Re: Securing SSH --> Change ports

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/02/2014 04:47 PM, Theodor Sigurjon Andresson wrote:
> To change it to unassigned privileged port would be a much better 
> idea if the user insists on changing it. I personally don't like
> the idea of security through obscurity at all. However if I
> remember correctly there are some programs that depend on SSH to be
> run on port 22. Usually easily changed but sometimes it can't be. I
> might be wrong though.

When I've changed ports, it's always been to a privileged port mainly
for the reasons you identify as risks. I usually do it to quite
logwatch complaining at all the false login attempts on port 22. I
know there are probably better ways to deal with that, but when it
comes to machines that are designed to be shelled in to from various
IP addresses, it's harder to design a firewall or hosts.deny that has
a low enough barrier.

- - Karsten

> ________________________________________ From: 
> centos-docs-bounces@xxxxxxxxxx [centos-docs-bounces@xxxxxxxxxx] on 
> behalf of Karsten Wade [kwade@xxxxxxxxxx] Sent: Thursday, October
> 02, 2014 22:49 To: centos-docs@xxxxxxxxxx Subject: Re:
>  Securing SSH --> Change ports
> 
> On 10/02/2014 03:45 PM, Theodor Sigurjon Andresson wrote:
>> In there you are almost telling people that security through 
>> obscurity is a good way. That might sometimes be true but in this
>>  case it could mean that you would be handing passwords and other
>>  data out.
> 
>> When you start SSH on port 22 it is done with root privileges 
>> because the root user is the only one that can use ports below 
>> 1024. Root is the only user that can listen to that port or do 
>> something with it. If you move the port to 2222 for example you 
>> move SSH to a port that can be used with out a privileged user. 
>> This would mean I could write a script that listens to port 2222
>>  and mimics SSH to capture the passwords. Changing the port of
>> SSH to 2222 or anything above 1024 makes SSH less secure. Pretty 
>> ironic that this is in the "Securing SSH" chapter.  This should 
>> never be done.
> 
>> Location: 
>> http://wiki.centos.org/HowTos/Network/SecuringSSH#head-3579222198adaf43a3ecbdc438ebce74da40d8ec
>
>>
>> 
> 
> username: TheodorAndresson
> 
>> _______________________________________________ CentOS-docs 
>> mailing list CentOS-docs@xxxxxxxxxx 
>> http://lists.centos.org/mailman/listinfo/centos-docs
> 
> 
> What do you think about using a privileged but unassigned port
> such as 101?
> 
> - Karsten _______________________________________________
> CentOS-docs mailing list CentOS-docs@xxxxxxxxxx 
> http://lists.centos.org/mailman/listinfo/centos-docs 
> _______________________________________________ CentOS-docs
> mailing list CentOS-docs@xxxxxxxxxx 
> http://lists.centos.org/mailman/listinfo/centos-docs
> 

- -- 
Karsten 'quaid' Wade        .^\          CentOS Doer of Stuff
http://TheOpenSourceWay.org    \  http://community.redhat.com
@quaid (identi.ca/twitter/IRC)  \v'             gpg: AD0E0C41
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlQuOBYACgkQ2ZIOBq0ODEFsYACgpjpMPRU1zEo49A+eQ5/3kwvG
BYUAn30b8A69+np+/77RD+lUGm9oxT6W
=0eLJ
-----END PGP SIGNATURE-----
_______________________________________________
CentOS-docs mailing list
CentOS-docs@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos-docs




[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Users]     [CentOS Virtualization]     [Linux Media]     [Asterisk]     [Netdev]     [X.org]     [Xfree86]     [Linux USB]     [Project Hail Cloud Computing]

  Powered by Linux