DEV Community


The Fixed Line Mystery...

RiversideRocks
Web Developer
・2 min read

A few days ago I decided to open up my SSH port to the internet. Possibly not the greatest idea, but I have a service set up to block brute-force attempts and report unauthorized connections to AbuseIPDB. After a few days I started noticing some odd patterns.

Over the last few days I have gotten a ton of break-in attempts from "Fixed Line" ISPs (the AbuseIPDB usage type for IP ranges assigned to people's homes and possibly small businesses). A good many of these requests appear to be coming from smaller ISPs (to date none have come from Comcast, one of the biggest ISPs in the United States), mostly from CenturyLink Communications LLC.

At first I thought that most of these attacks were coming from compromised hosts: machines that had themselves been hacked. A bot (or possibly a person) brute-forced a login page that was exposed on the internet and installed malware that makes that host scan for more login pages, and the cycle continues, growing a botnet. While some of the requests were likely just that, I noticed something odd. Most of the IPs had only one or two reports on AbuseIPDB (one of them being mine). I was a bit confused about why I was one of the only reporters, but then I came up with an interesting idea.
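As an added example (not code from the post or from the blocking service the author runs), here is the core of what such a blocker does: parse sshd's "Failed password" lines, tally attempts per source IP, decide who crosses a fail2ban-style retry threshold, and assemble the fields an AbuseIPDB report carries. The log lines are constructed, the threshold of 5 and the category numbers (18 Brute-Force, 22 SSH) are my assumptions to check against the current AbuseIPDB docs, and nothing is sent anywhere.

```python
import re

# Constructed sshd syslog lines for this example; not from the author's server.
SAMPLE_LOG = """\
Jan 12 03:14:07 vm sshd[2231]: Failed password for invalid user admin from 198.51.100.23 port 51122 ssh2
Jan 12 03:14:09 vm sshd[2231]: Failed password for invalid user admin from 198.51.100.23 port 51122 ssh2
Jan 12 03:14:12 vm sshd[2240]: Failed password for root from 198.51.100.23 port 51130 ssh2
Jan 12 03:14:15 vm sshd[2244]: Failed password for invalid user pi from 198.51.100.23 port 51138 ssh2
Jan 12 03:14:18 vm sshd[2250]: Failed password for invalid user ubnt from 198.51.100.23 port 51141 ssh2
Jan 12 03:20:01 vm sshd[2301]: Failed password for invalid user test from 203.0.113.77 port 40022 ssh2
Jan 12 03:21:44 vm sshd[2310]: Accepted publickey for alice from 192.0.2.10 port 55010 ssh2
"""

# One failed password attempt, with or without the "invalid user" prefix.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
)

# fail2ban's default maxretry is 5; using it here is an assumption for the example.
MAXRETRY = 5

# AbuseIPDB category numbers as I recall them from its docs (18 Brute-Force,
# 22 SSH); verify against the current API documentation before reporting.
ABUSEIPDB_CATEGORIES = (18, 22)


def tally_failures(log_text):
    """Return {ip: {"count": attempts, "users": {usernames tried}}} for failed SSH logins."""
    attempts = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        entry = attempts.setdefault(m["ip"], {"count": 0, "users": set()})
        entry["count"] += 1
        entry["users"].add(m["user"])
    return attempts


def offenders(attempts, maxretry=MAXRETRY):
    """IPs that reached the retry threshold, i.e. the ones to block and report."""
    return sorted(ip for ip, e in attempts.items() if e["count"] >= maxretry)


def build_reports(attempts, maxretry=MAXRETRY):
    """Fields an AbuseIPDB report carries (ip, categories, comment); nothing is sent."""
    reports = []
    for ip in offenders(attempts, maxretry):
        e = attempts[ip]
        reports.append({
            "ip": ip,
            "categories": ",".join(str(c) for c in ABUSEIPDB_CATEGORIES),
            "comment": (f"{e['count']} failed SSH logins, "
                        f"{len(e['users'])} usernames tried: {', '.join(sorted(e['users']))}"),
        })
    return reports


if __name__ == "__main__":
    for report in build_reports(tally_failures(SAMPLE_LOG)):
        print(report)
```

The split between blocking and reporting is deliberate: the ban fires on the threshold, while the report's comment carries the evidence (attempt count, usernames tried), so that the one or two reports the author saw per IP are at least informative to the next person who looks that address up.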

The Theory

Likely the malware installed on these hosts wasn't scanning the entire internet but only residential CIDR blocks. My server's IP, which is a Comcast IP, likely fell inside one of those blocks. Most people use web hosts instead of self-hosting, so few self-hosted servers sit in residential ranges where they would notice the scanning, which would explain the small number of reports.

The Lesson

If it doesn't need to be on the internet, don't put it on the internet. If you are unsure whether you have any router logins or other services exposed, run an Nmap scan against your public IP from a host outside your own network (a VPS or a phone hotspot); a scan from inside your LAN shows what is reachable locally, not what the internet sees.

For example (a SYN scan needs root; -p- covers all 65535 TCP ports rather than Nmap's default top 1000; replace the address with your own public IP):
sudo nmap -sS -p- 203.0.113.5
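As an added example (not from the post), here is how to read the result of such a scan programmatically: Nmap's grepable output format (-oG) is parsed and every open TCP port that commonly fronts a login page is flagged with the reason it matters. The scan output is constructed for the documentation address 203.0.113.5, and the port watch list is my own choice for this example, not Nmap's.

```python
import re

# Constructed nmap grepable (-oG) output for the documentation address
# 203.0.113.5; this is not a scan of the author's server.
SAMPLE_GNMAP = """\
# Nmap 7.92 scan initiated as: nmap -sS -p- -oG - 203.0.113.5
Host: 203.0.113.5 ()\tStatus: Up
Host: 203.0.113.5 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 80/open/tcp//http///, 443/closed/tcp//https///, 8080/open/tcp//http-proxy///, 8123/open/tcp//unknown///\tIgnored State: filtered (65529)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# Ports that commonly front a login interface on a home connection. The list
# and the notes are my assumption for this example, not nmap's service table.
LOGIN_PORTS = {
    21: "FTP: credentials cross the wire in cleartext",
    22: "SSH: the brute-force target described in the post",
    23: "Telnet: cleartext, and the classic router/IoT botnet entry point",
    80: "HTTP: often a router, NAS or camera admin page",
    443: "HTTPS: often a router, NAS or camera admin page",
    3389: "RDP: remote desktop login",
    5900: "VNC: remote desktop login, frequently unauthenticated",
    8080: "HTTP alternate: router/NAS admin pages",
    8123: "Home Assistant default port",
    8443: "HTTPS alternate: router/NAS admin pages",
}

# One entry of the -oG "Ports:" field: port/state/proto/owner/service/rpcinfo/version/
PORT_ENTRY = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text):
    """Return {host: [(port, state, proto, service, version), ...]} from -oG output."""
    results = {}
    for line in text.splitlines():
        # Comment lines and the "Status: Up" line carry no port data.
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, _owner, service, _rpc, version in PORT_ENTRY.findall(ports_field):
            results.setdefault(host, []).append((int(port), state, proto, service, version))
    return results


def exposed_logins(parsed):
    """Open TCP ports on the watch list, each with the reason it matters."""
    findings = {}
    for host, entries in parsed.items():
        for port, state, proto, service, _version in entries:
            if state == "open" and proto == "tcp" and port in LOGIN_PORTS:
                findings.setdefault(host, []).append((port, service, LOGIN_PORTS[port]))
    return findings


if __name__ == "__main__":
    for host, hits in exposed_logins(parse_gnmap(SAMPLE_GNMAP)).items():
        print(f"{host}: {len(hits)} exposed login-style ports")
        for port, service, why in hits:
            print(f"  {port}/tcp ({service}): {why}")
```

To use it on a real scan, write the output with -oG (for example "sudo nmap -sS -p- -oG scan.gnmap 203.0.113.5" from outside your network) and pass the file's contents to parse_gnmap. Closed ports such as 443 in the sample are kept in the parse result but not reported, since only open ports are reachable.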

Stay safe!

AbuseIPDB - Riverside Rocks


Discussion (4)

javaarchive (Raymond)

"If it doesn't need to be on the internet, don't put it on the internet. If you are unsure if you have any router logins online, please do an Nmap scan of your IP."
lol, reminds me of people who expose their Home Assistant instances to the internet. I found one or two with media control

riversiderocks (RiversideRocks, author)

Even worse, the people who put security cameras on the internet.

javaarchive (Raymond)

Home Assistant is usually connected to a lot of things, security/door cams included.
Have a look here home-assistant.io/integrations/

zoedreams (☮️✝️☪️🕉☸️✡️☯️)

That's war IP dialer bots. They scan the vast wild west of the internet looking for ports to add to databases people use to attack. I would strongly recommend blocking ports 21 and 22 on your firewall and rerouting using some custom one, and shutting it off when you're not using it. And recycle your email and save the whales.