I always wondered how the IPs like this 180.101.88.232 from this block:
ISP ChinaNet Jiangsu Province Network
Domain Name chinatelecom.com.cn
Continue to be the source of thousands of ssh password login attempts for years and years on end.
It's not a big deal, I use a tarpit on all ssh with 2FA on the one I use, but it seems ridiculous that some participants of the internet don't give a shit about the rest of the world.
Amusingly I recognize those IPs by that specific prefix as well, basically that entire /24 (at the very least) appears to be an absolutely massive source of the SSH login attempts.
It's not illegal to try to log in to an ssh server. Or many. Apart from that I think the map from the article is mostly matching the number of internet-connected devices per country/region. So I think you can replace "some" by "almost all" in your statement. I mean, find a vulnerable iot device, use it for scanning/botnet.
In what country? I suspect that given the intentions it would be a breach of the U.K. computer misuse act for example. Holding the perpetrator to the law is another matter of course.
Exactly. If I just willy-nilly connect to your server, try a password and it works and I immediately disconnect, will that get me in trouble in the UK? That would be worrying.
The Theft Act 1968 defines theft as dishonest appropriation of “property belonging to another with the intention of permanently depriving the other of it” (and then waxes lyrical about what, exactly, that means: https://www.legislation.gov.uk/ukpga/1968/60/crossheading/de...). Just going by that law, I would say "it depends".
It is where I live. If I know your username and password, using those credentials knowing you didn't intend to share them would be a crime.
Of course, the probability of someone getting arrested for logging into your SSH server is as close to 0 as you can possibly get, but that doesn't make it legal.
Yes, I assumed it is an exit point of the great firewall or something like that, but they do so much packet inspection, they could easily block them. It's not like it's hard to see them.
The Great Firewall is about blocking Chinese citizens from accessing content the party doesn’t find palatable. Being a good neighbor to the rest of the world is out of scope for that project.
I run an N100 with LXD so I have a container running one of the many ssh tar pits and point 22 and a bunch of other ports to it. It simulates an ssh login that very slowly sends ssh banner lines in the connection protocol, endlessly, until they disconnect.
It is commonly thought that they do nothing, but they seem to keep TCP connections open for quite a long time. I assume a hand-written scanning client could detect and mitigate the delay, but it's going to hold open the sessions on the firewall exit on the other side. If there are enough of these, maybe someone might do something.
Makes me smile when I look at the logs, that's enough for me.
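A minimal version of the tarpit described in the comment above, added here as an illustration (it is neither the poster's setup nor Endlessh's code). It assumes the daemon listens on port 2222 with the firewall forwarding 22 to it, and a 10 second pause between filler lines.

```python
import asyncio
import random
import string
import time

# RFC 4253 section 4.2: before the server's "SSH-2.0-..." identification
# string, a client must accept and ignore any number of lines that do not
# begin with "SSH-". A tarpit simply never sends the identification string;
# it drips harmless filler lines forever, so the scanner sits and waits.
MAX_BODY_LEN = 253     # 255 bytes including CRLF, the limit RFC 4253 allows
DELAY_SECONDS = 10.0   # assumed pause between lines (Endlessh defaults to 10 s)
LISTEN_PORT = 2222     # assumed; the firewall redirects port 22 here


def banner_line(rng=random) -> bytes:
    """One filler line: printable alphanumerics plus CRLF.

    Only letters and digits are used, so the line can never start with
    "SSH-" and can never be mistaken for the real identification string.
    """
    length = rng.randint(3, MAX_BODY_LEN)
    body = "".join(rng.choice(string.ascii_letters + string.digits) for _ in range(length))
    return (body + "\r\n").encode("ascii")


def is_valid_filler(line: bytes) -> bool:
    """True if a line obeys the pre-identification-string rules."""
    return (line.endswith(b"\r\n") and len(line) <= 255
            and not line.startswith(b"SSH-")
            and all(32 <= c < 127 for c in line[:-2]))


async def tarpit_client(reader, writer, delay=DELAY_SECONDS):
    """Hold one scanner's TCP session open, one slow line at a time."""
    peer = writer.get_extra_info("peername")
    start = time.monotonic()
    print(f"trapped {peer}")
    try:
        while True:
            writer.write(banner_line())
            await writer.drain()          # raises once the peer has gone away
            await asyncio.sleep(delay)
    except OSError:
        pass
    finally:
        print(f"{peer} gave up after {time.monotonic() - start:.0f}s")
        writer.close()


async def main(host="0.0.0.0", port=LISTEN_PORT):
    server = await asyncio.start_server(tarpit_client, host, port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```

Point the real sshd at another port (or a different host) before redirecting 22 here, and watch the "gave up after" lines to see how long each scanner's session was held.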
Thanks. Yes, I have heard of such an approach, I did not know that it is called a tarpit. I just googled the idea and found Endlessh, I'll try it. Thank you.