While playing around with the builtin firewall logging on my wireless router, I decided to pull out my logs and parse all the failed attempts at exploit/scanning activity to find out the most popular ports for scanning activity. These ports should be avoided if at all possible when opening services to the internet -- for instance, configure SSH to listen on a random lesser known port like 9555 to avoid constant brute force and exploit attempts against your SSH server instead of the default of 22. The following stats cover the last 30 days on my home internet connection and are sorted by the frequency of occurrence. Out of the top 10, I pick out telnet, sql, ssh, sip, upnp, rdp, and http. By just changing these default ports(if you have to open these services to the internet at all), one could significantly reduce their attack surface from mass scans.
| Hits 514 |
Port 23 |
| 183 | 1433 |
| 135 | 22 |
| 70 | 5060 |
| 37 | 2323 |
| 34 | 1900 |
| 26 | 3389 |
| 25 | 80 |
| 24 | 8080 |
| 20 | 81 |
| 16 | 3306 |
| 16 | 9000 |
| 14 | 0 |
| 12 | 7547 |
| 11 | 123 |
| 11 | 21 |
| 6 | 2222 |
| 6 | 443 |
| 5 | 3388 |
| 5 | 3390 |
| 5 | 53 |
| 5 | 8081 |
| 4 | 111 |
| 4 | 3392 |
| 4 | 5038 |
| 4 | 5900 |
| 3 | 161 |
| 3 | 3393 |
| 3 | 3395 |
| 3 | 3398 |
| 3 | 4028 |
| 3 | 6379 |
| 3 | 8888 |
| 2 | 110 |
| 2 | 1434 |
| 2 | 1723 |
| 2 | 19 |
| 2 | 25 |
| 2 | 3128 |
| 2 | 3327 |
Comments
Post a Comment