
Moving ssh port is, IMNSHO, a stopgap measure; you should have exhausted all the other options (e.g. no passwords, no root login, denyhosts/fail2ban etc.) before this even crosses your mind.

In other words, the inconvenience this brings is not adequate to the infinitesimal increase in security.




For me I just don't like seeing /var/log/auth.log being filled with 100s of lines of:

  Failed password for root2 from 82.192.86.44 port 44990 ssh2
  Failed password for admin from 82.192.86.44 port 44990 ssh2
  Failed password for sysdb from 82.192.86.44 port 44990 ssh2
  Failed password for scott from 82.192.86.44 port 44990 ssh2
(Yes, that IP has scanned my machine before)


And that's exactly what denyhosts is for. You'll see this line a few initial times, then the banhammer springs into action.

(It's fully configurable - the number of failed attempts, the length of the autoban, etc.)
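The threshold rule described above (count failures per source, ban once the count reaches the configured limit), worked over the auth.log excerpt quoted earlier. This is an added example, not code from any commenter or from denyhosts/fail2ban; the timestamps, hostnames and the two other addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the auth.log excerpt quoted in the thread.
# 82.192.86.44 is the address shown there; the rest is made up for this example.
SAMPLE_AUTH_LOG = """\
Jan 10 03:12:01 host sshd[4021]: Failed password for root2 from 82.192.86.44 port 44990 ssh2
Jan 10 03:12:03 host sshd[4021]: Failed password for admin from 82.192.86.44 port 44990 ssh2
Jan 10 03:12:05 host sshd[4021]: Failed password for sysdb from 82.192.86.44 port 44990 ssh2
Jan 10 03:12:07 host sshd[4021]: Failed password for scott from 82.192.86.44 port 44990 ssh2
Jan 10 03:12:08 host sshd[4022]: Failed password for invalid user test from 203.0.113.9 port 5100 ssh2
Jan 10 03:12:09 host sshd[4023]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Jan 10 03:12:11 host sshd[4024]: Failed password for root from 82.192.86.44 port 44992 ssh2
"""

# sshd writes "invalid user" before names that do not exist on the box.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2"
)

def failed_logins(log_text):
    """Yield (ip, user) for every failed-password line; other lines are ignored."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user")

def ban_decisions(log_text, maxretry=3):
    """Replay the log in order and return (banned_ips, failures_per_ip).

    An address is banned the moment its failure count reaches maxretry, the
    same kind of rule denyhosts/fail2ban apply. Note what the thread points
    out: the first maxretry - 1 attempts still reach sshd before the ban.
    """
    counts = defaultdict(int)
    banned = []
    for ip, _user in failed_logins(log_text):
        counts[ip] += 1
        if counts[ip] == maxretry:
            banned.append(ip)
    return banned, dict(counts)

def iptables_rules(banned):
    """Render the DROP rules a firewall ban action would insert (text only, nothing is executed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in banned]

if __name__ == "__main__":
    banned, counts = ban_decisions(SAMPLE_AUTH_LOG, maxretry=3)
    print("failures per source:", counts)
    for rule in iptables_rules(banned):
        print(rule)
```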


Unfortunately one attempt is enough when there's a pre-auth vulnerability. Your ban-hammer doesn't help you there.


Until one of the millions of other compromised IPs begins hammering your machine minutes later...


That's the whole point. The ban-hammer in this case is automatic and will ban that one too after five attempts or whatever.


You're missing the point. One attempt is enough when there's a pre-auth exploit.


It still doesn't prevent your logs getting filled up with crap, is my point.


Preventing logs from filling up is quite a cosmetic issue. Making the box hard to crack is certainly more relevant.

Note that I'm not advocating against a port change; just saying that it's the very last of available options, as it's essentially security-by-obscurity, and thus only gives you a feeling of higher security (due to less spam in the logs).


Making security logs usable can (note the word) be a very important part of a security setup. Lots of people don't have the bandwidth to pay attention to noisy log files to look for anomalies.


There is also ssh-faker: http://www.pkts.ca/ssh-faker.shtml

Which would prevent even that first password failure attempt from occurring.


Sending a password over telnet seems like a bad idea...


True, but still, moving the port away from the default is always a good and effortless thing to do. Or at least making people aware of it.


Good...perhaps, iff you're aware that this is a cosmetic issue (less spam in the logs), rather than actual security (and that ports 222, 2222 and 22222 get just as much spam as 22).

Effortless...except you need to configure every client to use the non-default port. How much effort is that? IDK, depends on your use case.

That said, I consider it harmless; which is to say, the benefits and drawbacks are just about equal, IMNSHO.


> Effortless...except you need to configure every client to use the non-default port

I've never seen this as extra effort given I'm already in the ~/.ssh/config file adding an "IdentityFile" line anyway? The only time you wouldn't is if you are using the same (default) private key for every configured connection. I will faithfully assume that no-one is advocating for that :)


> In other words, the inconvenience this brings is not adequate to the infinitesimal increase in security.

You are wrong. Please refrain from giving security advice.

Changing or filtering the SSH port prevents your host from being compromised by automated netrange sweeps in the event of a pre-auth ssh vulnerability. For this reason changing the SSH port is considered best practice.


Since port numbers are a very tiny space, that would amount to an infinitesimal increase in security, right? Essentially, 'hiding' the port is 'security through obscurity' which is a thoroughly discredited idea.


This is assuming that someone is specifically targeting your machine. In which case yes, changing the port number probably won't do much. But if someone is just hammering random servers on port 22, changing the port number is much more likely to be effective.


You misunderstand.

Changing the port does nothing against targeted attacks and it's not about 'hiding' anything. The purpose is to take your host out of the scope of automatic scans which almost exclusively focus on the most common ports (22, 2222, 22222 ...).


Okay, a pre-auth vulnerability is a plausible option I didn't consider; you are right.



