[CentOS] Securing SSH wiki article outdated
James Hogarth
james.hogarth at gmail.com
Fri Feb 13 10:41:21 UTC 2015
> On 12/02/15 20:03, Warren Young wrote:
> > Hi, just a quick note to whoever is maintaining this page:
> >
> > http://wiki.centos.org/HowTos/Network/SecuringSSH
> >
> > The procedure is missing the firewall-cmd calls necessary in EL7:
> >
> > firewall-cmd --add-port 2345/tcp
> > firewall-cmd --add-port 2345/tcp --permanent
> >
This is horrible advice anyway. It's not a good idea to run SSH on a port
greater than 1024, since if a crash exploit is used to kill the process, a
non-root trojan process faking SSH to gather credentials could then bind on
that port trivially, totally compromising the system.
If you really want to SSH to a port other than 22 for a little obscurity,
use an iptables DNAT to map the high port to localhost 22 and block 22
from external connections.
That way SSH is still binding to a low port restricted to the root user, and
you can still get a little of that security through obscurity being desired.
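
The layout described in the message above, as an added example that is not part of the original post: sshd keeps listening on 22, the high port is redirected to it in the nat table, and direct connections to 22 are dropped. Assumptions: the function name `ssh_redirect_rules` is hypothetical, 2345 is the sample port from the quoted text, `REDIRECT` is used as the local-delivery form of DNAT, and the conntrack match is one way to tell direct from redirected connections.

```shell
#!/bin/sh
# Added example: prints the iptables commands, it does not apply them.
# Review the output, then run it as root, e.g.: ssh_redirect_rules 2345 | sh

SSHD_PORT=22   # sshd stays on the privileged port

ssh_redirect_rules() {
    ext_port=$1
    # Reject empty, non-numeric and over-long input before numeric tests.
    case $ext_port in
        ''|*[!0-9]*|??????*) echo "port must be a number" >&2; return 2 ;;
    esac
    if [ "$ext_port" -lt 1 ] || [ "$ext_port" -gt 65535 ] ||
       [ "$ext_port" -eq "$SSHD_PORT" ]; then
        echo "port must be 1-65535 and not $SSHD_PORT" >&2
        return 2
    fi

    # nat/PREROUTING: rewrite the destination port before the routing
    # decision. REDIRECT delivers to the receiving interface's own address.
    echo "iptables -t nat -A PREROUTING -p tcp --dport $ext_port -j REDIRECT --to-ports $SSHD_PORT"

    # filter/INPUT: after the rewrite, direct and redirected packets both
    # carry dport 22, so a plain "--dport 22 -j DROP" would block both.
    # Match the connection's ORIGINAL destination port instead, and leave
    # loopback alone. -I puts the rule ahead of any existing ACCEPT for 22.
    echo "iptables -I INPUT ! -i lo -p tcp --dport $SSHD_PORT -m conntrack --ctstate NEW --ctorigdstport $SSHD_PORT -j DROP"
}
```

These rules are not persistent; they have to be saved with whatever mechanism the host uses for its firewall configuration.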