Shodan found Dropbear
-
Hi all,
After I checked my IP address on Shodan, it was found that port 2222 is open with the Dropbear daemon.
It is very interesting to see because WAN is closed. I do not use SSH, so SSH is disabled. Also, Dropbear is not installed. Below are some pics from the test.
[Screenshots: Shodan result, sockstat output, SSH settings, Dropbear]
I also checked port 2222 from the outside. It was closed.
I found this post on the forum:
https://forum.netgate.com/topic/173161/dropbear-ssh-server
I think the guy had a similar problem, but in any case, he didn't explain it. Can anyone give me an explanation: how is this possible, or what is going on?
I tried asking my ISP, but they are still checking :).
Thanks for the help. -
@WhoAmI68
Maybe someone had your IP before you got it?
Look at the date: 2024-10-24 -
@MoonKnight No :), I have had the IP address for half a year.
I use some spam DB list, so it blocks Shodan, Apollo, etc. So in this situation, I do not understand how it was possible to do a scan from their side :).
Maybe ISP's router has been hacked?
The ISP uses some port for remote service. In any case, there is still no explanation. -
Okay, why not try to do a port check again from https://www.grc.com/x/ne.dll?bh0bkyd2
Just to make sure the port is closed.
Maybe they have been scanning you from a new IP? I'm sure they get some new servers and then do some more scans before others find out :) -
@MoonKnight said in Shodan found Dropbear:
www.grc.com
As I said before, I have made a scan from outside; it is closed, so pfBlocker takes it. Anyway, Shodan logs that; it doesn't just happen :).
-
@WhoAmI68 said in Shodan found Dropbear:
Can anyone give me an explanation: how is this possible
It's not.
-
@WhoAmI68 said in Shodan found Dropbear:
Anyway, Shodan logs that; it doesn't just happen :).
Did you maybe have a UniFi AP open to the internet? Did/do you have a router in front of pfSense that might have had remote access enabled?
There was just some other thread that popped up that I saw about Dropbear from a while ago - pfSense doesn't run Dropbear - never has as far back as I can remember.. I don't even believe it did from before it was pfSense, back when it was m0n0wall..
And that version of Dropbear is quite old today.. but for example my UniFi APs ran that for the longest time - don't get me started on why they haven't updated them in like forever, and when they actually did - it was still old, even when they deployed it.
Hallway-BZ.6.7.8# ssh -V
Dropbear v2022.83
Hallway-BZ.6.7.8#
The current version is 2024.86; why are UniFi APs on a 2-year-old version? ;)
On a side note - I block all those known scanner things like Shodan.. There is zero reason why they should put into a public DB the ports that are open.. So I block all those shitty scanners..
edit: good, seems my blocks are working; searched my public IP and got this
I have multiple ports open - but screw those guys they have no valid reason to list the ports I have open in a public DB.
-
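The diagnosis the thread circles around is a three-way comparison: what Shodan claims it saw, when it saw it (MoonKnight's point about the 2024-10-24 date versus how long you have held the IP), and what the firewall itself is actually listening on. The script below is an added example, not code from any poster, pfSense or Shodan. It assumes two constructed inputs: a sample of FreeBSD/pfSense `sockstat -4l` output, and a dictionary shaped like the port entries of a Shodan host record (`data[].port`, `transport`, `product`, `timestamp`); the IP address and dates in it are made up.

```python
"""Reconcile a Shodan-style host record with the firewall's own listener table.

Added example for this thread; not code from any poster, pfSense or Shodan.
Both inputs below are constructed samples in the shape of the real thing.
"""
from datetime import date, datetime

# Constructed sample of `sockstat -4l` on a firewall with no SSH/Dropbear listener at all.
SOCKSTAT_OUTPUT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nginx      1234  6  tcp4   *:443                 *:*
unbound  unbound    2345  3  udp4   192.168.1.1:53        *:*
unbound  unbound    2345  4  tcp4   192.168.1.1:53        *:*
root     dhcpd      3456  5  udp4   *:67                  *:*
"""

# Constructed sample shaped like a Shodan host record (ip_str, data[].port/transport/product/timestamp).
SHODAN_RECORD = {
    "ip_str": "203.0.113.10",  # documentation address, not a real host
    "data": [
        {"port": 2222, "transport": "tcp", "product": "Dropbear sshd",
         "timestamp": "2024-10-24T03:11:52.000000"},
        {"port": 443, "transport": "tcp", "product": "nginx",
         "timestamp": "2025-02-01T10:00:00.000000"},
        {"port": 8080, "transport": "tcp", "product": "",
         "timestamp": "2023-12-05T22:40:09.000000"},
    ],
}


def parse_sockstat(text):
    """Return the set of (proto, port) pairs this box itself is listening on."""
    listeners = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "USER":   # skip header and blank/odd lines
            continue
        proto, local = fields[4], fields[5]          # e.g. "tcp4", "*:443"
        port = int(local.rsplit(":", 1)[1])
        listeners.add((proto.rstrip("46"), port))    # tcp4/tcp6 -> tcp, udp4 -> udp
    return listeners


def reconcile(record, listeners, ip_held_since):
    """Classify each Shodan port entry against local listeners and the IP-ownership date.

    ip_held_since: ISO date (YYYY-MM-DD) from which the current IP has belonged to you.
    Verdicts:
      stale_before_assignment - scan predates your ownership of the IP (previous tenant's box)
      listening_locally       - the firewall really does listen on that port
      no_local_listener       - nothing local matches: look at the device in front of the
                                firewall (ISP CPE with remote management), or re-scan externally
    """
    held_since = date.fromisoformat(ip_held_since)
    results = []
    for svc in record["data"]:
        seen = datetime.fromisoformat(svc["timestamp"]).date()
        key = (svc["transport"], svc["port"])
        if seen < held_since:
            verdict = "stale_before_assignment"
        elif key in listeners:
            verdict = "listening_locally"
        else:
            verdict = "no_local_listener"
        results.append({"port": svc["port"], "product": svc.get("product", ""),
                        "seen": seen.isoformat(), "verdict": verdict})
    return results


if __name__ == "__main__":
    local = parse_sockstat(SOCKSTAT_OUTPUT)
    for row in reconcile(SHODAN_RECORD, local, "2024-07-01"):
        print(f"{row['port']:>5}/tcp  {row['product'] or '-':<14} seen {row['seen']}  -> {row['verdict']}")
```

On a real box you would feed it the actual `sockstat -4l` output and the host record from Shodan; an entry that comes out as `no_local_listener` with a recent timestamp is the case in this thread, and the only things left to check are the ISP's CPE (remote-management ports that live on the same public IP but never reach pfSense) and a fresh external scan.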
@johnpoz said in Shodan found Dropbear:
So I block all those shitty scanners
Inbound or both traffic?
-
@Antibiotic Why would anything on my network ever be talking to those IPs.. But they do send a lot of inbound traffic, which they don't need to see what ports I have open.
-
@johnpoz Ok, inbound then)))
-
Same here :) I have been using UniFi for many years now, including switches and APs. I have never enabled UPnP & NAT-PMP on pfSense to prevent the automatic opening of ports from various devices that use UPnP :)
-
@johnpoz said in Shodan found Dropbear:
Did you maybe have a UniFi AP open to the internet?
No, I didn't.
@johnpoz said in Shodan found Dropbear:
Did/do you have a router in front of pfSense that might have had remote access enabled?
Yes, ISP routers have remote access. However, they do not use port 2222.
@johnpoz said in Shodan found Dropbear:
On a side note - I block all those known scanner things like Shodan.. There is zero reason why they should put into a public DB the ports that are open.. So I block all those shitty scanners..
I use a spam DB list to block Shodan, Apollo, etc. So in this situation, I do not understand how it was possible to scan.
-
@WhoAmI68 said in Shodan found Dropbear:
I use a spam DB list to block Shodan
What? How is that going to block it?
-
@johnpoz Normally, like an ipset or pfBlocker feeds list :).
-
@WhoAmI68 and why would you think the scanning IPs from shodan would be in a spam db?? Do you think they also send spam from these IPs?
-
@johnpoz At abuseipdb.com you can check it out.