[CentOS] Securing SSH wiki article outdated

James Hogarth james.hogarth at gmail.com
Fri Feb 13 10:41:21 UTC 2015


> On 12/02/15 20:03, Warren Young wrote:
> > Hi, just a quick note to whoever is maintaining this page:
> >
> >   http://wiki.centos.org/HowTos/Network/SecuringSSH
> >
> > The procedure is missing the firewall-cmd calls necessary in EL7:
> >
> >   firewall-cmd --add-port 2345/tcp
> >   firewall-cmd --add-port 2345/tcp --permanent
> >

This is horrible advice anyway. It's not a good idea to run SSH on a port
greater than 1024 since if a crash exploit is used to kill the process a
non-root trojan process faking SSH to gather credentials could then bind on
that port trivially totally compromising the system.

If you really want to SSH to a port other than 22 for a little obscurity
use an iptables dnat to map the high port to local host 22 and block 22
from external connections.

That way SSH is still binding to a low port restricted to the root user and
you can still get a little of that security through obscurity being desired.



More information about the CentOS mailing list