Re: OT: Safe to access SSH server from work?

To: debian-user@lists.debian.org
Subject: Re: OT: Safe to access SSH server from work?
From: Robert Brockway <robert@timetraveller.org>
Date: Sat, 7 May 2011 02:16:45 +1000 (EST)
Message-id: <[🔎] alpine.DEB.2.00.1105070154560.7607@castor.opentrend.net>
In-reply-to: <[🔎] 20110506005412.GD17068@aurora.owens.net>
References: <[🔎] BANLkTinFavrwh5NcWFcdJCE8+M-ja5=UXw@mail.gmail.com> <[🔎] 20110505220902.GF13057@desktop> <[🔎] 201105051546.27573.CACook@quantum-sci.com> <[🔎] 20110506005412.GD17068@aurora.owens.net>

On Thu, 5 May 2011, Rob Owens wrote:

I hesitate to mention this, because it will start an argument about
security through obscurity, but you can run your ssh server on a port
other than 22.  It really does nothing for security, but it will keep
your firewall logs a lot cleaner because it avoids pesky scripts that
circulate the internet, trying to brute force ssh servers.

Hi Rob. I'm glad you mentioned that it doesn't do anything for security.Yes it would keep logs a bit cleaner. I've never[1] changed the ssh porton any host and never been terribly worried about the state of the logs asa result.

Changing the port is only really viable for home servers. It can'treliably be done on any service used by a lot of people anymore than youcan do this for any other service. You could of course do this if you areusing SRV records (if the client supports it) but then you throw away theobscurity aspect anyway.

The idea of changing the port number for SSH seems to stem from the ideathat SSH is somehow more dangerous to run than another service and soneeds special treatment. I think this idea comes from the fact that asuccessful SSH login will give you a shell and that sounds a bit scary.The thing to remember is that exploits of other network services normallyinvolve the execution of arbitrary code. And what is the arbitrary codethat they run? It is often a shell.

Most Linux systems will be using OpenSSH which comes from the OpenBSDproject. It is likely the best audited code on many Linux systems and isthus likely to be less of a threat to system security than running manyother services.

Treat all network services as a potential threat whether they are designedto give you a shell or not. Keep the system patched, restrict access tothe service to legitimate users if you can, and follow best practice forlocking down each service.


[1] I've been using SSH since 1996 or 1997.

Cheers,

Rob

--
Email: robert@timetraveller.org		Linux counter ID #16440
IRC: Solver (OFTC & Freenode)
Web: http://www.practicalsysadmin.com
Contributing member of Software in the Public Interest (http://spi-inc.org/)
Open Source: The revolution that silently changed the world

Reply to:

Follow-Ups:
- Re: OT: Safe to access SSH server from work?
  - From: Chris Davies <chris-usenet@roaima.co.uk>

References:
- OT: Safe to access SSH server from work?
  - From: George <pinkisntwell@gmail.com>
- Re: OT: Safe to access SSH server from work?
  - From: Brian <ad44@cityscape.co.uk>
- Re: OT: Safe to access SSH server from work?
  - From: CACook@quantum-sci.com
- Re: OT: Safe to access SSH server from work?
  - From: Rob Owens <rowens@ptd.net>

Prev by Date: Re: Multiple instances of udev daemon?
Next by Date: Loss of connectivity on recent testing updates
Previous by thread: Re: OT: Safe to access SSH server from work?
Next by thread: Re: OT: Safe to access SSH server from work?
Index(es):
- Date
- Thread