Comments on: Security and Obscurity: Does Changing Your SSH Port Lower Your Risk?

By: Secure SSH connection: Use another port » CactusBanana.com

Secure SSH connection: Use another port » CactusBanana.com — Mon, 31 Oct 2011 23:49:37 +0000

[...] Security and Obscurity: Does Changing Your SSH Port Lower Your Risk? [...]

By: Bob

Bob — Sat, 19 Feb 2011 18:04:00 +0000

I agree that only good administrators should have access and the risk of a screw-up is low, but it is a risk - and that's what this is all about. Is the risk of an admin making a mistake (and even good ones do) higher than the risk of getting hit by an ssh 0-day and saved by a different port? In most cases I don't believe it is.

I would note that although changing the port should be an easy change, ssh is critical and a mistake made when configuring it can lead to a high security risk or leave you unable to fix a genuine security problem elsewhere. This is always the case but is surely an argument for reducing the time spent in sshd_config unnecessarily.

By: Justin DeMaris

Justin DeMaris — Sat, 19 Feb 2011 16:44:00 +0000

I have to say I was of the same mentality that the port changes were a stupid change that added complexity, but the point that really hit home for me was the zero-day one. We take for granted that SSH itself is secure. And if you want to buy yourself a bit of extra time from automated attacks when a zero-day gets exposed, running on a different port will most CERTAINLY buy you some time.

With regards to the added complexity part... any good administrator is inside the sshd_config file for any server deployment anyway, so changing the port number is very minimal risk. If you keep it consistent across your company, then anyone who has a legitimate reason to be using SSH anyway shouldn't have a problem with it after initial training. Anybody who is comfortable enough with SSH to be given server access should be fine at changing the port number to connect with. Anybody who isn't comfortable with that has no business having shell access to your server.

By: Bob

Bob — Sat, 19 Feb 2011 13:04:00 +0000

It really isn't that simple.

A better analogy would be to say we could install a magical camouflage on our tanks that reduced the chance of getting hit by 1% but actually made it break down 1% more as well. Should we do it? Well, we could, but in the end it doesn't make any difference.

So changing the ssh port reduces my exposure to automated ssh attacks. I already have adequate protection against these through other policies (which I would require anyway), they are very very low risk.

However, by doing this I have at least:

Made an additional configuration change. In other words, added complexity, no matter how minor. And we know about complexity and security.
Added to user and admin WTF factor. Oh, here's that complexity again.
Admin time taken away from dealing with real threats.
Changed to a less-tested code path through ssh. In this case a very very minor one, but once you start making this sort tweak they all add up.

These are maybe a bit of a stretch but so is the idea of a different port stopping some new ssh 0-day.

By: Daniel Miessler

Daniel Miessler — Sat, 19 Feb 2011 00:39:00 +0000

If your tank armor is good enough then getting owned by a bullet is small. So why use camo?

More importantly: Why not?

By: Arik

Arik — Sat, 19 Feb 2011 00:29:00 +0000

The problem is that you measure the risk by the number of hits on your port.

Perhaps the 3 hits on the non-standard port are more risky than all of the other hits combined?

-- Arik

By: Bob

Bob — Sat, 19 Feb 2011 00:29:00 +0000

I think that sometimes people spend far too much time faffing around creating novel solutions to minor risks rather than putting the effort into following good practice – which will mitigate the trivial stuff anyway – and saving their creativity for the real worries.

By: Bob

Bob — Sat, 19 Feb 2011 00:26:00 +0000

I don’t think this is really the case. If you follow good security practice then your risk of getting owned by an automated attempt is near zero even if a new OpenSSH vulnerability is found and – somehow – makes its way into automated scripts quickly enough for you to be hit without warning. These automated attempts are not a security risk for most people, at least I would hope not most people reading this. Moving port does precisely nothing to mitigate the genuine risk of a determined attacker except the thin argument that it reduces noise in logs, and there are other equally valid solutions there.

By: Russell VT

Russell VT — Fri, 18 Feb 2011 22:27:00 +0000

I think you discount the idea that many Internet-daemon compromises have nothing to do with successful authentication. And, as-is the case with past SSH vulnerabilities, buffer overflows can happen early-on in the protocol exchange, possibly leading to a root shell. Yeah, it’s only a stop-gap measure, but moving services like SSH to a port not normally seen/probed in a basic namp scan tends to at least keep the script kiddies away (and, as you say, keeps your logs MUCh cleaner).

By: Russell VT

Russell VT — Fri, 18 Feb 2011 22:20:00 +0000

You need to pick a “better” non-standard port … preferably something not already defined on the “common list of TCP ports.” You’ve experienced more probes on 24 in a weekend than I tend to see in a year or two. Simply adding some multiples of a hundred tends to get you off the list…

Ref: http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

Someone submitted you to Reddit, BTW:

http://www.reddit.com/r/netsec/comments/fnz1h/obscurity_does_changing_your_ssh_port_lower_your/

By: Pronto185

Pronto185 — Fri, 18 Feb 2011 20:29:00 +0000

I change my ssh port to 443, though for a completely different reason. My school blocks outbound 22 on wifi…

By: Bob Smith

Bob Smith — Fri, 18 Feb 2011 20:07:00 +0000

port 22, zero attempts. Iptables for the win.

By: James Cleveland

James Cleveland — Fri, 18 Feb 2011 17:21:00 +0000

Not really, they could try millions of times and fail if you have root password disabled and fail2ban set up.

By: Evan Kaufman

Evan Kaufman — Fri, 18 Feb 2011 17:21:00 +0000

I think it's much simpler in the long run to just set up (for example) fail2ban, and never have to worry about what port your ssh was on or whether some other service or app will support a custom ssh port. That's what I do for my VPS's and I have no complaints whatsoever. Still, it makes an interesting point that an obscurity layer on top of already sound security can usually only make a good thing better.

The only worry is that the security may fail and you may never notice because it's already obscured. This is most likely in a situation where a system is likely to switch maintainers at some point and the new maintainer may not know all the ins & outs.

By: Apreche

Apreche — Fri, 18 Feb 2011 17:13:00 +0000

I run SSH on a non-standard port sometimes, but I don’t have any delusions that it actually helps anything. All my SSH are key-auth only. Since every bot in the universe attempts to connect with password auth, they will never get in even if I’m on port 22. The reason I move the port is simply to make the log files cleaner, since they won’t be full of failed attempts.

By: WebDesignHero

WebDesignHero — Sun, 09 Jan 2011 18:06:00 +0000

From my own personal experience, I have no seen a difference in switching ports. I have to connect from hotels quite frequently. Obviously someone makes their living from hacking there, because when I get home I am still seeing attack on the port I selected for that week. If you just open the port, most automated attacks will use the default. If you are scanned and have banners, they will figure it out if they want. My guess is since they saw the traffic going to the particular receiver socket, they recorded it then performed their attack. In your experiment, how many connections were you making to port 24 from the public? Besides the minor annoyance of the attacker opening connections, and I had high hopes they were not going to crack my key and password.

By: Pat Niemeyer

Pat Niemeyer — Fri, 13 Feb 2009 23:32:20 +0000

It would be interesting if you try your experiment again but instead of having the two ports open simply move the port to 24. I am wondering how many scripts first try port 22 and then move on to try other ports. This is probably reducing your counts a bit.

By: Pat Niemeyer

Pat Niemeyer — Fri, 13 Feb 2009 18:32:20 +0000

By: Linux News

Linux News — Fri, 06 Feb 2009 16:08:24 +0000

A very interesting article and a very simple, yet effective suggestion. I wish more people would stop exposing themselves needelessly. As I rant, I realize that it'd be sweet if a linux distribution could randomize ports automatically for ssh during the install.
hm.

By: DAH

DAH — Sat, 13 Dec 2008 04:39:58 +0000

sftp respects ~/.ssh/config; you only have to put the non-standard port in that file, and ssh, sftp, etc will use it.

man ssh_config.