[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ssh to NATed box fails

Jan Minar wrote:

On Thu, Jan 01, 2004 at 06:06:34PM -0500, Johann Koenig wrote:
On Thursday January  1 at 11:47pm
Jan Minar <Jan.Minar@seznam.cz> wrote:

On Thu, Jan 01, 2004 at 09:42:09PM +0000, Adam Barton wrote:
At least then a script kiddy won't simply find port 22 open and
start to bruteforce your ssh password. He has to scan higher than
normal to find your SSH which he/she is less likely to do.
This is a ``security by obscurity''; a naive approach that works by
giving you a warm fuzzy feeling that you've done your homework, which
lessens your alertness, so you won't ever notice the intruders.
Plus, a quick nmap scan will discover the open ports pretty quickly.

| % nmap -p 22,10002,1022 mental-graffiti.com | Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
| Warning:  You are not root -- using TCP pingscan rather than ICMP
| Interesting ports on 24-161-30-224.hvc.rr.com (
| (The 2 ports scanned but not shown below are in state: closed)
| Port       State       Service
| 22/tcp open ssh | | | Nmap run completed -- 1 IP address (1 host up) scanned in 6 seconds
| % nc mental-graffiti.com 22
| SSH-2.0-OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10

BTW, noone is going to bruteforce your passwords, it just isn't worth it.
There are more elegant and less expensive methods.


Yes, indeed a quick telnet from a even a windows machine to a port with sshd listening on will give the same also. So moving your ssh daemon to a high port by no means hides it. It simply makes it less likely that an opportunistic cracker will detect it.

For example, suppose when we find that a exploit for a new SSH vulnerability is being used to exploit servers on the internet. This exploit is bound to make it to the script kiddies sooner or later who will be targeting port 22 as they believe 'that this is the port ssh uses'. Even those who are scanning the high ports may not go to the length of banner grabbing (or be using a program that does it for them). As such, moving SSH to a high port makes sense here.

( I almost included the 'SSH-2.0-OpenSSH' in my original post, but didn't think I would be pulled up on it) :)

However, for a determined cracker, who wants to get your data in particular, moving the ports makes no difference as he will find it regardless and run the exploit and own you box. If all crackers on the net was of this variety then I think I would keep SSH on 22. But they aren't.

Do you agree that perhaps there is some wisdom in my advice?


Reply to: