[ Check out my latest post on the HP Security Blog: “The Secure Web Series, Part 2: How to Avoid User Account Harvesting” ]
Over on Hacker News there’s a story running about why it’s not a good idea to run SSH on an alternative port.
Let’s take his points one by one:
- He starts by blasting security by obscurity, which is a favorite red herring for people who almost understand the topic. There’s a difference between using obscurity as a layer and using it as your ONLY layer, and it’s not a small one.
- Next he talks about this non-root listener issue. He claims that you shouldn’t run your SSH daemon on a non-privileged port because anyone can spin up a daemon up there. Great point, except you can still do that even if you run your main one on 22. Or, to put it another way, if you have random people spinning up daemons on your boxes, you don’t have an SSH problem.
- His next point is that many applications naturally use 22, and would be confused by it being somewhere else. That’s the point of moving it—malware and potential zero-days will think it’s there, too.
- From there he mentions port-knocking, which, ironically, is an obscurity layer.
Let me clarify quickly, and you can read more here if you want.
- Security is only “by obscurity” if it’s the ONLY layer—not if it’s added on top of existing security. If you have a solid SSH configuration, e.g. patched, passwords disabled, use of keys, etc., and you THEN move the port, you’ve added security. [ experiment result ]
- A great way to see this is to look at a modern military tank. They use camouflage, no? Why would they do that? Doesn’t that make them more vulnerable? No, it doesn’t. Painting your armor the color of the surroundings doesn’t remove your armor, it just makes it less likely that someone will target you.
- Just to see what would happen, I tried to gather some actual data on this and ran two SSH ports for a few days. The result was something like 5 connections on the non-standard port, compared to tens of thousands on 22. Now imagine there’s a new SSH zero-day out, and ask yourself which config is more likely to get popped.
Bottom line: be wary of the “by obscurity” argument. It’s used incorrectly more often than not, with the article above being a case in point.
Thank you for visiting.blog comments powered by Disqus