Changing sshd Port Numbers Continues To Be A Bad Idea

by Bob Plankers on November 20, 2012 · 5 comments

in System Administration

If you were a fan of my post last month that was basically arguing that you shouldn’t change sshd’s default port  there’s another great post on the topic by Tom Ryder over at his blog, Arabesque. He has a couple points that I didn’t have. You should read his stuff.

If you’re not a fan of our point of view you now have another comment section where you can argue the virtues of security through obscurity.

{ 4 comments }

rob November 21, 2012 at 11:20 AM

Thanks, I agree. Curious and kind of on the same topic – what’s your stance on naming servers obscure names that have no meaning, like planets or greek gods, instead of something meaningful like the state/city/site/OStype/etc ?

Ernie November 21, 2012 at 12:50 PM

If you’re making ports non-standard, it’s because you’re trying to ensure random outsiders aren’t connecting to your ports.

In which case you don’t need to change your ports, you need to firewall them and only grant access from certain IPs. Or at the very least, use TCP wrappers – many distributions already have that set up for SSH in their packages. Debian and Ubuntu immediately come to mind.

Miademora November 21, 2012 at 1:04 PM

Having less noise to deal with is a huge benefit in my experience. Depends on your servercount though.

Defron November 25, 2012 at 6:07 PM

On the LAN, SSH is accessible on the default proper port 22. Makes life easier. On the router, though, I forward some obscure port to port 22 on my server. This eliminates the non-privileged port problem described in the article as well as pretty much all the other ones too. Still a minor annoyance for configuring the proper port when remoting in, but that’s it. My reason for doing it is to keep the noise in my logs lower. And to confront the points he made against this: yes I rotate logs, use rate limiting, automated banning, and other specific iptables rules. Even with that, changing the port makes a big enough difference. It’s not security and I don’t pretend for it to be, but it keeps a lot of crap out of my logs I’d have to sort through.

Comments on this entry are closed.

{ 1 trackback }

Previous post:

Next post: