It could be, but you can always reuse the mapping result for many subsequent attacks without losing that much accuracy. IP addresses will drift due to reassignments over time, but I can easily see a map remain usable for a week or a month. You could also just sell/buy it from someone else, which costs less.
That's from a single machine with 100kPPS. A single cloud machine will get you more, and you can rent a bunch of those.
And it's not like you need to scan all of the internet, limiting yourself to the address ranges of the big hosters will cut down the time again.
But really, the question is what are you defending against? What's your threat model? There's a published SSH 0-day you didn't patch yet? Ok, maybe that'll buy you a few hours of safety, but that's assuming nobody built a database of reachable ports in advance (think shodan) that they can then rely on to execute these kinds of exploits.
Do you see how the complexity of the attack increased though? Now the attacker has to buy multiple hosts to stage their attack from. Like anything in life, when things get hard, a percentage of people give up.
That's why I mentioned building a database, which essentially evaporates the cost for everyone except the one building the database. Unsalted password hashes are considered insecure due to rainbow tables.
And even if nobody built such a database, the cost still seems trivial compared to the effort it would take to compromise SSH in the first place. That is why I asked for a threat model. What are you defending against where everything is cheap except finding the host?
If your goal is to cut down on log spam, that's fine, but then just say so.
You’re defending against people who wrote scripts that only check the default port. Based on numbers that some others posted, that is actually quite a sizeable number, as they reported numbers of attempted connections on the default port to be orders of magnitude higher than other ports.
Scripts are not magic, they must be doing something. So what are you defending against? The last openssh preauth remote exploit from 2003? Weak passwords? Those are much better addressed by other measures.
> Scripts are not magic, they must be doing something
Not necessarily. Sometimes they just record potential targets for later manual probing. If the script doesn’t find what it’s looking for (in this example the default ssh port), your server is not recorded. That in itself is a win, even if it’s small.
> So what are you defending against?
It limits the number of people/processes trying to gain access to your server. Would you rather have 10 people trying to get in, or 1?
> Those are much better addressed by other measures
Well, ya. Nobody is saying obscurity is the only security layer. You would need to secure it assuming the port is known. As an additional layer, only to (even slightly) reduce the number of potential threat actors, you change the port.
If you're monitoring your logs that does make sense. My issue is with corporate policies that say "port 22 = bad" but don't monitor the logs either. I don't see what those are defending against.
I also disagree with the general statement of the blog post that changing the SSH port is like hiding your tanks. The discrepancy between armor and camouflage vs. cryptography and port numbers is many orders of magnitude. A better explanation than that is needed in my opinion.
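The log monitoring the comment above refers to, as an added example that is not part of any comment in this thread: it summarizes connection attempts per SSH listening port from firewall log lines. It assumes a netfilter-style rule that logs new TCP SYNs to the sshd ports with the (assumed) log prefix `SSH-PROBE:`; the sample lines are constructed, not real logs. The script counts attempts and distinct sources per destination port, reports the ratio between the default port and an alternate port, and lists sources that probed both (the scanners a port change does not filter out).

```python
import re
from collections import defaultdict

# Constructed sample of netfilter-style log lines (not taken from the thread).
# "SSH-PROBE:" is an assumed --log-prefix on a rule logging new SYNs to sshd ports.
SAMPLE_LOG = """\
Mar 10 12:00:01 host kernel: SSH-PROBE: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=51234 DPT=22 SYN
Mar 10 12:00:02 host kernel: SSH-PROBE: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=51235 DPT=22 SYN
Mar 10 12:00:03 host kernel: SSH-PROBE: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=22 SYN
Mar 10 12:00:04 host kernel: SSH-PROBE: IN=eth0 OUT= SRC=198.51.100.200 DST=198.51.100.7 PROTO=TCP SPT=40002 DPT=22 SYN
Mar 10 12:00:05 host kernel: SSH-PROBE: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.7 PROTO=TCP SPT=33000 DPT=2222 SYN
Mar 10 12:00:06 host kernel: unrelated message without a probe prefix
Mar 10 12:00:07 host kernel: SSH-PROBE: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=51236 DPT=2222 SYN
"""

# Only lines carrying the probe prefix are relevant; pull the source IP and destination port.
PROBE_RE = re.compile(r"SSH-PROBE:.*?\bSRC=(?P<src>[\d.]+).*?\bDPT=(?P<dpt>\d+)")


def summarize_probes(lines):
    """Return {dst_port: {"attempts": int, "sources": sorted list of source IPs}}."""
    attempts = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        m = PROBE_RE.search(line)
        if not m:
            continue  # not a probe log line
        port = int(m.group("dpt"))
        attempts[port] += 1
        sources[port].add(m.group("src"))
    return {
        port: {"attempts": attempts[port], "sources": sorted(sources[port])}
        for port in attempts
    }


def noise_ratio(summary, default_port=22, alt_port=2222):
    """How many more attempts the default port draws than the alternate port.

    Returns None when the alternate port saw no attempts (nothing to divide by).
    """
    alt = summary.get(alt_port, {}).get("attempts", 0)
    if alt == 0:
        return None
    return summary.get(default_port, {}).get("attempts", 0) / alt


def sources_on_both(summary, port_a=22, port_b=2222):
    """Sources that probed both ports: these are not the default-port-only scripts."""
    a = set(summary.get(port_a, {}).get("sources", []))
    b = set(summary.get(port_b, {}).get("sources", []))
    return sorted(a & b)


if __name__ == "__main__":
    summary = summarize_probes(SAMPLE_LOG.splitlines())
    for port, info in sorted(summary.items()):
        print(f"port {port}: {info['attempts']} attempts from {len(info['sources'])} sources")
    print("default/alternate ratio:", noise_ratio(summary))
    print("sources probing both ports:", sources_on_both(summary))
```

Run it against `journalctl -k` output (or wherever the kernel log lands) once such a logging rule is in place; the two numbers that matter for the argument in this thread are the ratio and the "both ports" list, since only the latter represents scanners a port change does nothing about.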
> "or 655,360 hours if scanning all ports"
More than 70 years. Or a month with a fully loaded 8x10 gbit connection and the hardware to drive it and store results.