[CentOS-docs] Securing SSH --> Change ports

Thu Oct 2 23:47:56 UTC 2014
Theodor Sigurjon Andresson <TheodorSiAn at kvenno.is>

To change it to unassigned privileged port would be a much better idea if the user insists on changing it. I personally don't like the idea of security through obscurity at all. 
However if I remember correctly there are some programs that depend on SSH to be run on port 22. Usually easily changed but sometimes it can't be. I might be wrong though. 

________________________________________
From: centos-docs-bounces at centos.org [centos-docs-bounces at centos.org] on behalf of Karsten Wade [kwade at redhat.com]
Sent: Thursday, October 02, 2014 22:49
To: centos-docs at centos.org
Subject: Re: [CentOS-docs] Securing SSH --> Change ports

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/02/2014 03:45 PM, Theodor Sigurjon Andresson wrote:
> In there you are almost telling people that security through
> obscurity is a good way. That might sometimes be true but in this
> case it could mean that you would be handing passwords and other
> data out.
>
> When you start SSH on port 22 it is done with root privileges
> because the root user is the only one that can use ports below
> 1024. Root is the only user that can listen to that port or do
> something with it. If you move the port to 2222 for example you
> move SSH to a port that can be used with out a privileged user.
> This would mean I could write a script that listens to port 2222
> and mimics SSH to capture the passwords. Changing the port of SSH
> to 2222 or anything above 1024 makes SSH less secure. Pretty ironic
> that this is in the "Securing SSH" chapter.  This should never be
> done.
>
> Location:
> http://wiki.centos.org/HowTos/Network/SecuringSSH#head-3579222198adaf43a3ecbdc438ebce74da40d8ec
>
>
username: TheodorAndresson
>
> _______________________________________________ CentOS-docs mailing
> list CentOS-docs at centos.org
> http://lists.centos.org/mailman/listinfo/centos-docs
>

What do you think about using a privileged but unassigned port such as
101?

- - Karsten
- --
Karsten 'quaid' Wade        .^\          CentOS Doer of Stuff
http://TheOpenSourceWay.org    \  http://community.redhat.com
@quaid (identi.ca/twitter/IRC)  \v'             gpg: AD0E0C41
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlQt1pcACgkQ2ZIOBq0ODEEpMACeMdWaOLnXlwJNzKKGjhGopviq
TVkAoJXSaHTe/7PmdAEhzzmSjkzL02es
=y+y6
-----END PGP SIGNATURE-----
_______________________________________________
CentOS-docs mailing list
CentOS-docs at centos.org
http://lists.centos.org/mailman/listinfo/centos-docs