Security and Obscurity: Does Changing Your SSH Port Lower Your Risk?

By Daniel Miessler on March 16th, 2008: Tagged as Information Security | Sysadmin

[Come see additional debate on this topic over at DSLR Security]

My opinion on security and obscurity is that obscurity can in fact help improve an already sound security posture. That’s keeping in mind that it should never become security by obscurity — which is definitely bad.

Anyway, I’ve debated this issue for years with many people, and I remain convinced that my position on the matter is correct. But tonight I decided to do some very coarse testing of the idea using the SSH daemon.

I decided to configure my SSH daemon to listen on port 24 in addition to its regular port of 22 so I could see the difference in attempts to guess credentials on each. My expected result is far fewer attempts to access SSH on port 24 than port 22, which I equate to less risk to my, or any, SSH daemon.

It’s quite simple to set this up; you just put two port lines in your config instead of one, and then restart your daemon:

[bash]Port 22 Port 24 [/bash]

Then I added logging to a couple of my firewall rules:

[bash]-j LOG –log-level 7 –log-prefix "Logged port 22: " -j LOG –log-level 7 –log-prefix "Logged port 24: "[/bash]

(log rules go before their associated DROP, REJECT and ACCEPT rules, btw)

…and I’ve let that run for over 8 hours…on an unremarkable Saturday.

The Results

Well, it’s definitely true that very few people look for SSH on port 24. In the time that I gathered 7,025 connection attempts to my SSH daemon on port 22 I received 3 on port 24.

Three.

[UPDATE: The stats over the weekend are now over 18,000 connections to port 22, and five (5) to port 24.]

That’s fine, but the real question is this: would it reduce my risk of being compromised remotely through my SSH daemon if I were to change the daemon’s port to 24? I think the answer is yes.

Let’s assume that there’s a new zero day out for OpenSSH that is just owning boxes with impunity. Is anyone willing to argue that someone unleashing such an attack would waste significant effort going for non-standard ports? Or are they more likely to stick with the default port where they’re guaranteed to find more daemons?

I think we do gain security by moving commonly-attacked listeners to non-standard ports. And yes, that extra security does come from obscurity. Remember, even tanks are painted with camouflage.:

  • Adrian Bool

    I agree wholeheartedly; it’s just another level of protection as part of defence in depth – although I’d use port 48351, or similar, rather than port 24!

    This action would only be security through obscurity if you had no password or private key on the accounts – the non-standard port was your only protection. I’m sure that that is not the case!

    A further protection is, on your firewall, to only permit connections with a source port less than 1024, then use the ‘UsePrivilegedPort yes’ in your ~/.ssh/config file to tell ssh to use source ports < 1024. My quick checks with nmap showed that nmap used source ports over 1024 – so even a hit on the right destination port would not result in an ‘open’.

    Were you monitoring the traffic to your ssh ports, if yes, were most of the source ports < 1024??

  • http://www.seanmcollins.com Sean

    The problem with changing ports that services listen on is the loss of trust. Services that listen on ports lower than 1024 are considered “trusted” because they require root privileges. So if SSH is enabled on a very high port, I’d be worried about my personal security when I connect to that system.

    Also, using service detection with tools like NMAP will quickly remove negate any extra security that is provided by running on non-standard ports.

    The only upside to running on non-standard ports is that automated attacks won’t occur, but honestly a good firewall ruleset or a something like deny_hosts really solves the problem while retaining the “trust” factor.

  • http://anthonyvance.com/security/disable_ssh_passwords Disable SSH Password Authentication with OS X 10.5 Leopard « Anthony Vance

    [...] of ssh brute force password attempts, I’ve changed the default port for SSH. This also reduces the risk of an SSH zero-day [...]

  • Samir

    plz can you tell me how to change the port of the ssh on fedora 8 because ive 2 servers on the same router when so i cant login to one of them because the servers ssh have the same port plz help me , thx

  • http://www.blahedo.org/blog blahedo

    What you’re advocating here is not so much security improvement through obscurity, but security improvement through irregularity. You could proclaim from the mountaintops that you serve ssh on port 24—in fact, you just did—and it would still have improved your security. Heck, you could respond to attempts on 22 with a message redirecting them two ports higher, and it would improve your security, because it would still filter out all the wardialer-style scripts. It wouldn’t work if everyone did the same thing, but by decreasing regularity, you make it much harder for the scripts to account for your case. None of these stop someone determined to get into your system in particular, of course, but that’s why you’re not relying on them.

  • http://dmiessler.com/blog/2-ssh-brute-force-countermeastures 2 SSH Brute-Force Countermeastures | dmiessler.com

    [...] you can see from this crude experiment I did back in March, moving your port does in fact make a difference, and if you combine this avoidance measure with [...]

  • http://clichereality.blogspot.com/ Mike

    I just run SSH on a non-standard port >1024 to keep down the size of my log files.

  • http://www.acooke.org andrew cooke

    i used to do this, but switched to using knockd instead.

    one reason i switched is that it wasn’t always easy to persuade other software to use the new port. even sftp requires quite an ugly syntax to pass the parameter down to the ssh layer.

    the other reason was that my isp started “traffic shaping”. that means that data transfer using non-standard ports had limited bandwidth.

    neither of those is a very powerful argument (and i’ve since changed providers – from vtr to telefonica chile – to avoid the traffic shaping) and knockd is itself a bit frustrating to use if you don’t have the client handy (you can trigger it using telnet, but it’s hit and miss).

    even so, you might consider it… http://www.portknocking.org/

    ps also, of course, it can protect other protocols too.

  • Drew

    I do this too. A while back I got really annoyed by the number of brute force attempts on my servers.

    I have a HIDS system in place which alerts me to brute force attacks. On port 22 I would get at least 10 messages that it had blocked a brute force attack every day. I thought about disabling that rule, but then I realized that what I wanted to do was block out the annoying scripts, not the deliberate attacks on my systems. So I moved the SSH port to 831 (just made the number up). Now I don’t get the attack messages unless someone scans my system to look at open ports and attack the services on them, something which indicates a much more dedicated attack which I might actually be worried about. I think I’ve gotten all of one ssh brute force alert across 10 servers.

    To mitigate the inconvenience I just put the ports in my .ssh/config file along with shorthands, such as:

    Host s1 HostName server1 Port 831

    Really quite elegant.

  • http://Monkeystealsthepeach.com/ Sol Invictus

    This is a really, really good idea. Security through obscurity is not a replacement for other standard industry-best security practices, but it is a very helpful part.

    The bottom line is it consumes server resources to deal with bogus connections. Even if you have an effective rejection system in place, a non-standard port reduces the amount of traffic you have to deal with.

  • simon at simon period vc

    I switched mine back to port 22 for 24 hours and (using a specially compiled version of SSH) recorded what usernames/passwords the bot is trying.

    If anyone wants the list email me.

  • http://dmiessler.com/ Daniel Miessler

    Very interesting, Simon.

  • http://dmiessler.com/ Daniel Miessler

    Just add another port to the Port line in your sshd conf file.

  • http://mooism.livejournal.com DAH

    sftp respects ~/.ssh/config; you only have to put the non-standard port in that file, and ssh, sftp, etc will use it.

    man ssh_config.

  • http://mooism.livejournal.com DAH

    sftp respects ~/.ssh/config; you only have to put the non-standard port in that file, and ssh, sftp, etc will use it.

    man ssh_config.

  • http://linuxcritic.com Linux News

    A very interesting article and a very simple, yet effective suggestion. I wish more people would stop exposing themselves needelessly. As I rant, I realize that it'd be sweet if a linux distribution could randomize ports automatically for ssh during the install.
    hm.

  • Pat Niemeyer

    It would be interesting if you try your experiment again but instead of having the two ports open simply move the port to 24. I am wondering how many scripts first try port 22 and then move on to try other ports. This is probably reducing your counts a bit.

  • Pat Niemeyer

    It would be interesting if you try your experiment again but instead of having the two ports open simply move the port to 24. I am wondering how many scripts first try port 22 and then move on to try other ports. This is probably reducing your counts a bit.

blog comments powered by Disqus

Original Content


Trending

Popular

Information Security / Technology

Politics

Philosophy & Religion

Technology & Science

Culture & Society

Miscellaneous


Discovered Content

Top Blog Categories