[ale] Using ~/.ssh/config Better?

David Tomaschik david at systemoverlord.com
Fri Apr 22 16:27:13 EDT 2011


Yes, but it won't show up on a scan like:

nmap -p 22 192.168.0.0/16

It's not security, it just keeps the logs quieter.

David


On Fri, Apr 22, 2011 at 4:00 PM, James Sumners <james.sumners at gmail.com> wrote:
> What's the saying? Security through obscurity is not security?
> Changing the port number doesn't hide the fact that it's sshd
> listening on that new port. As a test, I started sshd on port 24 in a
> VM:
>
> =========================
> $ nmap -A -p 24 localhost
>
> Starting Nmap 5.00 ( http://nmap.org ) at 2011-04-22 15:54 EDT
> Interesting ports on localhost (127.0.0.1):
> PORT   STATE SERVICE VERSION
> 24/tcp open  ssh     OpenSSH 5.5p1 Debian 6 (protocol 2.0)
> |  ssh-hostkey: 1024 3c:af:bb:db:2f:87:d3:71:90:76:65:8c:ec:b6:b7:0f (DSA)
> |_ 2048 db:dc:48:19:94:ab:8d:68:a8:fc:89:79:6f:cb:63:09 (RSA)
> Service Info: OS: Linux
> =========================
>
> So if someone wants to scan your machine for an SSH listener they only
> have to change the -p value, e.g. `nmap -A -p 1-20000 example.com`. It
> might take them a while to complete that scan, but they'll find your
> SSH daemon. Thus, I don't think it is worth it to move the port
> number. It's one less thing for me to have to remember ("which port
> did I move it to?").
>
> If I had some sort of reason to move it then I would. Maybe my ISP
> blocks 22 (which they don't) or I want to try and get around some
> wi-fi pay wall. But until then, I just don't care enough.
>
>
> On Fri, Apr 22, 2011 at 2:23 PM, JD <jdp at algoloma.com> wrote:
>> I am sorta shocked that you use port 22, however.  I'm running Fail2Ban,
>> but don't want to see any logs that aren't important so listening on a
>> non-default port nearly eliminates those bogus attempts.
>>
>> Is there a reason to ssh listen on port 22 besides habit?
>> Perhaps your firewall allows outbound connections on that port?
>> Where I've worked, I always had to move my ssh listener to port 443 to
>> get outside at all.  Anything that didn't go through their webproxy was
>> blocked on internal desktop subnets.
>
>
> --
> James Sumners
> http://james.roomfullofmirrors.com/
>
> "All governments suffer a recurring problem: Power attracts
> pathological personalities. It is not that power corrupts but that it
> is magnetic to the corruptible. Such people have a tendency to become
> drunk on violence, a condition to which they are quickly addicted."
>
> Missionaria Protectiva, Text QIV (decto)
> CH:D 59
>



-- 
David Tomaschik, RHCE, LPIC-1
System Administrator/Open Source Advocate
OpenPGP: 0x5DEA789B
http://systemoverlord.com
david at systemoverlord.com
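The log noise David refers to, and the per-source failure counts Fail2Ban keys on, can be seen with a small POSIX shell script; this is an added example, not code from the thread or from Fail2Ban, and the auth.log lines, hostname and addresses in SAMPLE_LOG are constructed.

```shell
#!/bin/sh
# Constructed sample of sshd auth.log lines (not real log data).
SAMPLE_LOG='Apr 22 15:50:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Apr 22 15:50:03 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Apr 22 15:50:07 host sshd[1207]: Failed password for root from 203.0.113.5 port 51251 ssh2
Apr 22 15:51:10 host sshd[1210]: Accepted publickey for david from 192.0.2.10 port 40022 ssh2
Apr 22 15:52:44 host sshd[1215]: Failed password for invalid user test from 198.51.100.7 port 33010 ssh2'

# failed_per_source: print "<count> <ip>" for every source address with
# at least one "Failed password" line, highest count first.
failed_per_source() {
    printf '%s\n' "$SAMPLE_LOG" |
        awk '/sshd\[[0-9]+\]: Failed password/ {
                 # the source address is the field after the word "from"
                 for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
             }
             END { for (ip in n) print n[ip], ip }' |
        sort -rn
}

# noisy_sources THRESHOLD: source addresses with THRESHOLD or more failures,
# i.e. the ones a Fail2Ban-style rule would act on.
noisy_sources() {
    failed_per_source | awk -v t="$1" '$1 >= t { print $2 }'
}

failed_per_source
echo "--- sources at or above 3 failures:"
noisy_sources 3
```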