interesting article on ssh port numbers

“Why putting ssh on another port than 22 is a bad idea”:

https://www.adayinthelifeof.nl/2012/03/12/why-putting-ssh-on-another-port-than-22-is-bad-idea/

Lars

Some interesting thoughts but I wouldn’t buy his main argument (I’ve read it before). The last comment by 'Dicer' is important. Of course your sshd can be discovered (using nmap or the like) but it takes a little time. Time which is generally more profitably spent hunting down the next port 22 listener.

For the “annoying” -P problem of scp (and other programs like rsync) which expect ssh on port 22, that’s what ~/.ssh/config is for :) See http://nerderati.com/2011/03/17/simplify-your-life-with-an-ssh-config-file/ for example.

Having said that, it’s really important to know that shifting the port is one of a number of measures, not a solution in itself - the more important being disabling root access and password authentication.

Port knocking is clever … used to do this on SA gov periphery firewalls. Haven’t really bothered in recent times, but maybe something to consider in these turbulent times.

Meanwhile I continue to shift my ssh port and encourage others to do the same :)

Cheers

Bob
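Bob’s ~/.ssh/config point, shown as an added example that is not from the thread or from the linked article: a shell script that writes a constructed client config (the `build` and `legacy` aliases, their hostnames and port 2222 are invented) and resolves the port the way ssh does, first matching Host block wins, 22 when nothing sets it. With the alias in place, `scp file build:/tmp/` and `rsync -a dir/ build:dir/` pick up the port without `-P` or `-e 'ssh -p 2222'`.

```shell
#!/bin/sh
# Added example (not from the thread): resolve the Port that ssh, scp and
# rsync would use for a Host alias from a ~/.ssh/config-style file.
# ssh_config rule: the first obtained value for a keyword wins, so specific
# Host blocks go before "Host *"; 22 is the fallback when nothing sets Port.
set -eu

SAMPLE_CONFIG="${TMPDIR:-/tmp}/ssh_config_example.$$"

# Constructed sample config; aliases, hostnames and the port are invented.
write_sample_config() {
    cat > "$SAMPLE_CONFIG" <<'EOF'
# used as:  scp file.txt build:/tmp/    rsync -a dir/ build:dir/
Host build
    HostName build.example.invalid
    User deploy
    Port 2222
    IdentityFile ~/.ssh/id_ed25519_build

Host legacy
    HostName legacy.example.invalid
    # no Port here: falls through to the wildcard block, i.e. 22

Host *
    Port 22
    ServerAliveInterval 60
EOF
}

# ssh_config_value <file> <host-alias> <keyword>
# Prints the keyword value for the alias, or nothing if no block sets it.
# Handles Host blocks with one or more literal patterns and "*"; the fuller
# ssh_config pattern syntax (?, !negation, Match blocks) is out of scope.
ssh_config_value() {
    awk -v want_host="$2" -v want_key="$(printf '%s' "$3" | tr 'A-Z' 'a-z')" '
        function host_matches(patterns,   n, i, parts) {
            n = split(patterns, parts, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (parts[i] == "*" || parts[i] == want_host) return 1
            return 0
        }
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        {
            key = tolower($1)
            if (key == "host") {                # start of a Host block
                active = host_matches(substr($0, index($0, $2)))
                next
            }
            if (active && !(key in seen)) {     # first obtained value wins
                seen[key] = 1
                if (key == want_key) { print $2; exit }
            }
        }
    ' "$1"
}

# ssh_port <file> <host-alias>: Port, with the ssh default of 22 as fallback.
ssh_port() {
    port=$(ssh_config_value "$1" "$2" Port)
    printf '%s\n' "${port:-22}"
}

write_sample_config
for alias in build legacy; do
    printf '%-7s -> %s:%s\n' "$alias" \
        "$(ssh_config_value "$SAMPLE_CONFIG" "$alias" HostName)" \
        "$(ssh_port "$SAMPLE_CONFIG" "$alias")"
done
rm -f "$SAMPLE_CONFIG"
```

The lookup deliberately mirrors the ordering rule that bites people in practice: a `Port` under `Host *` placed at the top of the file would win over the per-host `Port 2222`, because ssh keeps the first value it obtains, not the last.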


On 28 September 2014 17:09, Lars Helge Øverland larshelge@gmail.com wrote:



Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp

Thanks Lars, for sharing the interesting article.

I also recommend that people use fail2ban. It is a simple tool that looks at logs to fend off brute force


Regards,
Saptarshi PURKAYASTHA
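What fail2ban’s sshd jail does with those logs, reduced to one shell function as an added example (not from the thread and not fail2ban’s own code): count "Failed password" lines per source address inside a sliding time window and report the addresses that reach a threshold, fail2ban’s maxretry/findtime idea. The log lines are constructed; the addresses come from the RFC 5737 documentation ranges and the user names are invented.

```shell
#!/bin/sh
# Added example (not from the thread, not fail2ban code): the core of a
# fail2ban sshd jail as one awk pass over a log. Failed password lines are
# counted per source address inside a sliding window of <findtime> seconds
# and an address is reported once it reaches <maxretry> failures in any such
# window. Reporting only; fail2ban would hand the address to a firewall
# action for <bantime>.
set -eu

SAMPLE_LOG="${TMPDIR:-/tmp}/auth_log_example.$$"

# Constructed syslog-style sshd lines; RFC 5737 addresses, invented users.
write_sample_log() {
    cat > "$SAMPLE_LOG" <<'EOF'
Sep 28 16:30:01 host sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 51022 ssh2
Sep 28 16:30:03 host sshd[1203]: Failed password for invalid user oracle from 192.0.2.10 port 51030 ssh2
Sep 28 16:30:04 host sshd[1205]: Failed password for root from 192.0.2.10 port 51041 ssh2
Sep 28 16:30:06 host sshd[1207]: Failed password for root from 192.0.2.10 port 51052 ssh2
Sep 28 16:30:07 host sshd[1209]: Failed password for invalid user test from 192.0.2.10 port 51060 ssh2
Sep 28 16:31:10 host sshd[1212]: Accepted publickey for deploy from 198.51.100.7 port 40212 ssh2
Sep 28 16:32:15 host sshd[1215]: Failed password for deploy from 198.51.100.7 port 40220 ssh2
Sep 28 16:32:40 host sshd[1217]: Accepted password for deploy from 198.51.100.7 port 40221 ssh2
Sep 28 16:45:00 host sshd[1220]: Failed password for root from 203.0.113.5 port 33001 ssh2
Sep 28 16:45:02 host sshd[1222]: Failed password for root from 203.0.113.5 port 33002 ssh2
Sep 28 16:55:03 host sshd[1224]: Failed password for root from 203.0.113.5 port 33003 ssh2
EOF
}

# brute_force_sources <logfile> <maxretry> <findtime-seconds>
# Prints "<address> <failures>" for each address with at least <maxretry>
# failed password attempts inside some <findtime> window, sorted by address.
# Times come from the HH:MM:SS field only, so a log spanning midnight would
# need the date handling this demo leaves out.
brute_force_sources() {
    awk -v maxretry="$2" -v findtime="$3" '
        /sshd\[[0-9]+\]: Failed password for/ {
            split($3, t, ":")
            ts = t[1] * 3600 + t[2] * 60 + t[3]
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "") next
            n[ip]++
            when[ip, n[ip]] = ts                  # log is chronological, so sorted
        }
        END {
            for (ip in n) {
                best = 0; start = 1
                for (i = 1; i <= n[ip]; i++) {    # slide the window forward
                    while (when[ip, i] - when[ip, start] > findtime) start++
                    if (i - start + 1 > best) best = i - start + 1
                }
                if (best >= maxretry) printf "%s %d\n", ip, best
            }
        }
    ' "$1" | sort
}

write_sample_log
echo "maxretry=3 findtime=600s:"; brute_force_sources "$SAMPLE_LOG" 3 600
echo "maxretry=3 findtime=900s:"; brute_force_sources "$SAMPLE_LOG" 3 900
rm -f "$SAMPLE_LOG"
```

The two runs show why the window matters: 203.0.113.5 spreads three failures over ten minutes and three seconds, so it is reported with a 900 s window but not with a 600 s one, while the single mistyped password from 198.51.100.7 never trips the threshold.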

On 28 September 2014 16:37, Bob Jolliffe bobjolliffe@gmail.com wrote:







Yes, I agree some of the arguments are a bit silly.

I think in any case one should disable ssh password authentication. If afraid of locking oneself out and not on a VPS with a console, one can selectively enable password login (http://security.stackexchange.com/questions/18036/creating-user-specific-authentication-methods-in-ssh) for users that you trust will use a long and secure password. This sort of removes the ssh brute-force problem.
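The measures the thread settles on, root login and password authentication off globally with passwords re-enabled for a few trusted users in a Match block, checked by an added shell example that is not from the thread or the linked answer. It parses a constructed sshd_config (port 2222 and the users alice, bob and deploy are invented) and reports the value sshd would apply per user, following sshd’s precedence: the first global value for a keyword wins, and a matching Match block overrides it. On a real host, `sshd -T -C user=alice` prints the same effective configuration from the daemon itself, which is the authoritative check.

```shell
#!/bin/sh
# Added example (not from the thread): report what sshd would apply for a
# given user from an sshd_config, following the precedence rules of sshd:
# outside Match blocks the first value set for a keyword wins, and a Match
# block whose criteria fit the connection overrides the global value.
# Only "Match User ..." and "Match all" criteria are understood here.
set -eu

SAMPLE_SSHD="${TMPDIR:-/tmp}/sshd_config_example.$$"

# Constructed config with the measures recommended in the thread; the port
# and the user names are invented.
write_sample_sshd_config() {
    cat > "$SAMPLE_SSHD" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# the duplicate below is ignored: sshd keeps the first global value
PasswordAuthentication yes

# Match blocks extend to the next Match or to end of file
Match User alice,bob
    PasswordAuthentication yes

Match User root
    PermitRootLogin prohibit-password
EOF
}

# sshd_effective <file> <user> <keyword>
# Prints the value sshd applies to <user> for <keyword>, or nothing when the
# file never sets it (the caller then supplies the built-in default).
sshd_effective() {
    awk -v user="$2" -v want="$(printf '%s' "$3" | tr 'A-Z' 'a-z')" '
        function user_listed(list,   n, i, u) {
            n = split(list, u, ",")
            for (i = 1; i <= n; i++) if (u[i] == user) return 1
            return 0
        }
        /^[ \t]*(#|$)/ { next }                     # comments and blank lines
        {
            key = tolower($1)
            if (key == "match") {                   # new Match block
                in_match = 1
                crit = tolower($2)
                applies = (crit == "all") || (crit == "user" && user_listed($3))
                next
            }
            if (key != want) next
            if (!in_match && global == "") global = $2              # first global value wins
            if (in_match && applies && matched == "") matched = $2   # first matching Match wins
        }
        END { print (matched != "" ? matched : global) }
    ' "$1"
}

# effective_or_default <file> <user> <keyword> <default>
# sshd defaults worth knowing: PasswordAuthentication yes,
# PermitRootLogin prohibit-password, Port 22, MaxAuthTries 6.
effective_or_default() {
    v=$(sshd_effective "$1" "$2" "$3")
    printf '%s\n' "${v:-$4}"
}

write_sample_sshd_config
printf 'Port: %s\n' "$(effective_or_default "$SAMPLE_SSHD" nobody Port 22)"
for u in deploy alice root; do
    printf '%-6s PasswordAuthentication=%-4s PermitRootLogin=%s\n' "$u" \
        "$(effective_or_default "$SAMPLE_SSHD" "$u" PasswordAuthentication yes)" \
        "$(effective_or_default "$SAMPLE_SSHD" "$u" PermitRootLogin prohibit-password)"
done
rm -f "$SAMPLE_SSHD"
```

The "first global value wins" rule is the one to remember when editing a distribution-supplied sshd_config: a `PasswordAuthentication yes` already present near the top silently defeats a `PasswordAuthentication no` appended at the bottom, which is exactly the kind of mistake `sshd -T` catches before the lockout question ever arises.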