[korethr]

The situation with SMPTS and port 465 is a fun one. By my understanding, at present, implicit TLS for submission isn't standard. Now, a lot of mail server operators listen on port 465 for SMTPS anyway, because very breifly, that was the standard port for such. But there are other operators who are stickler for the letter of the standard, and when asked to support SMTPS on port 465, respond with "That's not standard. STARTTLS on 587 is. Use STARTTLS." I will confess to having been one of those operators in the past. Reflecting, I suspect that was at least partly because in insisting on strict standard compliance, I cut down on the amount of spam I had to deal with (you would be amazed at the sheer volume of poorly coded bots that imediately throw a LOGIN or MESSAGE FROM at you upon establishing a connection, not even bothering to forge a HELO or EHLO).

I totally support RFC 8314's attempt to standardize existing practice, and get port 465 officialy recognized. https://datatracker.ietf.org/doc/html/rfc8314 Once done, what is "standard" will no longer be an excuse. Though, updating out-of-support middleboxen will probably still take a while.

[soneil]

I was under the impression 8314 was a "done deal". IANA have listed 465 as submission over TLS since december 2017.

(The previous iteration was submission over SSL in the late 90s on the same port.)

[deathanatos]

Similarly, I have my personal SSH server configured to only accept "modern" crypto. A fair number of attacking clients fail to negotiate a cipher!

[cge]

I recently switched my SSH servers to only listen to IPv6. They're still on port 22, and still pointed to by DNS, yet, while they received bot connection attempts every few seconds when listening for IPv4, they haven't received a single bot connection attempt in the last week since I made the switch.

Bots apparently simply don't bother with IPv6.

[bombcar]

Enumeration of all IPv4 is easy. Enumeration of all DNS entries is hard to impossible. Enumeration of all IPv6 is impossible.

[throw0101a]

> Enumeration of all IPv6 is impossible.

Though do take note of RFC 7707, "Network Reconnaissance in IPv6 Networks":

   IPv6 offers a much larger address space than that of its IPv4
   counterpart.  An IPv6 subnet of size /64 can (in theory) accommodate
   approximately 1.844 * 10^19 hosts, thus resulting in a much lower
   host density (#hosts/#addresses) than is typical in IPv4 networks,
   where a site typically has 65,000 or fewer unique addresses.  As a
   result, it is widely assumed that it would take a tremendous effort
   to perform address-scanning attacks against IPv6 networks; therefore,
   IPv6 address-scanning attacks have been considered unfeasible.  This
   document formally obsoletes RFC 5157, which first discussed this
   assumption, by providing further analysis on how traditional address-
   scanning techniques apply to IPv6 networks and exploring some
   additional techniques that can be employed for IPv6 network
   reconnaissance.

* https://datatracker.ietf.org/doc/html/rfc7707

[bombcar]

If we move to ipv6 majorly I suspect reflex scanning will become more of a thing (see a connection from X, scan X).

[duskwuff]

IPv4 is trivial to enumerate. IPv6 is not.

Guess how most SSH-scanning bots find targets?

[singlow]

Probably saves them time. You are not a soft target. What incentive do they have to add support when it only gains them access to more hardened systems that most likely are not vulnerable to their next phase.