So I was reading 𝕏 and came across one of those memes showing “Chinese bots” making connections to “open” SSH ports on Internet-accessible servers. The suggestion to turn off password authentication in favour of public/private key authentication was certainly sensible (on a very simplistic level it effectively makes a very strong “password”).
But the “Chinese bots” thing sort of irritated me a bit, so I decided to trawl my personal firewall logs looking for attempts to connect to my ssh port(s). Even ignoring the IPv6 probes, there were 1251 different addresses probing my network (just one public IPv4 address) in the month of March so far.
Why is this irritating? Because the addresses of the machines attempting to break into a non-existent ssh service here are those of compromised machines. They may be in China, or the USA, Russia, etc. but that in no way betrays who is controlling those “bots”.
Anyway, for some data :-
| Count | ISO 3166 alpha-2 | alpha-3 | numeric | Country |
|---|---|---|---|---|
| 502 | US | USA | 840 | United States |
| 128 | CN | CHN | 156 | China |
| 97 | KR | KOR | 410 | Korea, Republic of |
| 33 | SG | SGP | 702 | Singapore |
| 27 | BG | BGR | 100 | Bulgaria |
| 26 | RU | RUS | 643 | Russian Federation |
| 22 | HK | HKG | 344 | Hong Kong |
| 22 | GB | GBR | 826 | United Kingdom |
| 20 | DE | DEU | 276 | Germany |
| 16 | SE | SWE | 752 | Sweden |
And “China” isn’t even in the lead in this case! I have included just the top 10, as a long list of random countries with one or two bots isn’t very enlightening.
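For anyone who wants to reproduce the kind of tally shown above from their own firewall logs, here is an added example (my illustration, not the author's script or data). It parses netfilter/iptables `LOG` lines in the usual kernel-log shape, keeps only TCP SYNs to the watched ssh ports, drops IPv6 as the post does, counts distinct IPv4 sources and groups them by country. The log lines and the prefix-to-country table are constructed for the example (the addresses are RFC 5737 documentation ranges); in real use you would feed it `journalctl -k` or `/var/log/kern.log` and replace the table with a real GeoIP lookup.

```python
"""Tally distinct SSH-probing sources from netfilter log lines, per country.

Added example; the log lines and the prefix->country table below are
constructed for illustration and are not the author's data.
"""
import ipaddress
import re
from collections import Counter

# Constructed netfilter "LOG" target lines in the usual dmesg/syslog shape.
# 192.0.2/24, 198.51.100/24 and 203.0.113/24 are RFC 5737 documentation
# ranges, so nothing here refers to a real host.
SAMPLE_LOG = """\
Mar  3 02:11:07 gw kernel: IN=ppp0 OUT= SRC=203.0.113.10 DST=198.51.100.7 LEN=60 TTL=51 PROTO=TCP SPT=44321 DPT=22 WINDOW=29200 SYN URGP=0
Mar  3 02:11:09 gw kernel: IN=ppp0 OUT= SRC=203.0.113.10 DST=198.51.100.7 LEN=60 TTL=51 PROTO=TCP SPT=44322 DPT=22 WINDOW=29200 SYN URGP=0
Mar  3 02:15:40 gw kernel: IN=ppp0 OUT= SRC=203.0.113.77 DST=198.51.100.7 LEN=60 TTL=48 PROTO=TCP SPT=51002 DPT=2222 WINDOW=65535 SYN URGP=0
Mar  3 02:44:12 gw kernel: IN=ppp0 OUT= SRC=203.0.113.150 DST=198.51.100.7 LEN=60 TTL=49 PROTO=TCP SPT=42010 DPT=22 WINDOW=29200 SYN URGP=0
Mar  3 03:02:13 gw kernel: IN=ppp0 OUT= SRC=192.0.2.200 DST=198.51.100.7 LEN=60 TTL=53 PROTO=TCP SPT=39922 DPT=22 WINDOW=14600 SYN URGP=0
Mar  3 03:07:55 gw kernel: IN=ppp0 OUT= SRC=192.0.2.201 DST=198.51.100.7 LEN=60 TTL=53 PROTO=TCP SPT=39923 DPT=22 WINDOW=14600 SYN URGP=0
Mar  3 03:30:00 gw kernel: IN=ppp0 OUT= SRC=192.0.2.200 DST=198.51.100.7 LEN=40 TTL=53 PROTO=TCP SPT=39922 DPT=22 WINDOW=0 RST URGP=0
Mar  3 04:12:31 gw kernel: IN=ppp0 OUT= SRC=198.51.100.9 DST=198.51.100.7 LEN=60 TTL=61 PROTO=TCP SPT=60001 DPT=80 WINDOW=29200 SYN URGP=0
Mar  3 04:20:05 gw kernel: IN=ppp0 OUT= SRC=198.51.100.200 DST=198.51.100.7 LEN=60 TTL=44 PROTO=TCP SPT=33001 DPT=22 WINDOW=5840 SYN URGP=0
Mar  3 04:40:18 gw kernel: IN=ppp0 OUT= SRC=2001:db8::1 DST=2001:db8::7 LEN=80 TTL=57 PROTO=TCP SPT=41000 DPT=22 WINDOW=28800 SYN URGP=0
Mar  3 05:01:02 gw kernel: IN=ppp0 OUT= SRC=203.0.113.10 DST=198.51.100.7 LEN=60 TTL=51 PROTO=UDP SPT=5060 DPT=22 LEN=40
"""

SSH_PORTS = {22, 2222}  # the watched "ssh port(s)"; an assumed set

# Hypothetical prefix -> country table standing in for a real GeoIP database
# (e.g. MaxMind GeoLite2 through the geoip2 module). Purely illustrative.
PREFIX_COUNTRY = {
    ipaddress.ip_network("203.0.113.0/24"): "United States",
    ipaddress.ip_network("192.0.2.0/24"): "China",
}

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+)\s.*?PROTO=(?P<proto>\S+)\s.*?DPT=(?P<dpt>\d+)"
)
SYN_RE = re.compile(r"\bSYN\b")  # netfilter logs TCP flags as separate tokens


def ssh_probe_sources(log_text, ports=SSH_PORTS):
    """Return the set of distinct IPv4 sources that sent a TCP SYN to an ssh port."""
    sources = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        # Only initial connection attempts: SYN present, TCP only, so
        # RST/ACK noise and UDP packets to port 22 are not counted.
        if m["proto"] != "TCP" or not SYN_RE.search(line):
            continue
        if int(m["dpt"]) not in ports:
            continue
        addr = ipaddress.ip_address(m["src"])
        if addr.version != 4:  # ignore IPv6 probes, as the post does
            continue
        sources.add(addr)
    return sources


def country_of(addr):
    """Map an address to a country via the stand-in prefix table."""
    for net, country in PREFIX_COUNTRY.items():
        if addr in net:
            return country
    return "unknown"


def tally_by_country(sources):
    """Return [(count, country), ...] sorted like the table in the post."""
    counts = Counter(country_of(a) for a in sources)
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(n, country) for country, n in ordered]


if __name__ == "__main__":
    srcs = ssh_probe_sources(SAMPLE_LOG)
    print(f"{len(srcs)} distinct IPv4 addresses probed ssh ports")
    for n, country in tally_by_country(srcs):
        print(f"{n:>5} | {country}")
```

Counting SYNs rather than every logged packet matters: a single scanner that retries, or a stray RST, would otherwise inflate the numbers, and the post's 1251 is a count of distinct addresses, not of packets. The country column says where the compromised host sits, which is exactly the limitation the post goes on to make.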
The key point here is that the national identity of the compromised host doing the attacking tells you nothing about where the true attacker is from. Russia is quite a likely candidate given its status as a rogue nation with a known tolerance for cyber criminals (as long as they co-operate with the state when the state needs their skills), but that is just background knowledge.