[CentOS] Running SSH on a different port

Tue Oct 27 01:28:09 UTC 2009
Ryan B. Lynch <ryan.b.lynch at gmail.com>

On 10/26/2009 07:41 PM, Michael Kress wrote:
> ML wrote:
>   
>> So I added Port 2977 Under Host *
>>
>> So I have:
>> Host *
>> Port 2977
>>   
>>     
> Never post your real port number here. Otherwise you don't need to hide
> it from the public. Right? ;-)
>   

I'm not sure if this is a serious security suggestion, or a joke. (If
it's a joke, sorry I missed the boat.) This is probably going to look
like a troll, but I really do feel sorry for anyone who takes this kind
of suggestion seriously.

Whatever alternate SSH port number you select is NOT a secret, and you
have a false impression of security if you think of it as a secret.
Thinking that "My system is more secure because I run SSH on an
alternate port" is just fooling yourself.

If you're already taking appropriate precautions elsewhere, then
changing the port number is really just a convenience/preference, to
make your logs a little less noisy. Security-wise, it's window dressing,
and it'll really only present a problem for the laziest attackers or
bots. Your secret SSH port number is only a secret for about as long as
it takes for a wide port scan to run. (And unless you've implemented
IP-level rate-limiting on a per-remote-source-IP basis, that's a much
shorter time than you think.)

Moving the SSH port will help cut down on the rate at which dictionary
bots (account/password guessers) will hit you up. But do those
dictionary bots really pose a security threat to you? Maybe, if your SSH
server isn't patched and up-to-date, or if you haven't audited/locked
your local accounts, or if you don't enforce strong passwords or
keys-only logins.

If it's really that important that you cut the rate down, the iptables
'recent' module is a fantastic tool. Combined with some whitelisting,
you can really cut the noise down, without inconveniencing yourself at
all. If you find 'iptables' too intimidating, there are a few
log-watching scripts that will dynamically block source IPs on-the-fly
as the remote IPs roll into '/var/log/secure'.

(I'm just going to apologize now to anybody I've offended, if it means
anything--this is just one guy's opinion on the Internet, after all.)

-Ryan
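An added example, not part of Ryan's post, of the iptables 'recent' rate-limit combined with whitelisting that he describes. The trusted network 203.0.113.0/24, the SSH_GUARD/SSH_BRUTE names and the thresholds are constructed placeholders; the port is the one quoted in the thread, and setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Rate-limit NEW SSH connections per source IP with the xt_recent module,
# letting a trusted network bypass the limit entirely.
# Constructed example: chain names, CIDR and thresholds are placeholders.
set -eu

# iptables binary to drive; IPT=echo turns the script into a dry run.
IPT="${IPT:-iptables}"

# ssh_guard PORT TRUSTED_CIDR [HITCOUNT] [SECONDS]
# Builds a chain that:
#   1. accepts new SSH connections from TRUSTED_CIDR unconditionally,
#   2. drops a source that has already opened HITCOUNT new connections
#      within the last SECONDS,
#   3. records every other new connection for that source and accepts it.
ssh_guard() {
    port="$1"; trusted="$2"; hits="${3:-4}"; secs="${4:-60}"

    $IPT -N SSH_GUARD
    # Only NEW connections to the SSH port are judged; established flows
    # are handled by whatever stateful rule already accepts them.
    $IPT -A INPUT -p tcp --dport "$port" -m state --state NEW -j SSH_GUARD
    # Whitelist first, so your own networks are never counted or blocked.
    $IPT -A SSH_GUARD -s "$trusted" -j ACCEPT
    # --update matches (and refreshes the entry) only once the source has
    # HITCOUNT timestamps in the last SECONDS; --rttl additionally requires
    # the TTL to match the recorded one, so spoofed SYNs cannot get a
    # third party blocked.
    $IPT -A SSH_GUARD -m recent --name SSH_BRUTE --update --seconds "$secs" \
        --hitcount "$hits" --rttl -j DROP
    # Under the threshold: add a timestamp for this source, then accept.
    $IPT -A SSH_GUARD -m recent --name SSH_BRUTE --set -j ACCEPT
}

# ssh_guard_dry PORT TRUSTED_CIDR [HITCOUNT] [SECONDS]
# Prints the exact rules ssh_guard would apply, without touching the firewall.
ssh_guard_dry() {
    ( IPT=echo; ssh_guard "$@" )
}
```

With the defaults, the fifth new connection from one address within 60 seconds is dropped, while the whitelisted network and already-established sessions are never affected.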