Security and Obscurity: Does Changing Your SSH Port Lower Your Risk?


My opinion on security and obscurity is that obscurity can in fact help improve an already sound security posture. That’s keeping in mind that it should never become security by obscurity — which is definitely bad.

Anyway, I’ve debated this issue for years with many people, and I remain convinced that my position on the matter is correct. But tonight I decided to do some very coarse testing of the idea using the SSH daemon.

I decided to configure my SSH daemon to listen on port 24 in addition to its regular port of 22 so I could see the difference in attempts to guess credentials on each. My expected result is far fewer attempts to access SSH on port 24 than port 22, which I equate to less risk to my, or any, SSH daemon.

It’s quite simple to set this up: put two Port lines in sshd_config instead of one, then restart the daemon:

Port 22
Port 24

Then I added logging to a couple of my firewall rules:

# iptables-save format; one LOG rule per listening port
-A INPUT -p tcp --dport 22 -j LOG --log-level 7 --log-prefix "Logged port 22: "
-A INPUT -p tcp --dport 24 -j LOG --log-level 7 --log-prefix "Logged port 24: "

(Put each LOG rule before its associated DROP, REJECT or ACCEPT rule. LOG is a non-terminating target, so a logged packet keeps moving down the chain, but a LOG rule placed after the rule that accepts or drops the packet is never reached. Note also that without `--syn` or a conntrack state match, every packet of a session gets logged, not just the initial connection attempt, so count SYNs rather than raw lines.)

…and I’ve let that run for over 8 hours…on an unremarkable Saturday.
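To turn those LOG lines into per-port numbers, here is an added Python example (not code from the original post) that parses iptables LOG output from the kernel log, counts only inbound TCP SYNs as connection attempts (so the rest of each session’s packets are ignored), tracks distinct source addresses, and flags any line whose `--log-prefix` disagrees with its `DPT` field, which would indicate a mistyped or mis-ordered rule. The log lines are constructed sample data using the prefixes from the rules above; the last line is ordinary sshd noise to show that non-matching lines are skipped.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of kernel log lines (not taken from the original post).
# Each line is what the iptables LOG target writes: the --log-prefix text
# followed by the packet header fields. Line 2 is an ACK from an already
# established session and must not count as an attempt; line 6 is a
# deliberately mislabeled line (prefix says 22, DPT says 24) to exercise the
# sanity check; line 7 is unrelated sshd output.
SAMPLE_LOG = """\
Mar  7 21:03:11 host kernel: Logged port 22: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1234 DF PROTO=TCP SPT=51544 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  7 21:03:11 host kernel: Logged port 22: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.9 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=1235 DF PROTO=TCP SPT=51544 DPT=22 WINDOW=229 RES=0x00 ACK URGP=0
Mar  7 21:03:12 host kernel: Logged port 22: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1236 DF PROTO=TCP SPT=51545 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  7 21:04:40 host kernel: Logged port 22: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=9001 DF PROTO=TCP SPT=40022 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Mar  7 21:09:02 host kernel: Logged port 24: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.33 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=777 DF PROTO=TCP SPT=60123 DPT=24 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  7 21:09:03 host kernel: Logged port 22: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.33 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=778 DF PROTO=TCP SPT=60124 DPT=24 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  7 21:10:00 host sshd[4242]: Failed password for invalid user admin from 203.0.113.5 port 51545 ssh2
"""

# Matches the --log-prefix used in the firewall rules above.
PREFIX_RE = re.compile(r"Logged port (\d+): ")


def parse_log_line(line):
    """Return a dict for a line written by one of our LOG rules, else None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in line[m.end():].split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value
        else:
            flags.add(tok)  # bare tokens: DF, SYN, ACK, FIN, RST, PSH, URG
    return {
        "label": int(m.group(1)),  # port named in the --log-prefix
        "src": fields.get("SRC"),
        "proto": fields.get("PROTO"),
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        "flags": flags,
    }


def is_new_attempt(rec):
    """A connection attempt is an inbound TCP SYN without ACK; every other
    packet belongs to a handshake already in progress or an open session."""
    return rec["proto"] == "TCP" and "SYN" in rec["flags"] and "ACK" not in rec["flags"]


def tally(log_text):
    attempts = Counter()        # port -> number of SYNs
    sources = defaultdict(set)  # port -> distinct source addresses
    mislabeled = []             # lines whose prefix disagrees with DPT
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        if rec["dpt"] is not None and rec["dpt"] != rec["label"]:
            mislabeled.append(line)
            continue
        if is_new_attempt(rec):
            attempts[rec["label"]] += 1
            sources[rec["label"]].add(rec["src"])
    return attempts, {port: len(ips) for port, ips in sources.items()}, mislabeled


def report(log_text):
    attempts, sources, mislabeled = tally(log_text)
    lines = [f"port {port}: {attempts[port]} attempts from {sources[port]} sources"
             for port in sorted(attempts)]
    if mislabeled:
        lines.append(f"WARNING: {len(mislabeled)} line(s) where --log-prefix and DPT "
                     f"disagree; check the rule order and prefixes")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Against the constructed sample this reports 3 attempts from 2 sources on port 22 and 1 attempt from 1 source on port 24, plus a warning for the mislabeled line. To use it on a real box, replace SAMPLE_LOG with the output of `journalctl -k` or the contents of /var/log/kern.log; counting SYNs rather than raw lines keeps the numbers honest if the LOG rules were added without `--syn`.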


The Results

Well, it’s definitely true that very few people look for SSH on port 24. In the time that I gathered 7,025 connection attempts to my SSH daemon on port 22 I received 3 on port 24.

Three.

[UPDATE: The stats over the weekend were over 18,000 connections to port 22, and five (5) to port 24.]

That’s fine, but the real question is this: would it reduce my risk of being compromised remotely through my SSH daemon if I were to change the daemon’s port to 24? I think the answer is yes.

Let’s assume that there’s a new zero day out for OpenSSH that is just owning boxes with impunity. Is anyone willing to argue that someone unleashing such an attack would waste significant effort going for non-standard ports? Or are they more likely to stick with the default port where they’re guaranteed to find more daemons?

I think we do gain security by moving commonly-attacked listeners to non-standard ports. And yes, that extra security does come from obscurity. Remember, even tanks are painted with camouflage.
