[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: OT: Safe to access SSH server from work?

Robert Brockway <robert@timetraveller.org> wrote:
> Yes it would keep logs a bit cleaner.  I've never[1] changed the ssh port 
> on any host and never been terribly worried about the state of the logs as 
> a result.

I tend to take a different view: if I can get rid of "rubbish" from the
logs then it makes it easier for a log scanner (or me) to see potentially
important issues - there's less potential for a false positive.

> Changing the port is only really viable for home servers.  It can't 
> reliably be done on any service used by a lot of people anymore than you 
> can do this for any other service.

At work we run public ssh service on one tightly controlled
system. Actually, that system is configured to use certificate based
login, and the only thing that such accounts can run is sftp. We also use
IP based ACLs within the ssh configuration to help ensure that internal
system accounts cannot be used to login to this box from outside the

This is on port 22, although given the amount of hassle we've had
getting our customers to use sftp instead of FTP, it would have been
only a miniscule incremental change to insist on a different port.

At home I run ssh on a different port (again with a certain amount of
lock-down). The difference here is that there is no 24x7 IT Services
group to monitor suspicious activity: there's only me.

> The idea of changing the port number for SSH seems to stem from the idea 
> that SSH is somehow more dangerous to run than another service and so 
> needs special treatment.

In a skript kiddy world it is more "dangerous" as successful login does
lead to a shell. You are right in that unpatched faulty services can
also lead to a compromise, which is why a public facing system should
run as few of them as possible.

> Most Linux systems will be using OpenSSH which comes from the OpenBSD 
> project.  It is likely the best audited code on many Linux systems and is 
> thus likely to be less of a threat to system security than running many 
> other services.

Er, the Debian ssh flaw from a very few years ago still occasionally
gets thrown at me, as part of some "eeww, you run Linux, don't you" FUD.

> [1] I've been using SSH since 1996 or 1997.

Snap :-)


Reply to: