<h1>SSH And The &#8220;Chinese Bots&#8221;</h1>

<p>Posted 2024-04-01 15:56 UTC at <a href="https://really.zonky.org/?p=6389">https://really.zonky.org/?p=6389</a>; filed under IT, Security and Working Notes, tagged china, chinese, russia and ssh; shared on Mastodon at <a href="https://mstdn.social/@grumpygrimnir/112196778142737106">https://mstdn.social/@grumpygrimnir/112196778142737106</a>.</p>

<p>So I was reading 𝕏 and came across one of those memes showing &#8220;Chinese bots&#8221; making connections to &#8220;open&#8221; SSH ports on Internet-accessible servers. The suggestion to turn off password authentication in favour of public/private key authentication was certainly sensible (on a very simplistic level a key pair is effectively a <em>very</em> strong &#8220;password&#8221;, one that a password-guessing bot is never going to hit).</p>

<p>But the &#8220;Chinese bots&#8221; thing irritated me a bit, so I decided to trawl my personal firewall logs looking for attempts to connect to <em>my</em> ssh port(s). Even ignoring the IPv6 probes, there were 1251 different source addresses probing my network (just one public IPv4 address) in the month of March so far.</p>

<p>Why is this irritating? Because the addresses of the machines attempting to break into a non-existent ssh service here are those of compromised machines, not of whoever is driving them. They may be in China, the USA, Russia or anywhere else, but that in no way betrays <em>who is controlling those &#8220;bots&#8221;</em>.</p>

<p>Anyway, for some data (distinct source addresses per country, top 10):</p>

<table>
<tr><th>Count</th><th>Alpha-2</th><th>Alpha-3</th><th>Numeric</th><th>Country</th></tr>
<tr><td>502</td><td>US</td><td>USA</td><td>840</td><td>United States</td></tr>
<tr><td>128</td><td>CN</td><td>CHN</td><td>156</td><td>China</td></tr>
<tr><td>97</td><td>KR</td><td>KOR</td><td>410</td><td>Korea, Republic of</td></tr>
<tr><td>33</td><td>SG</td><td>SGP</td><td>702</td><td>Singapore</td></tr>
<tr><td>27</td><td>BG</td><td>BGR</td><td>100</td><td>Bulgaria</td></tr>
<tr><td>26</td><td>RU</td><td>RUS</td><td>643</td><td>Russian Federation</td></tr>
<tr><td>22</td><td>HK</td><td>HKG</td><td>344</td><td>Hong Kong</td></tr>
<tr><td>22</td><td>GB</td><td>GBR</td><td>826</td><td>United Kingdom</td></tr>
<tr><td>20</td><td>DE</td><td>DEU</td><td>276</td><td>Germany</td></tr>
<tr><td>16</td><td>SE</td><td>SWE</td><td>752</td><td>Sweden</td></tr>
</table>

<p>The Alpha-2, Alpha-3 and Numeric columns are the ISO 3166-1 country codes returned by the geolocation lookup.</p>

<p>And &#8220;China&#8221; isn&#8217;t even in the lead in this case! I have included just the top 10, as a long list of random countries with one or two robots each isn&#8217;t very enlightening.</p>

<p>The key point here is that the national identity of the compromised host doing the attacking tells you <em>nothing</em> about where the true attacker is from. Russia is quite a likely candidate given its status as a rogue nation with a known tolerance for cyber criminals (as long as they co-operate with the state when the state needs their skills), but that is just background knowledge.</p>
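<p>The log trawl described in the post (pick out connection attempts to the ssh port(s), keep one entry per source address, drop the IPv6 probes, then tally by country) as an added Python example. This is not the author's own script, which the post does not show. The log lines are constructed in the Linux netfilter LOG format using RFC 5737 documentation addresses, the CIDR-to-country table is a made-up stand-in for a real GeoIP database (the real run would use something like MaxMind GeoLite2 or <code>geoiplookup</code>), and the function names <code>ssh_probe_sources</code>, <code>country_of</code>, <code>top_countries</code> and <code>summarise</code> are this example's own.</p>

```python
"""Count distinct SSH-probing sources in netfilter-style firewall logs and
tally them by the country of the *source address*, i.e. the compromised host,
which says nothing about who operates it.

Added example, not code from the original post.  The log lines below are
constructed (RFC 5737 documentation prefixes) and FAKE_GEOIP is a stand-in for
a real GeoIP database; all function names are this example's own.
"""
import ipaddress
import re
from collections import Counter

# Fields of a Linux netfilter LOG entry we need: source address, protocol,
# destination port.  TCP flags appear as bare tokens (SYN, ACK, ...) later on.
_LOG_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")
_SYN_RE = re.compile(r"\bSYN\b")
_ACK_RE = re.compile(r"\bACK\b")

# Constructed sample: port 22 SYNs from three IPv4 hosts (one repeated), one
# SYN to an alternate ssh port, one IPv6 probe, one HTTPS SYN and one bare ACK.
SAMPLE_LOG = """\
Mar  3 01:12:07 gw kernel: [1001.1] IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.1 LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=41022 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 01:12:09 gw kernel: [1003.4] IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.1 LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=41023 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 02:40:51 gw kernel: [6301.0] IN=ppp0 OUT= SRC=192.0.2.45 DST=198.51.100.1 LEN=60 TTL=51 ID=0 DF PROTO=TCP SPT=55811 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  4 11:05:13 gw kernel: [9077.2] IN=ppp0 OUT= SRC=192.0.2.200 DST=198.51.100.1 LEN=60 TTL=51 ID=0 DF PROTO=TCP SPT=55812 DPT=2222 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  4 11:06:00 gw kernel: [9124.9] IN=ppp0 OUT= SRC=2001:db8::1 DST=2001:db8:1::2 LEN=80 TC=0 HOPLIMIT=52 FLOWLBL=0 PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  5 09:00:00 gw kernel: [12000.0] IN=ppp0 OUT= SRC=203.0.113.99 DST=198.51.100.1 LEN=60 TTL=44 ID=0 DF PROTO=TCP SPT=3344 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  5 09:00:01 gw kernel: [12001.0] IN=ppp0 OUT= SRC=203.0.113.50 DST=198.51.100.1 LEN=40 TTL=44 ID=0 DF PROTO=TCP SPT=3345 DPT=22 WINDOW=0 RES=0x00 ACK URGP=0
Mar  6 17:30:22 gw kernel: [15010.3] IN=ppp0 OUT= SRC=203.0.113.120 DST=198.51.100.1 LEN=60 TTL=49 ID=0 DF PROTO=TCP SPT=60001 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
"""

# Constructed stand-in for a GeoIP database.  The country assignments are
# arbitrary test values; documentation prefixes belong to no real country.
FAKE_GEOIP = [
    (ipaddress.ip_network("203.0.113.0/24"), ("US", "United States")),
    (ipaddress.ip_network("192.0.2.0/25"), ("CN", "China")),
    (ipaddress.ip_network("192.0.2.128/25"), ("KR", "Korea, Republic of")),
]


def ssh_probe_sources(log_text, ssh_ports=(22,), include_ipv6=False):
    """Distinct source addresses that sent an inbound TCP SYN to an ssh port."""
    sources = set()
    for line in log_text.splitlines():
        m = _LOG_RE.search(line)
        if not m or m.group("proto") != "TCP":
            continue
        if int(m.group("dpt")) not in ssh_ports:
            continue
        # Only a SYN without ACK is a new connection attempt; a bare ACK or a
        # SYN/ACK is a reply or scanner noise, not a login attempt.
        if not _SYN_RE.search(line) or _ACK_RE.search(line):
            continue
        addr = ipaddress.ip_address(m.group("src"))
        if addr.version == 6 and not include_ipv6:
            continue
        sources.add(addr)  # the set collapses repeat probes from one host
    return sources


def country_of(addr, table=FAKE_GEOIP):
    """Longest-prefix match of an address against the (network, country) table."""
    best = None
    for net, country in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, country)
    return best[1] if best else ("??", "Unknown")


def top_countries(sources, n=10, table=FAKE_GEOIP):
    """Tally distinct probing hosts per country; top n as (count, alpha2, name)."""
    counts = Counter(country_of(a, table) for a in sources)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0][0]))
    return [(c, code, name) for (code, name), c in ranked[:n]]


def summarise(log_text, ssh_ports=(22,), n=10, include_ipv6=False):
    """(number of distinct probing hosts, top-n country table) for a log."""
    sources = ssh_probe_sources(log_text, ssh_ports, include_ipv6)
    return len(sources), top_countries(sources, n)


if __name__ == "__main__":
    total, table = summarise(SAMPLE_LOG, ssh_ports=(22, 2222))
    print(f"{total} distinct IPv4 sources probed ssh")
    for count, code, name in table:
        print(f"{count:5d}  {code}  {name}")
```

<p>Two choices decide whether such numbers are comparable with the post's 1251: the SYN-only filter (so a host that probes twice a day for a month still counts once, as the post's distinct-address count does) and the port list, which has to include any non-standard port sshd actually listens on. Whatever the tally says, it is still a table of where the <em>compromised</em> hosts sit, not where their operator is.</p>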