<![CDATA[SSH - Shodan Blog]]>https://blog.shodan.io/Ghost 0.7Fri, 10 Apr 2026 09:32:34 GMT60<![CDATA[Hiding in Plain Sight]]>A common reaction I get when talking about devices exposed on the Internet is something like the following:

Specifically, the idea that running the service (in this case Minecraft) on a non-standard port is a good way to stay hidden. In security circles this is also known as the concept

]]>https://blog.shodan.io/hiding-in-plain-sight/2abb6390-8107-43e6-a3a9-8bdaf111523bSun, 29 Mar 2015 06:42:43 GMT

A common reaction I get when talking about devices exposed on the Internet is something like the following:

Hiding in Plain Sight

Specifically, the idea that running the service (in this case Minecraft) on a non-standard port is a good way to stay hidden. In security circles this is also known as the concept of security by obscurity, and it's considered a largely ineffective, deprecated idea. What's worse is that it might give you the owner of the server/ device a false sense of security. For example, lets take a look at people running OpenSSH on a non-standard port (i.e. "product:openssh -port:22"):

Hiding in Plain Sight

The top 10 non-standard ports for OpenSSH are:

  1. 2222
  2. 5000
  3. 23
  4. 9999
  5. 26
  6. 666
  7. 2323
  8. 5555
  9. 4444
  10. 10001

These numbers don't look that random to me... Right away you should realize that your random choice of non-standard port might not be so unique. Port 2222 is popular the same way that HTTP on port 8080 is popular, and it's also the default port for the Kippo honeypot though I doubt that many people are running honeypots. The next most popular port is 5000, which didn't follow the same pattern as the other ports to me (repeating/ symmetric numbers). And it was around the same time that I realized that Australia was the 2nd most popular country to run OpenSSH on a non-standard port. I decided to take a closer look at Australia, and it turns out that there are nearly the same amount of servers running OpenSSH on port 5000 as they are on the default port 22. About 68,000 devices are running on the default port, and 54,000 on port 5000. Since they're running on a non-standard port Shodan wasn't grabbing the SSH fingerprint or showing more detailed information in the banner, so I checked a few devices manually and they all had the same fingerprint:

5b:a2:5a:9a:91:28:60:9c:92:2b:9e:bb:7f:7c:2e:06

And I inadvertently stumbled across the same issue as a while ago: Duplicate SSH Keys Everywhere. This time it appears that the Australian ISP BigPond installs/ configures networking gear that not only runs OpenSSH on port 5000 (most likely for remote management) but also has the same SSH keys installed on all of them. The devices also happen to run an old version of OpenSSH that was released on September 4th 2007. There's no guarantee that running OpenSSH on the default port would've made them more security conscious, but their installation of ~54,000 devices is 25% of the total number of OpenSSH servers on the Internet running version 4.7 (sidenote: the most popular version of OpenSSH is 5.3).

The Minecraft user does mention simple things you can do to improve the security of your device: add a whitelist and change the default credentials. They're easy to do and make a big difference to prevent your device from becoming an easy target!

]]><![CDATA[Duplicate SSH Keys Everywhere]]>Back in December when I revamped the SSH banner and started collecting the fingerprint I noticed an odd behavior. It turns out that a few SSH keys are used a lot more than once. For example, the following SSH fingerprint can be found on more than 250,000 devices!

dc:
]]>https://blog.shodan.io/duplicate-ssh-keys-everywhere/fd2c0c2e-cc15-4af7-8d8a-92b4a07bc790Tue, 17 Feb 2015 20:15:22 GMTBack in December when I revamped the SSH banner and started collecting the fingerprint I noticed an odd behavior. It turns out that a few SSH keys are used a lot more than once. For example, the following SSH fingerprint can be found on more than 250,000 devices!

dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0

And there are many more fingerprints that are also duplicated, which you can check out yourself using the following Python code:

import shodan

api = shodan.Shodan(YOUR_API_KEY)

# Get the top 1,000 duplicated SSH fingerprints
results = api.count('port:22', facets=[('ssh.fingerprint', 1000)])

for facet in results['facets']['ssh.fingerprint']:
    print '%s --> %s' % (facet['value'], facet['count'])

Going back to the fingerprint mentioned above, when you plug that into Shodan the picture becomes somewhat clearer:

It looks like all devices with the fingerprint are Dropbear SSH instances that have been deployed by Telefonica de Espana. It appears that some of their networking equipment comes setup with SSH by default, and the manufacturer decided to re-use the same operating system image across all devices.

The next duplicated fingerprint on the list comes in at around 200,000 devices, followed by another one used by 150,000 devices. By analyzing the facets it's easy to get a picture of systemic issues that plague both hardware manufacturers as well as ISPs/ hosting providers. I've uploaded a list of unique fingerprints and their counts to the following Gist location:

https://gist.github.com/achillean/07f7f1e6b0e6e113a33c

Feel free to download the CSV and start analyzing the duplicated fingerprints because there are a lot of them. I wouldn't be surprised if you'd uncover interesting security issues by analyzing why these things are misconfigured.

]]>