Changing sshd Port Numbers Continues To Be A Bad Idea

If you were a fan of my post last month that was basically arguing that you shouldn’t change sshd’s default port ┬áthere’s another great post on the topic by Tom Ryder over at his blog, Arabesque. He has a couple points that I didn’t have. You should read his stuff.

If you’re not a fan of our point of view you now have another comment section where you can argue the virtues of security through obscurity.

5 thoughts on “Changing sshd Port Numbers Continues To Be A Bad Idea”

  1. Thanks, I agree. Curious and kind of on the same topic – what’s your stance on naming servers obscure names that have no meaning, like planets or greek gods, instead of something meaningful like the state/city/site/OStype/etc ?

  2. If you’re making ports non-standard, it’s because you’re trying to ensure random outsiders aren’t connecting to your ports.

    In which case you don’t need to change your ports, you need to firewall them and only grant access from certain IPs. Or at the very least, use TCP wrappers – many distributions already have that set up for SSH in their packages. Debian and Ubuntu immediately come to mind.

  3. On the LAN, SSH is accessible on the default proper port 22. Makes life easier. On the router, though, I forward some obscure port to port 22 on my server. This eliminates the non-privileged port problem described in the article as well as pretty much all the other ones too. Still a minor annoyance for configuring the proper port when remoting in, but that’s it. My reason for doing it is to keep the noise in my logs lower. And to confront the points he made against this: yes I rotate logs, use rate limiting, automated banning, and other specific iptables rules. Even with that, changing the port makes a big enough difference. It’s not security and I don’t pretend for it to be, but it keeps a lot of crap out of my logs I’d have to sort through.

Comments are closed.