cli massscan can (under reasonable conditions) scan the the entire ipv4 address space for a single port in 3 minutes. It would take an estimated 74 years for massscan to scan all 64k ports for the entire ipv4 network.
So, using a seed like shodan, can compliment scanners/scrapers to isolate ip addresses to further recon.
I honestly don’t know if this helps your question, I don’t actually know how services in general deal with nonstandard ports, but I’ve written a lot of scanning agents (not ai, old school agents) to recon for red/blue teams. I never started with raw internet guesses, I always used a seed. Shodan, or other scan results.
You can meaningfully portscan the entire internet in a trivial amount of time. Security by obscurity doesn’t work. You just get blindsided. Switching to a non-standard port cleans the logs up because most of the background noise targets standard ports.
It sounds like you’re doing alright so far. Trying not to get got is only part of the puzzle though. You also ought to have a backup and recovery strategy (one tactic is not a strategy). Figuring out how to turn worst-case scenarios into solvable annoyances instead of apocalypse is another (and almost equally as important). If you’re trying to increase your resiliency, and if your Disaster Recovery isn’t fully baked yet, then I’d toss effort that way.
Exactly. Using nonstandard ports will clean up the logs a bit though, but an actual attacker doesn’t care what ports you use.
Yes, they do. Most just search the common ports, but some scan all.
Being tiny and obscure doesn’t mean they won’t find you, it might just take longer.
There is no hiding in that sense. Bots will scan all IPs on all ports over time.
Will it be less on nonstandard ports? Likely. Will it matter? Not really, the attack vectors would be exactly the same.
Secure your systems and running on default or nonstandard ports won’t be an issue.
Given enough time, yes. Just look at shodan.
There are a few very simple things that don’t improve security per se but help break the onslaught. One of them would be to not use standard ports for ssh etc. Another could be to use non-standard usernames (not “admin”). Or rename URLs from the standard “admin.php” or “/contact” to something else.
When I used to have SSH on a nonstandard port, I got login failures from bots. It really depends on the bot and how aggressive they have set it up.
Moving your port over to a nonstandard one is not a solution (unless the problem you experience is too many logs from sshd, and even then, logrotate exists), its security by obscurity which doesn’t really solve anything at all. Only way your server will be safe is by ensuring the packages on your server are up to date and that you harden it to the point where it isn’t too much of nuisance.
Some attackers check services that have already cataloged the services you are running, even on uncommon ports. You won’t hear from them unless you are running a potentially vulnerable service.
