DEV Community

RiversideRocks

The Fixed Line Mystery...

A few days ago I decided to open up my SSH to the internet. Possibly not the greatest idea, but I have a service set up to block brute force attempts and report unauthorized connections to AbuseIPDB. After a few days I started noticing some odd patterns.

Over the last few days, I have gotten a ton of break-in attempts from "Fixed Line" ISPs (IPs being used by people's homes and possibly businesses). A good deal of these requests appear to be coming from smaller ISPs (to this date no requests have come from one of the biggest ISPs in the United States, Comcast), mostly from CenturyLink Communications LLC.

At first I thought that most of these attacks were from exploited hosts - IPs that have been hacked. A bot (possibly a person) brute-forced a login page that was on the internet, and uploaded malware that lets the IP scan for more login pages, and the cycle continues, creating a botnet. While some of the requests were likely just this, I noticed something odd. Most of the IPs had only 1 or 2 reports (one of them being mine). I was a bit confused as to why I was one of the only reports, but then I came up with an interesting idea.

The Theory

Likely the malware inserted onto these IPs wasn't scanning the entire internet; instead it was scanning only residential CIDR blocks. My server's IP, which is a Comcast IP, likely fell under one of the CIDR blocks. Most people choose to use web hosts instead of self-hosting, which would explain the few reports.
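
One way to check the source pattern described above against your own logs, as an added example that is not part of the original post: it counts failed SSH password attempts per source address and groups them by network prefix. The log lines, prefixes and labels are constructed (documentation address ranges); substitute your own auth log and a prefix-to-ISP list.

```python
import ipaddress
import re
from collections import Counter

# OpenSSH password-failure line. "Invalid user ..." lines are skipped on purpose:
# sshd logs them in addition to the failure, so counting both double-counts.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port")

# Constructed prefix labels (documentation ranges, not real ISP allocations).
PREFIXES = {
    "198.51.100.0/24": "fixed-line ISP A",
    "203.0.113.0/24": "fixed-line ISP B",
    "192.0.2.0/24": "hosting provider",
}

# Constructed sample in the format of /var/log/auth.log.
SAMPLE_LOG = """\
Jan 10 03:12:01 host sshd[1201]: Invalid user admin from 198.51.100.7 port 40112
Jan 10 03:12:03 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2
Jan 10 03:12:09 host sshd[1204]: Failed password for root from 198.51.100.7 port 40120 ssh2
Jan 10 03:40:51 host sshd[1310]: Failed password for root from 198.51.100.88 port 51522 ssh2
Jan 10 04:02:17 host sshd[1377]: Failed password for invalid user pi from 203.0.113.45 port 33810 ssh2
Jan 10 04:15:00 host sshd[1402]: Accepted publickey for river from 192.0.2.10 port 50222 ssh2
Jan 10 05:20:44 host sshd[1499]: Failed password for root from 192.0.2.200 port 60001 ssh2
Jan 10 06:01:02 host sshd[1533]: Failed password for root from 2001:db8::5 port 41000 ssh2
"""

def failed_sources(log_text):
    """Return a Counter of failed password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if not match:
            continue
        try:
            counts[ipaddress.ip_address(match.group(1))] += 1
        except ValueError:
            pass  # source field was not an IP literal; ignore it
    return counts

def by_network(counts, prefixes):
    """Sum distinct sources and attempts under each labelled prefix."""
    nets = {ipaddress.ip_network(p): label for p, label in prefixes.items()}
    summary = {}
    for ip, attempts in counts.items():
        label = next((lbl for net, lbl in nets.items() if ip in net), "unlabelled")
        row = summary.setdefault(label, {"sources": 0, "attempts": 0})
        row["sources"] += 1
        row["attempts"] += attempts
    return summary

if __name__ == "__main__":
    for label, row in by_network(failed_sources(SAMPLE_LOG), PREFIXES).items():
        print(f"{label}: {row['sources']} sources, {row['attempts']} attempts")
```

Many sources with one or two attempts each, concentrated under a few access-network prefixes, is the shape the post describes.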

The Lesson

If it doesn't need to be on the internet, don't put it on the internet. If you are unsure if you have any router logins online, please do an Nmap scan of your IP.

For example:
nmap -sS 0.0.0.0

Stay safe!

AbuseIPDB - Riverside Rocks

My Website


Top comments (3)

Raymond

"If it doesn't need to be on the internet, don't put it on the internet. If you are unsure if you have any router logins online, please do an Nmap scan of your IP."
lol, reminds me of people who expose their Home Assistant instances to the internet. I found one or two with media control

RiversideRocks

Even worse, the people who put security cameras on the internet.

Raymond

Home Assistant is usually connected to a lot of things, security/door cams included.
Have a look here home-assistant.io/integrations/
