Running SSH on Port 22 vs 2222

So I host an SSH server honeypot on my public IP, and I thought to myself: how big a difference does running the service on port 22 vs 2222 make? Is this single step a big enough hurdle to consider it better?

And of course, like everything else in my life, I did an experiment of exactly that and gathered some data. Here are my results!

Initial Results. 100% drop for a few days!

Just after the transition, there were no new connections. That is expected, as no bot or database is aware of the new port yet. However, at the end of 15th Aug there is a spike, and we're back on the radar!

You can see the number of connections slowly tracking up by the 4th day!

By Day 4, we're getting a constant stream of new attempts. It is not as big as before, but I'm sure the number will climb. To match the original resilience of the bots, though, we'll need a bit more time. For a more holistic view, have a look at the graph here.

Please ignore my bad handwriting.

We can see that the number of connections is slowly rising. Whatever the trend is, I'll post a follow-up on this after some time, since the previous port and IP were alive for more than almost a year. However, it does prove that hiding on such an obvious secondary port won't work. No surprises there! 🤷‍♂️

A month after changing the port, the results are here. It cannot be more obvious.

On the left is the previous SSH crawling. On the right, port 2222 has been rediscovered and is bombarded with requests.
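
The comparison above comes down to three numbers: connections per day on each port, how long the new port stayed quiet, and which sources turned up on both ports. The following is an added sketch of that analysis, not the code behind the graphs in this post; the log layout (`<ISO timestamp> <dst_port> <src_ip>`), the sample lines, the year and the switch time are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample data. The "<ISO timestamp> <dst_port> <src_ip>" layout,
# the year and the switch time are assumptions; IPs are documentation ranges.
SAMPLE_LOG = """\
2023-08-10T03:12:44 22 192.0.2.10
2023-08-10T09:40:02 22 198.51.100.7
2023-08-11T01:05:19 22 192.0.2.10
2023-08-11T17:22:51 22 203.0.113.5
malformed line
2023-08-15T23:48:10 2222 198.51.100.7
2023-08-16T04:02:33 2222 203.0.113.5
2023-08-16T11:15:00 2222 203.0.113.9
"""
SWITCHED_AT = datetime(2023, 8, 12)  # constructed moment of the port change

def parse(log):
    """Yield (timestamp, port, src_ip); skip lines that do not parse."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), int(parts[1]), parts[2]
        except ValueError:
            continue

def daily_counts(events):
    """Connections per (day, port): the series a per-day graph plots."""
    return Counter((ts.date().isoformat(), port) for ts, port, _ in events)

def quiet_period(events, new_port, switched_at):
    """Time from the port change to the first hit on the new port, or None."""
    hits = [ts for ts, port, _ in events if port == new_port and ts >= switched_at]
    return min(hits) - switched_at if hits else None

def returning_sources(events, old_port, new_port):
    """Source IPs seen on both ports: scanners that found the service again."""
    old = {ip for _, port, ip in events if port == old_port}
    new = {ip for _, port, ip in events if port == new_port}
    return old & new

if __name__ == "__main__":
    events = list(parse(SAMPLE_LOG))
    for (day, port), n in sorted(daily_counts(events).items()):
        print(day, port, n)
    print("quiet for:", quiet_period(events, 2222, SWITCHED_AT))
    print("on both ports:", sorted(returning_sources(events, 22, 2222)))
```

A short quiet period and a large overlap in sources are what "rediscovered" looks like in the data: the port change bought a delay, not a reduction in exposure.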
