Re: ssh to NATed box fails
Jan Minar wrote:
On Thu, Jan 01, 2004 at 06:06:34PM -0500, Johann Koenig wrote:
On Thursday January 1 at 11:47pm
Jan Minar <Jan.Minar@seznam.cz> wrote:
On Thu, Jan 01, 2004 at 09:42:09PM +0000, Adam Barton wrote:
At least then a script kiddy won't simply find port 22 open and
start to bruteforce your ssh password. He has to scan higher than
normal to find your SSH which he/she is less likely to do.
This is a ``security by obscurity''; a naive approach that works by
giving you a warm fuzzy feeling that you've done your homework, which
lessens your alertness, so you won't ever notice the intruders.
Plus, a quick nmap scan will discover the open ports pretty quickly.
| % nmap -p 22,10002,1022 mental-graffiti.com
| Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
| Warning: You are not root -- using TCP pingscan rather than ICMP
| Interesting ports on 24-161-30-224.hvc.rr.com (188.8.131.52):
| (The 2 ports scanned but not shown below are in state: closed)
| Port State Service
| 22/tcp open ssh
| Nmap run completed -- 1 IP address (1 host up) scanned in 6 seconds
| % nc mental-graffiti.com 22
| SSH-2.0-OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10
BTW, noone is going to bruteforce your passwords, it just isn't worth it.
There are more elegant and less expensive methods.
Yes, indeed a quick telnet from a even a windows machine to a port with
sshd listening on will give the same also. So moving your ssh daemon to
a high port by no means hides it. It simply makes it less likely that an
opportunistic cracker will detect it.
For example, suppose when we find that a exploit for a new SSH
vulnerability is being used to exploit servers on the internet. This
exploit is bound to make it to the script kiddies sooner or later who
will be targeting port 22 as they believe 'that this is the port ssh
uses'. Even those who are scanning the high ports may not go to the
length of banner grabbing (or be using a program that does it for
them). As such, moving SSH to a high port makes sense here.
( I almost included the 'SSH-2.0-OpenSSH' in my original post, but
didn't think I would be pulled up on it) :)
However, for a determined cracker, who wants to get your data in
particular, moving the ports makes no difference as he will find it
regardless and run the exploit and own you box. If all crackers on the
net was of this variety then I think I would keep SSH on 22. But they
Do you agree that perhaps there is some wisdom in my advice?