[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: How much difference does it make to run ssh on a different port number?

hi y chris 

On Mon, 3 Oct 2005, Chris Humphries wrote:

> +------------------------------------------------------------------------------
> | On (03/10/05 16:07), Tarapia Tapioco wrote:
> | 
> | Occasionally people recommend running sshd on a different port number
> | (not 22) to reduce the number of cracking attempts (dictionary
> | attacks).
> | 
> | Does this really make a big difference?

no ... zero ... 

but what does do in reality:

	- *you* have to do extra work to get around to use the new port 2222

	- *you* are STILL susceptible to ssh attacks, as the attacking
	program can run the ssh attacks on ALL ports till it finds the
	vulnerability it is attacking

	- *you* did NOT harden/upgrade your vulnerable ssh to the latest
	and greatest

	- *you* probably still did NOT change your ssh config
	  which should be done by 99.99% of the users of ssh
		- allow incoming conections only from
		- disallow incoming root login attempts

	- *you* gave up the right for FREE security audits on port 22

	- *you* still did NOT take evasive action to limit the damage
	they can do if they DID get in on any port by attacking sshd

	- *you* still did NOT create a intruder alarm system that they
	are INSIDE your machine... 

		- those incoming attacks are just FREE audits and
		is just a nuisance if you know(think) your system 
		is secure

- if the purpose of the attacker is to just create an inconvenience for
  you, than they have succeeded in their attack when you change port#
  and no other changes

- if the purpose of the attacker is to take control of your PC
  and rm -rf /  or run irc chat or install "those" pictures than
  again, you have NOT prevented that from happening by changing port#

- i always assume the cracker is IN the server already, and i prefer
  to do damage control to minimize what they can do as root ...

	- turn off all passwordless login ... since they can log
	into all your other PCs too including work place

	- i dont care the they rm -rf / and i'll try to have a backup plan
	to recover in a few minutes, but more importantly, i want to know
	"WHO" they are and how they got in and when and where ...

> Changing the port just stops attempts from being logged, in the way
> you log them.

and if that is bothersome, as chris said,  don't log it
which is again a worst idea, but it solves your problem of seeing the
incoming attacks

> Though it is very annoying, there is nothing you can do to stop it 

bingo ...

> If it bothers you to see the logs, don't log it.


> If you feel scared about your password, pick stronger passwords and you
> can even use john the ripper to test your passwords. 

bingo ...
and do NOT allow incoming connections from work or home or the hotel
or the airport or wireless ..etc..etc..
and disallow their free access to your network ( turn of dhcp )

> Just make sure your software is up to date and your passwords are good, and
> you'll be fine. Again, if you don't like the logs, don't look or store it ;)

and apply all the security patches and security proceedures and protocols
and more importantly ... SAVE your data somewhere else too

- at least do all the steps described in the "debian hardening"


c ya

Reply to: