LinuxQuestions.org


Motaro 04-11-2024 04:00 AM

How are servers found on the internet that have no name registration?
 
I don't know if people have this problem. Recently I saw a video of a person talking about it on YouTube, and I found I could relate to it. It seems that when you set up a server on the internet, you very rapidly start getting ssh dictionary attacks, even though you have a dynamic IP assignment and no name registration. I've tried in the past to do a network lookup for my subnet internet provider to see if I can see other computers, but it seems that the network provider blocks those messages.

So I'm curious: how are hostile users of the internet finding servers so fast?

If anyone can shed some light on this problem, it will be appreciated.

Regards

pan64 04-11-2024 04:14 AM

I guess that is just a more or less random try or scanning. Sometimes successful, sometimes not.

Turbocapitalist 04-11-2024 04:53 AM

Computing power has caught up with all that: It's quite affordable nowadays to fire up a pool of servers, AWS for example, and check each and every port on every last IPv4 address in a matter of hours. The same can be said for the known IPv6 space (the ranges in actual use).

Here are two interesting links on that topic, one old, one new:

https://census2012.sourceforge.net/paper.html

https://www.shodan.io/


However, even before 'cloud' services hit the market, nefarious interests could pool compromised Windows servers and desktops for that task.

jayjwa 04-11-2024 12:30 PM

People use scanner tools that don't care about the name. They just scan entire netblocks for a port, say 22, then record that. This data is then passed on to another tool. nmap can do this. The ip6 address space is much quieter (at the moment).

wpeckham 04-11-2024 02:23 PM

COMCAST (Xfinity) does network scanning on their subnets, and some threat actors do as well. My average time between getting a new device on the network and seeing dictionary attack activity averages right about ten minutes. (Some days as little as a minute or two, some days nearly half an hour.)

Never assume that name services can make you safe, they only make identifying nodes by name more convenient for PEOPLE. The hardware doesn't care, the criminals do not care.

___ 04-12-2024 02:36 AM

Your PC probably has a private/non-routable/RFC1918 IP address, DHCP from ISP router. This might help:
https://security.stackexchange.com/q...et-through-nat

jefro 04-12-2024 03:12 PM

Put Wireshark on the WAN side and you will see a constant attack stream.

frankbell 04-12-2024 08:53 PM

I agree with the others. The most likely culprit is bad actors using random port scans.

If you have not done so, you may wish to install fail2ban.


All times are GMT -5.