So I host an SSH server honeypot on my public IP, and I thought to myself: how big a difference is there between running the service on port 22 vs 2222? Is this single step a big enough hurdle to consider it better?
And of course, like everything else in my life, I did an experiment of exactly that and gathered some data. Here are my results!
Just after the transition, there were no new connections. That is expected, as no bot or database is now aware of the new port. However, at the end of 15th Aug, there is a spike, and we're back on the radar!
By Day 4, we're getting a constant stream of new attempts. This is not as big as before, but I'm sure the number will climb. But to match the original resilience of bots, we'll need a bit more time. For a more holistic view, have a look at the graph here.
We can see that the number of connections is slowly rising. Whatever the trend is, I'll post about this again after some time, since the previous port and IP were alive for more than almost a year. However, it does prove that hiding on such an obvious secondary port won't work. No surprises there! 🤷‍♂️
A month after changing the port, the results are here. It cannot be more obvious.