INFO: Accessible SSH Report

DESCRIPTION LAST UPDATED: 2025-04-25

DEFAULT SEVERITY LEVEL: INFO

Introduction

This report identifies hosts that have the Secure Shell (SSH) service running and accessible on the Internet.

This does not necessarily indicate that anything is wrong with the system, but if the SSH running on a system (or the version that is running) seems out of place, you may wish to investigate. By default therefore, we classify events reported as INFO (informational only).

However there are exceptions when we will classify individual events reported with a higher severity level, as explained below.

Detected issues

CVE-2025-32433

On 2025-04-25 we added version based detection of Erlang/OTP SSH server CVE-2025-32433 (CVSS 3.1 10.0). More details can be found at https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2. A public exploit is available. Detection is based on detection of SSH-2.0-ConfD in the banner (exact match). Severity is set to CRITICAL.

CVE-2024-6387 (“regreSSHion”)

On 2024-07-01 we have added version based detection of CVE-2024-6387. Read more on regreSSHion: RCE in OpenSSH’s server, on glibc-based Linux systems. Severity is set to CRITICAL. To determine whether an instance is vulnerable or not we use the following condition

The vulnerability resurfaces in versions from 8.5p1 up to, but not including, 9.8p1 due to the accidental removal of a critical component in a function.

Please note there is no reliable method to account for backporting by various Linux distributions. These are scenarios where a distribution will display a potentially vulnerable version but have a patch in place that does not modify the version. False positives are thus possible.

We currently exclude:

SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4,
SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.5,
SSH-2.0-OpenSSH_9.3p1 Ubuntu-3ubuntu3.6,
SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3,
SSH-2.0-OpenSSH_9.3p1 Ubuntu-1ubuntu3.6,
SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3,
SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3
SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1x

In addition, we exclude all OpenBSD instances if possible.

Make sure you update your OpenSSH server: https://www.openssh.com/txt/release-9.8

Password based authentication enabled

If we detect that that an SSH instance returns userauth_methods that includes password (which is not recommended due to daily brute force attacks conducted against exposed SSH endpoints) we set the severity level for that instance to MEDIUM.

CVE-2023-48795 (“Terrapin Attack”)

In addition, we also report instances vulnerable to CVE-2023-48795 (“Terrapin attack“). These are tagged cve-2023-48795 and severity is set to LOW as effective execution of attacks comes with complexity. The logic for tagging instances as vulnerable is based on the paper Terrapin Attack: Breaking SSH Channel Integrity By Sequence Number Manipulation and is implemented as follows (Perl code example):

if ( ( ( ( $server_key_exchange_s2c_mac =~ m/\-etm\@openssh\.com/ && $server_key_exchange_s2c_cipher =~ m/\-cbc/ ) || ( $server_key_exchange_s2c_cipher =~ m/chacha20\-poly1305\@openssh\.com/ ) ) && ( $server_key_exchange_kex !~ m/kex\-strict\-s\-v00\@openssh\.com/ ) ) ) { $tag .= "\;cve-2023-48795"; }

If you receive a report from us, you can verify the status of your SSH server with the Terrapin Scanner from Ruhr-Universität Bochum (authors of the paper).

Detected non-SSH issues

In some cases we will also add tags that are not related to the SSH service itself as such but are related to the IP in question. For example, for Fortra GoAnywhere MFT CVE-2024-0204 we are able to identify IPs that have not applied the patch based on the SSH version banner displayed. This does not mean the vulnerability is exploitable via the SSH service, only that it may be exploitable via the HTTP admin interface if it is exposed.

Dashboard and daily scan results

You can track accessible SSH hosts on our Dashboard.

Terrapin attack exposure can be tracked on the Dashboard here (select source ssh and/or ssh6, then tag cve-2023-48795).

Additional Information

For more information on SSH, see https://en.wikipedia.org/wiki/Secure_Shell.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page..

This report comes in 2 versions, IPv4 and IPv6.

Filenames: scan_ssh, scan6_ssh

Fields

timestamp

Time that the IP was probed in UTC+0
severity

Severity level
ip

The IP address of the device in question
protocol

Protocol that the SSH response came on (always TCP)
port

Port that the SSH response came from (22/TCP)
hostname

Reverse DNS name of the device in question
tag

This will always be ssh
asn

ASN of where the device in question resides
geo

Country where the device in question resides
region

State / Province / Administrative region where the device in question resides
city

City in which the device in question resides
naics

North American Industry Classification System Code
hostname_source

Hostname source
serverid_raw

Name that the SSH server responds with
serverid_version

Max Version of SSH that the server claims to support
serverid_software

Revision number of the server software
serverid_comment

Any other info that the server wishes to convey in its ID string
server_cookie

This is the xauth cookie (I believe)
available_kex

Available Key Exchange Methods
available_ciphers

Available encryption algorithms
available_mac

Available MAC algorithms
available_compression

Available compression algorithms
selected_kex

Selected Key Exchange Method
algorithm

Public Key Algorithm in use
selected_cipher

Selected encryption algorithm
selected_mac

Selected MAC algorithm
selected_compression

Selected compression algorithm
server_signature_value

Server Public Key Signature value
server_signature_raw

Server Public Key Signature raw data
server_host_key

Server Public Key
server_host_key_sha256

Server Public Key SHA256
rsa_prime

The RSA prime value (ssh-rsa only)
rsa_prime_length

RSA prime value length (1024,2048) (ssh-rsa only)
rsa_generator

RSA generator value (ssh-rsa only)
rsa_generator_length

Length of the RSA generator string (ssh-rsa only)
rsa_public_key

RSA public key (ssh-rsa only)
rsa_public_key_length

RSA public key length (ssh-rsa only)
rsa_exponent

RSA exponent used (ssh-rsa only)
rsa_modulus

RSA modulus selected (ssh-rsa only)
rsa_length

Length of the RSA key (1024,2048) (ssh-rsa only)
dss_prime

DSS prime value (ssh-dss only)
dss_prime_length

Length of DSS prime (ssh-dss only)
dss_generator

DSS generator value (ssh-dss only)
dss_generator_length

Length of DSS generator (ssh-dss only)
dss_public_key

DSS public key (ssh-dss only)
dss_public_key_length

Length of DSS public key (ssh-dss only)
dss_dsa_public_g

DSA public key component 'g' (ssh-dss only)
dss_dsa_public_p

DSA public key component 'p' (ssh-dss only)
dss_dsa_public_q

DSA public key component 'q' (ssh-dss only)
dss_dsa_public_y

DSA public key component 'y' (ssh-dss only)
ecdsa_curve25519

Curve25519 public key (ecdsa-* only)
ecdsa_curve

Curve in use (ecdsa-* only)
ecdsa_public_key_length

Public key length (ecdsa-* only)
ecdsa_public_key_b

ECDSA public key component 'b' (ecdsa-* only)
ecdsa_public_key_gx

ECDSA public key component 'gx' (ecdsa-* only)
ecdsa_public_key_gy

ECDSA public key component 'gy' (ecdsa-* only)
ecdsa_public_key_n

ECDSA public key component 'n' (ecdsa-* only)
ecdsa_public_key_p

ECDSA public key component 'p' (ecdsa-* only)
ecdsa_public_key_x

ECDSA public key component 'x' (ecdsa-* only)
ecdsa_public_key_y

ECDSA public key component 'y' (ecdsa-* only)
ed25519_curve25519

Curve25519 public key (ed25519 only)
ed25519_cert_public_key_nonce

Certkey public key nonce (ed25519 only)
ed25519_cert_public_key_bytes

Certkey public key (ed25519 only)
ed25519_cert_public_key_raw

Raw certkey public key (ed25519 only)
ed25519_cert_public_key_sha256

Certkey public key fingerprint (ed25519 only)
ed25519_cert_public_key_serial

Certkey public key serial number (ed25519 only)
ed25519_cert_public_key_type_id

Certificate type (ed25519 only)
ed25519_cert_public_key_type_name

Non-numerical Certificate type name (ed25519 only)
ed25519_cert_public_key_keyid

Certificate key ID (ed25519 only)
ed25519_cert_public_key_principles

Certificate valid principles (ed25519 only)
ed25519_cert_public_key_valid_after

Certificate start date (ed25519 only)
ed25519_cert_public_key_valid_before

Certificate end date (ed25519 only)
ed25519_cert_public_key_duration

How long the certificate is good for (ed25519 only)
ed25519_cert_public_key_sigkey_bytes

Server parsed public signature key (ed25519 only)
ed25519_cert_public_key_sigkey_raw

Raw public signature key (ed25519 only)
ed25519_cert_public_key_sigkey_sha256

Public signature key fingerprint (ed25519 only)
ed25519_cert_public_key_sigkey_value

Public signature key value (ed25519 only)
ed25519_cert_public_key_sig_raw

Raw public key signature (ed25519 only)
banner

SSH banner
userauth_methods

User authentication methods
device_vendor

The identified device vendor
device_type

Device classification (for example, router, firewall, nas, video-system etc)
device_model

The identified device model
device_version

The identified device version
device_sector

The identified device sector
sector

Sector the IP belongs to

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","serverid_raw","serverid_version","serverid_software","serverid_comment","server_cookie","available_kex","available_ciphers","available_mac","available_compression","selected_kex","algorithm","selected_cipher","selected_mac","selected_compression","server_signature_value","server_signature_raw","server_host_key","server_host_key_sha256","rsa_prime","rsa_prime_length","rsa_generator","rsa_generator_length","rsa_public_key","rsa_public_key_length","rsa_exponent","rsa_modulus","rsa_length","dss_prime","dss_prime_length","dss_generator","dss_generator_length","dss_public_key","dss_public_key_length","dss_dsa_public_g","dss_dsa_public_p","dss_dsa_public_q","dss_dsa_public_y","ecdsa_curve25519","ecdsa_curve","ecdsa_public_key_length","ecdsa_public_key_b","ecdsa_public_key_gx","ecdsa_public_key_gy","ecdsa_public_key_n","ecdsa_public_key_p","ecdsa_public_key_x","ecdsa_public_key_y","ed25519_curve25519","ed25519_cert_public_key_nonce","ed25519_cert_public_key_bytes","ed25519_cert_public_key_raw","ed25519_cert_public_key_sha256","ed25519_cert_public_key_serial","ed25519_cert_public_key_type_id","ed25519_cert_public_key_type_name","ed25519_cert_public_key_keyid","ed25519_cert_public_key_principles","ed25519_cert_public_key_valid_after","ed25519_cert_public_key_valid_before","ed25519_cert_public_key_duration","ed25519_cert_public_key_sigkey_bytes","ed25519_cert_public_key_sigkey_raw","ed25519_cert_public_key_sigkey_sha256","ed25519_cert_public_key_sigkey_value","ed25519_cert_public_key_sig_raw","banner","userauth_methods","device_vendor","device_type","device_model","device_version","device_sector","sector"
"2010-02-10 00:00:00",medium,192.168.0.1,tcp,212,node01.example.com,ssh,64512,ZZ,Region,City,0,ptr,"SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.1",2.0,OpenSSH_4.2p1,Debian-7ubuntu3.1,2By8xkanQnthtg+MLzl0hg==,"curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha1","aes256-ctr, aes256-cbc, aes192-ctr, aes192-cbc, aes128-ctr, aes128-cbc, blowfish-cbc, 3des-cbc","hmac-sha2-512, hmac-sha2-384, hmac-sha2-256, hmac-sha1, hmac-md5","none, zlib",curve25519-sha256@libssh.org,ssh-rsa,aes128-ctr,hmac-sha2-256,none,SxIOSXraCZZC6CoN/XA11PbzCa0y5ZkPlC07cpRs/z1AnzrughFd44u6zlOP22gy1s3k+1AlckkPyyh2Zj7FXV9R6UT2u0S11nBsqFLX/4yaohA+XZtKdyP8+wiFA4pORYH6XBqOcyIyxavUOQkPbPVwRCFqabu5TbOW368osRs=,AAAAB3NzaC1yc2EAAACASxIOSXraCZZC6CoN/XA11PbzCa0y5ZkPlC07cpRs/z1AnzrughFd44u6zlOP22gy1s3k+1AlckkPyyh2Zj7FXV9R6UT2u0S11nBsqFLX/4yaohA+XZtKdyP8+wiFA4pORYH6XBqOcyIyxavUOQkPbPVwRCFqabu5TbOW368osRs=,AAAAB3NzaC1yc2EAAAADAQABAAAAgQDHk39MkaTnBudmTH2oS+SqmjXl4zyG5V54vJ8B1ZVS4LajBdpeJKo6a/PPYKnMWZCmFHChzCVZJCzG77dUuMb60KW0ZnWi2pGbdhdEtq9b6woe6bHOv6eaetvAX+fnUfNK2UdzlHrIbOs85is/KqdyRdBHxxe/J+8HqhUZHEf8sQ==,fa94d12931d792ae7706e235a091a16ea60c871e51e468ddb4aaea6d35fb931c,,,,,,,65537,x5N/TJGk5wbnZkx9qEvkqpo15eM8huVeeLyfAdWVUuC2owXaXiSqOmvzz2CpzFmQphRwocwlWSQsxu+3VLjG+tCltGZ1otqRm3YXRLavW+sKHumxzr+nmnrbwF/n51HzStlHc5R6yGzrPOYrPyqnckXQR8cXvyfvB6oVGRxH/LE=,1024,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"password, publickey",,,,,,"Retail Trade"
"2010-02-10 00:00:01",medium,192.168.0.2,tcp,212,node02.example.com,ssh,64512,ZZ,Region,City,0,ptr,SSH-2.0-ROSSSH,2.0,ROSSSH,,T91ZeS5+L8molJ250w0Rpg==,"diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1","aes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc, aes192-cbc, aes256-cbc, blowfish-cbc, 3des-cbc, none","hmac-sha1, hmac-md5",none,diffie-hellman-group14-sha1,ssh-rsa,aes128-ctr,hmac-sha1,none,na5I7tRmybZaipIs4dTX5kYX0UTldosksxAsEQMs2mYCuzTn/Q7+vmkJtlS72Rfq6mH5VMrrWgamwL+s+3e89rhoKG4HXHRjHP4X3IcFvprRR7rmApVHgrtEHCEGvGy97rgT2HYer5ETv/68qi7qdi3ayhRQU+dWz1+mnD4ZnDKoHUcKHYBuufeOK9T05YwY2yQ2kYPEVCDyu0221+IGPcCthFFjjzKvaldE+1akW3fHRKdfm4hzrnAn8Qa7IqhzZS/jgHhQS0Tzh0c+FC4sbch+zf9T6Z+Z37NkSGSH7cetdUpRLLc7Wmz3KiwrIM3gFg2hzb4Gs1mvRO87OjxLUQ==,AAAAB3NzaC1yc2EAAAEAna5I7tRmybZaipIs4dTX5kYX0UTldosksxAsEQMs2mYCuzTn/Q7+vmkJtlS72Rfq6mH5VMrrWgamwL+s+3e89rhoKG4HXHRjHP4X3IcFvprRR7rmApVHgrtEHCEGvGy97rgT2HYer5ETv/68qi7qdi3ayhRQU+dWz1+mnD4ZnDKoHUcKHYBuufeOK9T05YwY2yQ2kYPEVCDyu0221+IGPcCthFFjjzKvaldE+1akW3fHRKdfm4hzrnAn8Qa7IqhzZS/jgHhQS0Tzh0c+FC4sbch+zf9T6Z+Z37NkSGSH7cetdUpRLLc7Wmz3KiwrIM3gFg2hzb4Gs1mvRO87OjxLUQ==,AAAAB3NzaC1yc2EAAAABAwAAAQEAw6JfNWITy9MnZRtWCINKvUuGqLpxU6h1hd9J+h+M2DJ0/Nsa96KMQ67GYoK08OuXtb03CpjBwSBY2wPaal1SRQGqILeE9nJgU9xUbkiOuO0GnTKEz5VNIio1KSEMqkbBrhIEwDmJKNZcpRLQPGn9m1O+8n276evt6Qpry/m8eAyl8Gauve6bbEi6GJLc+XpxL6PDLicc1Hf52RUeuKe/LRFGsvcrcYXxa3ZuWdP5cO0FbnLLykTb6pnkioe1SlGO61KYiM9pkGJquKMXX0zVorA4KqFTeGprVvfzs7CRDH097suJB5B7cX+MUYquLD7UR4qNv/8SSa+4vrfmUScp+Q==,0c13e0d364444dd1c5afe47ea4852c284e7b6715133f75b29b641660b76c4711,,,,,,,3,w6JfNWITy9MnZRtWCINKvUuGqLpxU6h1hd9J+h+M2DJ0/Nsa96KMQ67GYoK08OuXtb03CpjBwSBY2wPaal1SRQGqILeE9nJgU9xUbkiOuO0GnTKEz5VNIio1KSEMqkbBrhIEwDmJKNZcpRLQPGn9m1O+8n276evt6Qpry/m8eAyl8Gauve6bbEi6GJLc+XpxL6PDLicc1Hf52RUeuKe/LRFGsvcrcYXxa3ZuWdP5cO0FbnLLykTb6pnkioe1SlGO61KYiM9pkGJquKMXX0zVorA4KqFTeGprVvfzs7CRDH097suJB5B7cX+MUYquLD7UR4qNv/8SSa+4vrfmUScp+Q==,2048,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"publickey, password",,,,,,
"2010-02-10 00:00:02",medium,192.168.0.3,tcp,212,node03.example.com,ssh,64512,ZZ,Region,City,0,ptr,"SSH-2.0-9.99 FlowSsh: Bitvise SSH Server (WinSSHD)",2.0,9.99,"FlowSsh: Bitvise SSH Server (WinSSHD)",IKa0aYLUivx5SBZdJvzi/A==,"curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha1","aes256-ctr, aes256-cbc, aes192-ctr, aes192-cbc, aes128-ctr, aes128-cbc, blowfish-cbc, 3des-cbc","hmac-sha2-512, hmac-sha2-384, hmac-sha2-256, hmac-sha1, hmac-md5","none, zlib",curve25519-sha256@libssh.org,ssh-rsa,aes128-ctr,hmac-sha2-256,none,lz0gbbKFeJANA3VplKU7d+2CShs4nrhWN4nsbibj3eabKPDLjM1cHzFa+G3iY9x+ZavYLAg3Hn7z4ftqWFMcJGpkmmUXB8uC4oJ2S6mHI7Bo2NOsKtkwL0j0EzeOTdAUWwiGuNiqnbtv2hexlaIWnEzV7QBxIsy4nduzVu1QUCY=,AAAAB3NzaC1yc2EAAACAlz0gbbKFeJANA3VplKU7d+2CShs4nrhWN4nsbibj3eabKPDLjM1cHzFa+G3iY9x+ZavYLAg3Hn7z4ftqWFMcJGpkmmUXB8uC4oJ2S6mHI7Bo2NOsKtkwL0j0EzeOTdAUWwiGuNiqnbtv2hexlaIWnEzV7QBxIsy4nduzVu1QUCY=,AAAAB3NzaC1yc2EAAAADAQABAAAAgQC9ZBsOJAqKJq86Vm9IGs17DBYWsPY2EAPeySuI1v4Jhmw6RrFZAfajETHem8oX9VV0A/zVUc4BujVHg4TFFwk1i4l5MFKH/bJGseU38/HNlPMnWWfiZzRaMGRt9PIOGoa9CfdLPLFrr+ZAh3+qOS8W8BDwhDAH5W3ZBP+HP1EsvQ==,ac97625b6fdc1d2c0f8fe6c3e575cc59b79526180370dd4e4073733e237eb952,,,,,,,65537,vWQbDiQKiiavOlZvSBrNewwWFrD2NhAD3skriNb+CYZsOkaxWQH2oxEx3pvKF/VVdAP81VHOAbo1R4OExRcJNYuJeTBSh/2yRrHlN/PxzZTzJ1ln4mc0WjBkbfTyDhqGvQn3Szyxa6/mQId/qjkvFvAQ8IQwB+Vt2QT/hz9RLL0=,1024,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"password, publickey",,,,,,"Retail Trade"

Our 135 Report Types

« Back to Network Reporting