We’re always told that the internet is a very dangerous place, but that is a very abstract threat. I have often found myself in a position where I tell people that the internet is dangerous, but I have no real data to back this up.
Therefore, my latest project was a deep dive into trying to figure out, for myself, how likely I was to get attacked if I had a server open to the internet. I know that it’s not a matter of ‘if’, but of ‘when’, but I wanted to quantify the ‘when’ as well as the ‘what’.
The Plan
My plan has 3 phases. Generally, I am going to use an SSH (Secure Shell) server to act as a honeypot to lure in attackers. SSH is the black terminal window that people associate with Linux (and Jurassic Park).
An SSH server usually listens on port 22, and when you log into a Linux server, you're often using it.
So my plan is:
- Determine the general external threat: what is my router blocking?
- Determine the time it takes for a slightly hidden server that has an ssh port forwarded to it to come under direct attack
- Profile the attack on ssh to see how the attack takes place.
Phase 1: External Threats
To find out what was happening outside my router, I set my router to log all blocks, and ship them to my new logging system. After some complex configuration (that I'll write about in a more technical article), it lands in an Elasticsearch store, and I built a nice dashboard in Kibana.
Here is what I found. The data is from yesterday, January 4th 2019:
Yesterday, my external dashboard reported 4,853 separate blocks to my external firewall interface, from 76 countries. Obviously, this is alarming. Half of the world’s countries attacked me personally yesterday. Half. Think about that. The internet as I mentioned before, is a free-for-all, and many, many people are gunning for you.
Where Are The Attacks Coming From?
I used Elasticsearch's feature for mapping IP addresses to locations on the IP addresses that are attacking me, and here is a map of where the attacks are coming from.
As you can see, there are many countries (including my own) that are constantly probing my external IP Address. Some are very, very egregious, and I think that pretty much all of them are trying to hack into my home network.
As you can see, there are a variety of countries with more tolerant legal restrictions on this sort of thing, countries where the line between government and hacker is blurred, and countries that are actively involved in hacking the US. Either way, it's important to realize that they aren't trying to hack 'the country'. They are trying to hack YOU.
What Are they Attacking?
Every server on the internet can have between 0 and 65535 ports open, and each port is generally used for one thing. A firewall will prohibit or allow certain port traffic from reaching your server. Each service (a thing a server does) tends to use a standard port. Below you’ll see the breakdown of ports that are being scanned.
I think that there is very likely a correlation between the ports being scanned and their likelihood of being open. Thus, this chart tells us two things: there are still lots of people doing very dangerous things on the internet, and most of these can be very easily remediated.
The first one is port 23. Port 23 is used by the Telnet protocol, a very old (1969) protocol for un-encrypted logins to Linux and Unix servers. It's still in use, but you should not use it. Often, the older the protocol, the more likely it's running on an old or forgotten machine, and is a huge security vulnerability.
The next one, port 1433, is pretty awesome (in a bad way). It’s Microsoft SQL server, and since it’s being scanned, you know there are companies that have SQL server open to the internet. For the homeowner with a network, this is irrelevant; you probably don’t have this. But the suggestion is that there are still companies out there where you can plug directly into their databases from the internet. You read about this in the news, it ends poorly.
Port 8545 is where you can witness attempted crime in progress. 8545 is used by Ethereum clients that are exposed inadvertently to the internet. What is happening with these scans is that hackers are trying to connect to other people's Ethereum wallets and steal their cryptocurrency. You also read about this in the news.
You can google the rest of the ports if you’d like. It paints a scary picture.
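As an added example (not from the original post), here is a small Python script that does the same aggregation as the Kibana dashboard described above: it parses router DROP lines and reports the total blocks, the number of source countries and the most-scanned destination ports with their well-known service. The netfilter-style log format, the sample lines and the tiny GeoIP lookup table are constructed stand-ins.

```python
# Added example: aggregate router firewall block logs the way the dashboard does:
# total blocks, number of source countries, and the most-scanned ports.
from collections import Counter
import re

# Constructed sample lines in iptables/netfilter syslog style (the real router's
# log format is an assumption for this example). The ACCEPT line is noise to skip.
SAMPLE_LOG = """\
Jan  4 00:01:12 router kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=41022 DPT=23
Jan  4 00:02:30 router kernel: DROP IN=eth0 SRC=198.18.0.9 DST=198.51.100.2 PROTO=TCP SPT=50111 DPT=1433
Jan  4 00:03:05 router kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=41023 DPT=8545
Jan  4 00:04:51 router kernel: DROP IN=eth0 SRC=192.0.2.44 DST=198.51.100.2 PROTO=TCP SPT=33000 DPT=23
Jan  4 00:05:10 router kernel: DROP IN=eth0 SRC=192.0.2.44 DST=198.51.100.2 PROTO=UDP SPT=33001 DPT=5060
Jan  4 00:06:42 router kernel: ACCEPT IN=eth0 SRC=192.0.2.44 DST=198.51.100.2 PROTO=TCP SPT=33002 DPT=443
"""

# Constructed stand-in for a GeoIP database; use a real GeoIP source in practice.
GEOIP = {"203.0.113.7": "US", "198.18.0.9": "CN", "192.0.2.44": "SC"}

# Well-known services for the ports the post discusses.
PORT_SERVICE = {23: "telnet", 1433: "mssql", 8545: "ethereum-rpc", 22: "ssh"}

LINE_RE = re.compile(
    r"\bDROP\b.*?SRC=(?P<src>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)"
)


def parse_blocks(log_text):
    """Return a list of (src_ip, proto, dst_port) for each DROP line."""
    blocks = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:  # ACCEPT lines and anything unparseable are skipped
            blocks.append((m["src"], m["proto"], int(m["dpt"])))
    return blocks


def summarize(blocks, geoip=GEOIP, top_n=3):
    """Build the dashboard numbers: total blocks, distinct countries, top ports."""
    countries = {geoip.get(src, "??") for src, _, _ in blocks}
    ports = Counter(dpt for _, _, dpt in blocks)
    top_ports = [(p, PORT_SERVICE.get(p, "unknown"), n)
                 for p, n in ports.most_common(top_n)]
    return {"blocks": len(blocks), "countries": len(countries), "top_ports": top_ports}


if __name__ == "__main__":
    print(summarize(parse_blocks(SAMPLE_LOG)))
```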
Conclusion and Next Steps
Now that I can characterize the threat, I want to see what happens when SSH gets attacked itself. I get a log of all access activity in the morning each day, and one day a while back the log was huge and filled with login failures. What had happened was that I had left an ssh server exposed on a random port, and someone had found it, and was trying username and password combinations. I want to try it in a controlled situation so I can see how long it takes to find my server.
So now I have a small SSH server parked on a different port, and I’ll report on how long it takes to find and start to try and get in, and what form that attack takes.
Overall, there are a few takeaways. First, never open ports (unless you know what you are doing). It's very dangerous. Second, take a hard look at who is attacking us, and what country your equipment comes from. Now, the Seychelles don't have much of an IT industry, but China does. And there is a lot of debate over whether you should be buying Chinese hardware, given that it's often hard to tell where the government stops and where private industry starts. Hint: in communism there is only the government. So the debate on whether to, say, buy Huawei or Kaspersky has to be considered alongside the fact that both of their host countries appear to be trying to attack you.
What I’m listening to as I do this: Gamma Ray’s Land Of The Free. I love this album, and especially the song ‘Land Of The Free’. Gamma Ray is a German Melodic Heavy Metal band that is simply epic, and their guitarist, Kai Hansen, is an excellent vocalist as well. I’ve seen them live twice or thrice, and they are great.