[CentOS-docs] Securing SSH --> Change ports

Manuel Wolfshant

wolfy at nobugconsulting.ro
Fri Oct 3 04:11:15 UTC 2014

On 10/03/2014 04:17 AM, Theodor Sigurjon Andresson wrote:
> Yes, when securing your services you*layer*  defenses that could include using STO. But when STO is set up in a wrong way it can lead to a security issue. It isn't good to protect your services to slow down or prevent an attack by opening up a security risk. As in this case changing the port of SSH to 2222 isn't a good way to include STO. It doesn't matter how big the risk is, you just don't want this issue to be there. If you want to include STO in your security measures then you have to do it without opening up a security risk because you might be opening up a security risk that could be dangerous. In my opinion that is the case with SSH to port 2222. Changing the port to an privileged unassigned or unused port is a better way to include STO in your security measures for SSH. That way you don't have the risk of another user listening on your SSH.
I agree with you on two things
- changing the default port is not a security measure, it just lowers 
the noise in the logs and takes you a bit out of the path of automated 
scripts looking for easy targets.
- changing the default port to anything above 1024 creates a greater 
risk than using one below 1024

On the other hand, even if it's easier to start a rouge daemon 
impersonating sshd to listen on a higher port, if you have a malevolent 
user already sniffing on a port - any port - from my point of view you 
already have bigger issues than the potential risk you mentioned.

Incidentally I am a fan of using iptables (recent match) to limit the 
number of admissible attempts from any given IP to connect to sshd ( 
yes, I know, it has nothing to do with the initial concern you raised )
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos-docs/attachments/20141003/03f5a957/attachment-0002.html>

More information about the CentOS-docs mailing list