SSH on a Non Standard Port

I recently posted a comment on FOSSwire.com in response to other comments condeming the author for suggesting moving ssh to a port besides 22 was “security through obscurity” and a worthless security measure.

I have argued this topic many times with many different people and felt that comment bears repeating for my downgrade.org audience.

— snip —

Gah! I have heard that argument over and over again about changing ssh to a non-standard port.

“security through obscurity is no security at all” Says the broken record.

I believe heavily in security metrics because numbers are awfully hard to argue with.

In a university environment a machine with ssh on port 22 in my DMZ would receive an average of ~100 invalid login attempts per day (averaged over the course of 2 months).

This same machine in the same DMZ running SSH on port 51234 received an average of zero… no, not a average of zero… just zero.

This effectively eliminates all scripted attacks, worms, Trojans, bots and most uninitiated real attackers.

In fact if you run it on a very high port — say 51234 — most people won’t even find it with a port scanner.

One would have to statically define the port range as most port scanners quit far before 51234.

At that rate scanning ports 1-51234 would take an insane amount of time per host, and most attackers scan huge blocks of hosts.

At that point hopefully an IDS/IPS would pick up the port scan and make the whole thing moot.

Seriously. Its not a fool proof security measure and I certainly wouldn’t use it as the only means of protecting SSH, but its an effective layer. And those same people that are so quick to spew out the “Security through obscurity” cliche are also the same that are quick to pull out the “Layered Security” ones.

— snip —

Leave a Reply

Your email address will not be published. Required fields are marked *

Navigation