[eps]

It appears to be two-stage process.

There are open port scanners that just check what ports are open on which IPs, and there are separate ssh login brute-forcers. Once your machine gets picked up by the former, the latter will pile up.

I have two servers on adjacent IPs, both with ssh listening on a high port. One gets hammered with login attempts and the other does not.

[nonamesleft]

A lot of these seem to use zmap (https://github.com/zmap/zmap) or masscan (https://github.com/robertdavidgraham/masscan) for the initial scan.

Often with default parameters such as zmap setting ip id to 54321, having tcp initial window at 65535, having no SACK bit set and masscan with no SACK bit either, tcp initial window at 1024, tcp maximum segment size 1460 (which is strange to put below initial window size!), (older versions having fixed src port 61000 or 60000 from documentation examples and no MSS set), all of which are extremly uncommon in legitimate traffic and thus easily identified.

Even those so called "legitimate" scanners (emphasis on the "") seem to use these tools with little or no extra configuration.

With this setup the last time my high-port ssh (key-only) has got an attempt on it was 2023-07-26 (previous intruders get permanently firewalled).

[gradschool]

This might not matter for your setup, but I would have thought it's bad in general to have sshd listening on a high port because then any non-root user who finds a way to crash it can replace it with his own malicious ssh server on the same port.

[usr1106]

You mean non-root local user? We don't have non-trusted users on the system.

Well, unless the http server or our dns resolver has a remote code execution vulnerability.

So directly I don't see the risk you describe. Of course considering maximum defense in depth you might have point.

[20after4]

That's a good point, though you could use some firewall rules to rewrite the port number so that the local daemon is listening on the normal port but accessible via an alternate high numbered port.

[usr1106]

Maybe that's the case. The machines where I am seeing a lot of ssh login attempts on high ports have been on the same IPv4 address for years. Some since 2018.

[frankohn]

Interesting to know. For the moment, several months, I still have no login attempts but so that means my server didn't get picked up by any port scanner.