[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: OT: Safe to access SSH server from work?

On Thu, 5 May 2011, Rob Owens wrote:

I hesitate to mention this, because it will start an argument about
security through obscurity, but you can run your ssh server on a port
other than 22.  It really does nothing for security, but it will keep
your firewall logs a lot cleaner because it avoids pesky scripts that
circulate the internet, trying to brute force ssh servers.

Hi Rob. I'm glad you mentioned that it doesn't do anything for security. Yes it would keep logs a bit cleaner. I've never[1] changed the ssh port on any host and never been terribly worried about the state of the logs as a result.

Changing the port is only really viable for home servers. It can't reliably be done on any service used by a lot of people anymore than you can do this for any other service. You could of course do this if you are using SRV records (if the client supports it) but then you throw away the obscurity aspect anyway.

The idea of changing the port number for SSH seems to stem from the idea that SSH is somehow more dangerous to run than another service and so needs special treatment. I think this idea comes from the fact that a successful SSH login will give you a shell and that sounds a bit scary. The thing to remember is that exploits of other network services normally involve the execution of arbitrary code. And what is the arbitrary code that they run? It is often a shell.

Most Linux systems will be using OpenSSH which comes from the OpenBSD project. It is likely the best audited code on many Linux systems and is thus likely to be less of a threat to system security than running many other services.

Treat all network services as a potential threat whether they are designed to give you a shell or not. Keep the system patched, restrict access to the service to legitimate users if you can, and follow best practice for locking down each service.

[1] I've been using SSH since 1996 or 1997.



Email: robert@timetraveller.org		Linux counter ID #16440
IRC: Solver (OFTC & Freenode)
Web: http://www.practicalsysadmin.com
Contributing member of Software in the Public Interest (http://spi-inc.org/)
Open Source: The revolution that silently changed the world

Reply to: