Have you ever seen your sshd logs being clean without crowdsec or fail2ban while listening on 22/tcp with public IPv4?

At Skhron, all our customers benefit from our TCP tarpit system that detects global portscans.

Remarkably, this not only helps our customers but also makes the entire Internet a slightly safer place: we automatically notify the network owner about a suspected device infection. This helps detect a malware infection so that it can then be cured.

Discussion

IPv6 is widespread enough these days, just listen on TCP6, portscans are not feasible over such a large address space.

Script kiddies hate this one trick!

This will work unless the IPv6 address is used to host any website with TLS. Censys and Onyphe AFAIK already use this heuristic to scan IPv6 addresses.

You don't need to bind sshd to the same IP as a webserver or anything else. There are gazillions of IP6s, scanning them all isn't feasible.

On most servers you get a /64, which is 18,446,744,073,709,551,616 IP6s. That's 18 quintillion.

This is true; the intention of my post was to raise awareness among others.

Yup, and what you said is good info too. Just figured I'd add the IPv6 angle.

Btw, we offer routed /56 IPv6 prefixes for free if asked, if the default /64 allocation is not enough.

My router gets hit with SSH attempts.

It's hilarious.

That and also people seemingly trying to fudge /cgi-bin/luci :-)

Btw, we share the list of IP addresses we have detected as performing an unsolicited TCP portscan here: https://otx.alienvault.com/pulse/66794486bda6c3cf8823c604

It is updated hourly.

Oh, neat!

Prudent! Nice work.