[CentOS-docs] Securing SSH --> Change ports

Fri Oct 3 05:45:58 UTC 2014
Karsten Wade <kwade at redhat.com>

On 10/02/2014 04:47 PM, Theodor Sigurjon Andresson wrote:
> To change it to an unassigned privileged port would be a much better 
> idea if the user insists on changing it. I personally don't like
> the idea of security through obscurity at all. However if I
> remember correctly there are some programs that depend on SSH to be
> run on port 22. Usually easily changed but sometimes it can't be. I
> might be wrong though.

When I've changed ports, it's always been to a privileged port mainly
for the reasons you identify as risks. I usually do it to quiet
logwatch complaining at all the false login attempts on port 22. I
know there are probably better ways to deal with that, but when it
comes to machines that are designed to be shelled in to from various
IP addresses, it's harder to design a firewall or hosts.deny that has
a low enough barrier.

- Karsten

> ________________________________________
> From: centos-docs-bounces at centos.org [centos-docs-bounces at centos.org] on behalf of Karsten Wade [kwade at redhat.com]
> Sent: Thursday, October 02, 2014 22:49
> To: centos-docs at centos.org
> Subject: Re: [CentOS-docs] Securing SSH --> Change ports
> 
> On 10/02/2014 03:45 PM, Theodor Sigurjon Andresson wrote:
>> In there you are almost telling people that security through 
>> obscurity is a good way. That might sometimes be true but in this
>>  case it could mean that you would be handing passwords and other
>>  data out.
> 
>> When you start SSH on port 22 it is done with root privileges 
>> because the root user is the only one that can use ports below 
>> 1024. Root is the only user that can listen to that port or do 
>> something with it. If you move the port to 2222 for example you 
>> move SSH to a port that can be used without a privileged user. 
>> This would mean I could write a script that listens to port 2222
>>  and mimics SSH to capture the passwords. Changing the port of
>> SSH to 2222 or anything above 1024 makes SSH less secure. Pretty 
>> ironic that this is in the "Securing SSH" chapter.  This should 
>> never be done.
> 
>> Location: 
>> http://wiki.centos.org/HowTos/Network/SecuringSSH#head-3579222198adaf43a3ecbdc438ebce74da40d8ec
>
>>
>> 
> 
> username: TheodorAndresson
> 
>> _______________________________________________ CentOS-docs 
>> mailing list CentOS-docs at centos.org 
>> http://lists.centos.org/mailman/listinfo/centos-docs
> 
> 
> What do you think about using a privileged but unassigned port
> such as 101?
> 
> - Karsten
> 

-- 
Karsten 'quaid' Wade        .^\          CentOS Doer of Stuff
http://TheOpenSourceWay.org    \  http://community.redhat.com
@quaid (identi.ca/twitter/IRC)  \v'             gpg: AD0E0C41
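
The privileged-port boundary this thread turns on can be checked against a real configuration. The script below is an added example, not part of the original messages: it lists every port an sshd_config names and reports whether a non-root user could bind it. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: which ports does an sshd_config name, and could a non-root
# user bind them? Function names here are illustrative, not from any tool.

# Lowest port a non-root process may bind: 1024 traditionally; newer Linux
# kernels expose the boundary as a sysctl, so read it when it is there.
unpriv_start() {
    f=/proc/sys/net/ipv4/ip_unprivileged_port_start
    if [ -r "$f" ]; then cat "$f"; else echo 1024; fi
}

# Print each port named by Port or "ListenAddress host:port" lines. Port 22 is
# the default when no Port line exists and some address relies on the default.
sshd_ports() {
    awk '
        { sub(/#.*/, ""); sub(/=/, " "); k = tolower($1) }
        k == "port" { print $2; hp = 1 }
        k == "listenaddress" {
            if ($2 ~ /^(\[.*\]|[^:]*):[0-9]+$/) { sub(/.*:/, "", $2); print $2; lp = 1 }
            else bare = 1
        }
        END { if (!hp && (!lp || bare)) print 22 }
    ' "$1" | sort -nu
}

# Classify each port; return 1 if any can be bound without root.
audit_sshd_ports() {
    start=${2:-$(unpriv_start)}
    rc=0
    for p in $(sshd_ports "$1"); do
        if [ "$p" -ge "$start" ]; then
            echo "$p unprivileged: any local user can bind it while sshd is down"
            rc=1
        else
            echo "$p privileged: needs root or CAP_NET_BIND_SERVICE to bind"
        fi
    done
    return $rc
}

# Constructed sample using the ports mentioned in the thread.
sample=$(mktemp)
printf '%s\n' '#Port 22' 'Port 101' 'ListenAddress 0.0.0.0:2222' > "$sample"
audit_sshd_ports "$sample" 1024 || echo "at least one port is bindable without root"
rm -f "$sample"
```

The second argument to `audit_sshd_ports` overrides the boundary; omit it to use the running kernel's value.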