Re: How much difference does it make to run ssh on a different port number?
hi y chris
On Mon, 3 Oct 2005, Chris Humphries wrote:
> +------------------------------------------------------------------------------
> | On (03/10/05 16:07), Tarapia Tapioco wrote:
> |
> | Occasionally people recommend running sshd on a different port number
> | (not 22) to reduce the number of cracking attempts (dictionary
> | attacks).
> |
> | Does this really make a big difference?
no ... zero ...
but what does do in reality:
- *you* have to do extra work to get around to use the new port 2222
- *you* are STILL susceptible to ssh attacks, as the attacking
program can run the ssh attacks on ALL ports till it finds the
vulnerability it is attacking
- *you* did NOT harden/upgrade your vulnerable ssh to the latest
and greatest
- *you* probably still did NOT change your ssh config
which should be done by 99.99% of the users of ssh
- allow incoming conections only from 192.168.1.3
- disallow incoming root login attempts
- *you* gave up the right for FREE security audits on port 22
- *you* still did NOT take evasive action to limit the damage
they can do if they DID get in on any port by attacking sshd
- *you* still did NOT create a intruder alarm system that they
are INSIDE your machine...
- those incoming attacks are just FREE audits and
is just a nuisance if you know(think) your system
is secure
- if the purpose of the attacker is to just create an inconvenience for
you, than they have succeeded in their attack when you change port#
and no other changes
- if the purpose of the attacker is to take control of your PC
and rm -rf / or run irc chat or install "those" pictures than
again, you have NOT prevented that from happening by changing port#
- i always assume the cracker is IN the server already, and i prefer
to do damage control to minimize what they can do as root ...
- turn off all passwordless login ... since they can log
into all your other PCs too including work place
- i dont care the they rm -rf / and i'll try to have a backup plan
to recover in a few minutes, but more importantly, i want to know
"WHO" they are and how they got in and when and where ...
> Changing the port just stops attempts from being logged, in the way
> you log them.
and if that is bothersome, as chris said, don't log it
which is again a worst idea, but it solves your problem of seeing the
incoming attacks
> Though it is very annoying, there is nothing you can do to stop it
bingo ...
> If it bothers you to see the logs, don't log it.
:-)
> If you feel scared about your password, pick stronger passwords and you
> can even use john the ripper to test your passwords.
bingo ...
and do NOT allow incoming connections from work or home or the hotel
or the airport or wireless ..etc..etc..
and disallow their free access to your network ( turn of dhcp )
> Just make sure your software is up to date and your passwords are good, and
> you'll be fine. Again, if you don't like the logs, don't look or store it ;)
and apply all the security patches and security proceedures and protocols
and more importantly ... SAVE your data somewhere else too
- at least do all the steps described in the "debian hardening"
http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html
c ya
alvin
Reply to: