Hiding in Plain Sight

A common reaction I get when talking about devices exposed on the Internet is something like the following:

Specifically, the idea that running the service (in this case Minecraft) on a non-standard port is a good way to stay hidden. In security circles this is known as security by obscurity, and it's considered a largely ineffective, deprecated idea. What's worse is that it might give you, the owner of the server/device, a false sense of security. For example, let's take a look at people running OpenSSH on a non-standard port (i.e. the Shodan query "product:openssh -port:22"):

The top 10 non-standard ports for OpenSSH are:

  1. 2222
  2. 5000
  3. 23
  4. 9999
  5. 26
  6. 666
  7. 2323
  8. 5555
  9. 4444
  10. 10001

These numbers don't look that random to me... Right away you should realize that your random choice of non-standard port might not be so unique. Port 2222 is popular the same way that HTTP on port 8080 is popular, and it's also the default port for the Kippo honeypot, though I doubt that many people are running honeypots. The next most popular port is 5000, which didn't follow the same pattern as the other ports (repeating/symmetric numbers). Around the same time I realized that Australia was the 2nd most popular country for running OpenSSH on a non-standard port. I decided to take a closer look at Australia, and it turns out that there are nearly as many servers running OpenSSH on port 5000 as on the default port 22: about 68,000 devices are running on the default port, and 54,000 on port 5000. Since they're running on a non-standard port, Shodan wasn't grabbing the SSH fingerprint or showing more detailed information in the banner, so I checked a few devices manually and they all had the same fingerprint:

5b:a2:5a:9a:91:28:60:9c:92:2b:9e:bb:7f:7c:2e:06

I had inadvertently stumbled across the same issue as a while ago: Duplicate SSH Keys Everywhere. This time it appears that the Australian ISP BigPond installs/configures networking gear that not only runs OpenSSH on port 5000 (most likely for remote management) but also has the same SSH host keys installed on all of them. The devices also happen to run an old version of OpenSSH that was released on September 4th 2007. There's no guarantee that running OpenSSH on the default port would've made them more security conscious, but their installation of ~54,000 devices is 25% of the total number of OpenSSH servers on the Internet running version 4.7 (sidenote: the most popular version of OpenSSH is 5.3).
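The check I'd want to run against my own fleet after a finding like this is "do any of my devices share a host key?" The script below is an added example, not code from the post or from Shodan: it computes the legacy colon-separated MD5 fingerprint (the format shown above) from an OpenSSH public key line and groups hosts by fingerprint. The host names and key bytes are constructed sample data, not real devices or real keys.

```python
import base64
import hashlib
import struct
from collections import defaultdict

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def fingerprint_of_blob(blob: bytes) -> str:
    """Legacy OpenSSH fingerprint: MD5 of the wire-format key, as colon-separated hex."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def md5_fingerprint(pubkey_line: str) -> str:
    """Fingerprint a line such as 'ssh-rsa AAAA... comment' (known_hosts style lines
    with a leading host field are accepted too, since we locate the key-type token)."""
    fields = pubkey_line.split()
    for idx, field in enumerate(fields[:-1]):
        if field.startswith(KEY_TYPE_PREFIXES):
            return fingerprint_of_blob(base64.b64decode(fields[idx + 1]))
    raise ValueError("no SSH key type token found in line")


def find_shared_host_keys(host_keys):
    """host_keys: iterable of (host, pubkey_line). Returns {fingerprint: [hosts]} for
    every fingerprint seen on more than one host; an empty dict means no key reuse."""
    seen = defaultdict(set)
    for host, key_line in host_keys:
        seen[md5_fingerprint(key_line)].add(host)
    return {fp: sorted(hosts) for fp, hosts in seen.items() if len(hosts) > 1}


def _ed25519_line(raw32: bytes, comment: str) -> str:
    # Constructed key line: SSH wire format is the length-prefixed type string followed
    # by the length-prefixed 32-byte key. These bytes are NOT a real key pair.
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


# Constructed sample fleet: three devices shipped with one vendor-default key, one unique.
SAMPLE_FLEET = [
    ("cpe-a.example", _ed25519_line(b"\x01" * 32, "vendor-default")),
    ("cpe-b.example", _ed25519_line(b"\x01" * 32, "vendor-default")),
    ("cpe-c.example", _ed25519_line(b"\x01" * 32, "vendor-default")),
    ("admin-gw.example", _ed25519_line(b"\x02" * 32, "unique")),
]

if __name__ == "__main__":
    for fp, hosts in find_shared_host_keys(SAMPLE_FLEET).items():
        print(f"{fp} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

In practice you would feed it the output of ssh-keyscan over your own address space; any fingerprint listed more than once points at a device family that needs its host keys regenerated.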

The Minecraft user does mention simple things you can do to improve the security of your device: add a whitelist and change the default credentials. They're easy to do and make a big difference to prevent your device from becoming an easy target!