Re: Securing SSH --> Change ports

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 10/03/2014 04:17 AM, Theodor Sigurjon Andresson wrote:
Yes, when securing your services you *layer* defenses that could include using STO. But when STO is set up in a wrong way it can lead to a security issue. It isn't good to protect your services to slow down or prevent an attack by opening up a security risk. As in this case changing the port of SSH to 2222 isn't a good way to include STO. It doesn't matter how big the risk is, you just don't want this issue to be there. If you want to include STO in your security measures then you have to do it without opening up a security risk because you might be opening up a security risk that could be dangerous. In my opinion that is the case with SSH to port 2222. Changing the port to an privileged unassigned or unused port is a better way to include STO in your security measures for SSH. That way you don't have the risk of another user listening on your SSH. 
I agree with you on two things
- changing the default port is not a security measure, it just lowers the noise in the logs and takes you a bit out of the path of automated scripts looking for easy targets.
- changing the default port to anything above 1024 creates a greater risk than using one below 1024

On the other hand, even if it's easier to start a rouge daemon impersonating sshd to listen on a higher port, if you have a malevolent user already sniffing on a port - any port - from my point of view you already have bigger issues than the potential risk you mentioned.


Incidentally I am a fan of using iptables (recent match) to limit the number of admissible attempts from any given IP to connect to sshd ( yes, I know, it has nothing to do with the initial concern you raised )
_______________________________________________
CentOS-docs mailing list
CentOS-docs@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos-docs

[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Users]     [CentOS Virtualization]     [Linux Media]     [Asterisk]     [Netdev]     [X.org]     [Xfree86]     [Linux USB]     [Project Hail Cloud Computing]

  Powered by Linux