
Re: ssh to NATed box fails



Jan Minar wrote:

On Thu, Jan 01, 2004 at 06:06:34PM -0500, Johann Koenig wrote:
On Thursday January  1 at 11:47pm
Jan Minar <Jan.Minar@seznam.cz> wrote:

On Thu, Jan 01, 2004 at 09:42:09PM +0000, Adam Barton wrote:
At least then a script kiddy won't simply find port 22 open and
start to bruteforce your ssh password. He has to scan higher than
normal to find your SSH which he/she is less likely to do.
This is a ``security by obscurity''; a naive approach that works by
giving you a warm fuzzy feeling that you've done your homework, which
lessens your alertness, so you won't ever notice the intruders.
Plus, a quick nmap scan will discover the open ports pretty quickly.

| % nmap -p 22,10002,1022 mental-graffiti.com
| Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
| Warning:  You are not root -- using TCP pingscan rather than ICMP
| Interesting ports on 24-161-30-224.hvc.rr.com (24.161.30.224):
| (The 2 ports scanned but not shown below are in state: closed)
| Port       State       Service
| 22/tcp     open        ssh
|
| Nmap run completed -- 1 IP address (1 host up) scanned in 6 seconds
| % nc mental-graffiti.com 22
| SSH-2.0-OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10

BTW, no one is going to bruteforce your passwords, it just isn't worth it.
There are more elegant and less expensive methods.

Cheers,
Jan.

Yes, indeed a quick telnet from even a Windows machine to a port with sshd listening on it will give the same also. So moving your ssh daemon to a high port by no means hides it. It simply makes it less likely that an opportunistic cracker will detect it.

For example, suppose we find that an exploit for a new SSH vulnerability is being used to exploit servers on the internet. This exploit is bound to make it to the script kiddies sooner or later, who will be targeting port 22 as they believe 'that this is the port ssh uses'. Even those who are scanning the high ports may not go to the length of banner grabbing (or be using a program that does it for them). As such, moving SSH to a high port makes sense here.

(I almost included the 'SSH-2.0-OpenSSH' in my original post, but didn't think I would be pulled up on it) :)

However, for a determined cracker, who wants to get your data in particular, moving the ports makes no difference as he will find it regardless and run the exploit and own your box. If all crackers on the net were of this variety then I think I would keep SSH on 22. But they aren't.

Do you agree that perhaps there is some wisdom in my advice?


Adam.
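A small self-audit helper, added here as an example and not code from anyone in the thread: it parses the SSH identification string that the `nc` session above printed, following the RFC 4253 format `SSH-protoversion-softwareversion [SP comments]`, so an administrator can check what their own sshd still discloses on whichever port it was moved to. The host and port list in the `__main__` block are placeholders; the sample banners in the test are constructed.

```python
import socket
import sys
from dataclasses import dataclass
from typing import Optional


@dataclass
class SshIdent:
    protoversion: str      # e.g. "2.0"
    softwareversion: str   # e.g. "OpenSSH_3.6.1p2"
    comments: Optional[str]  # e.g. "Debian 1:3.6.1p2-10", or None


def parse_ssh_identification(data: bytes) -> Optional[SshIdent]:
    """Parse the SSH identification line (RFC 4253 section 4.2) from the
    first bytes a server sends after the TCP connection opens.

    RFC 4253 allows the server to send arbitrary text lines before the
    identification line; clients must skip them, so this does too.
    Returns None when no line of the form SSH-x.y-software [comments]
    is present (for example when the port is not actually SSH).
    """
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r")
        if not line.startswith(b"SSH-"):
            continue  # pre-identification banner text, ignore it
        text = line.decode("ascii", errors="replace")
        ident, _, comments = text.partition(" ")
        parts = ident.split("-", 2)  # "SSH", protoversion, softwareversion
        if len(parts) != 3 or not parts[1] or not parts[2]:
            return None
        return SshIdent(parts[1], parts[2], comments or None)
    return None


def grab_ssh_identification(host: str, port: int, timeout: float = 5.0) -> Optional[SshIdent]:
    """Connect to host:port, read up to 1 KiB and parse it. Network access needed."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(1024)
        except socket.timeout:
            return None
    return parse_ssh_identification(data)


if __name__ == "__main__":
    # Placeholder host/ports: audit your own machine, e.g. the high port you chose.
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for port in (22, 10002):
        print(port, grab_ssh_identification(host, port))
```

Whatever port is listed, a result other than `None` means the exact software version is visible to anyone who connects, which is the point Jan's `nc` transcript makes.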



