Hi
@hochd
Are you saying that you've found SSH brute force attempts to the alternate port that KH configures? Because I haven't seen any at all myself other than a few random attempts here and there...
Very interesting read, thanks!
No, as I understand that writeup, use of port 1234 happens only after they have breached an ssh server through brute force (and then uploaded their own public key for return access). In my case, I have the ssh server set to key authentication only, so password-based brute-force attacks will never succeed. Hence, no alternate ports on my VPS. However, I'm getting dozens of brute-force attempts a day. I have csf configured to block for an hour after 5 of those attempts and then permblock after four of those cycles of five attempts.
However, I can report from my logs that the brute-force attacks themselves take place on random high-numbered ports, which puzzles me because I didn't think ssh even listens on those ports, and the default firewall setup really excludes all but a few commonly used ports anyway. The brute-force attacks often (but not always) use what I suppose are common user names for services I don't even run, like Oracle or Hadoop, etc. I suppose they are looking for unmodified default passwords on services like that, and then once they break in, they're off to the crypto-mining races with their own configured public key and custom port.
Anyway, KH support has confirmed for me that even with the firewall swatting away dozens of these a day, resource usage is negligible, so I'm trying not to worry about it. However, given the number of unpatched/sloppy installations out in the world, I would expect these attacks to continue to grow on some kind of exponential curve.
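The escalating block policy described in the post above (five failed logins, a one-hour block, a permanent block after four such cycles), as an added example that is not part of this thread and is not csf's own code: a small Python model that parses OpenSSH-style "Failed password" lines from auth.log and applies that policy per source address. The log lines are constructed sample data, the one-day window for counting temporary blocks toward a permanent one is an assumption, and the `port` value sshd prints in these lines is the connecting client's source port (it says nothing about which port the server listens on).

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Policy as described in the post: 5 failures -> one-hour block,
# four such blocks -> permanent block.
TEMP_TRIGGER = 5
TEMP_BLOCK = timedelta(hours=1)
PERM_AFTER = 4
PERM_WINDOW = timedelta(days=1)  # assumption: temp blocks are counted within one day

LOG_YEAR = 2024  # syslog lines carry no year; assumed for the constructed sample

# OpenSSH auth.log failure line. "port" here is the client's ephemeral source port.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port (?P<port>\d+) ssh2$"
)


def parse_failed_login(line):
    """Return {ts, user, ip, port} for a failed-password line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "user": m["user"], "ip": m["ip"], "port": int(m["port"])}


@dataclass
class HostState:
    failures: list = field(default_factory=list)     # failures since the last block
    temp_blocks: list = field(default_factory=list)  # timestamps of temporary blocks
    blocked_until: Optional[datetime] = None
    permanent: bool = False


def apply_policy(lines):
    """Replay log lines in order and return the per-IP block state."""
    states = defaultdict(HostState)
    for line in lines:
        ev = parse_failed_login(line)
        if ev is None:
            continue  # accepted logins and unrelated lines do not count
        st = states[ev["ip"]]
        if st.permanent or (st.blocked_until and ev["ts"] < st.blocked_until):
            continue  # the firewall would drop these; sshd never sees them
        st.failures.append(ev["ts"])
        if len(st.failures) >= TEMP_TRIGGER:
            st.failures.clear()
            # keep only temp blocks inside the counting window, then add this one
            st.temp_blocks = [t for t in st.temp_blocks if ev["ts"] - t <= PERM_WINDOW]
            st.temp_blocks.append(ev["ts"])
            st.blocked_until = ev["ts"] + TEMP_BLOCK
            if len(st.temp_blocks) >= PERM_AFTER:
                st.permanent = True
    return dict(states)


def summarize(states):
    return {ip: {"permanent": s.permanent, "temp_blocks": len(s.temp_blocks),
                 "pending_failures": len(s.failures)} for ip, s in states.items()}


def fail_line(ts, user, ip, port):
    """Constructed auth.log-style line (sample data, not real traffic)."""
    return (f"{ts.strftime('%b %d %H:%M:%S')} vps sshd[4242]: Failed password for "
            f"invalid user {user} from {ip} port {port} ssh2")


def build_sample_log():
    """Constructed sample: one host bursting every 65 minutes, one host below the trigger."""
    base = datetime(LOG_YEAR, 3, 10, 12, 0, 0)
    lines = []
    # 203.0.113.5: five guesses at 12:00, 13:05, 14:10 and 15:15, each after its hour block ends.
    for burst in range(4):
        start = base + burst * timedelta(hours=1, minutes=5)
        for i, user in enumerate(["oracle", "hadoop", "admin", "test", "root"]):
            lines.append(fail_line(start + timedelta(seconds=i), user,
                                   "203.0.113.5", 51000 + burst * 100 + i))
    # 198.51.100.7: only three failures, never reaches the trigger.
    for i in range(3):
        lines.append(fail_line(base + timedelta(minutes=30, seconds=i),
                               "postgres", "198.51.100.7", 40000 + i))
    # A legitimate key-based login; the parser ignores it.
    lines.append(f"{base.strftime('%b %d %H:%M:%S')} vps sshd[4300]: Accepted publickey "
                 f"for deploy from 192.0.2.10 port 60001 ssh2: ED25519 SHA256:constructedfp")
    return lines


if __name__ == "__main__":
    for ip, info in summarize(apply_policy(build_sample_log())).items():
        print(ip, info)
```

Run against the constructed log, the bursting host ends up permanently blocked after its fourth temporary block, the three-failure host is never blocked, and the accepted-publickey line contributes nothing. The real csf daemon reads these thresholds from its own configuration; this is a model of the behaviour the post describes, not a substitute for it.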