Theodor Sigurjon Andresson
2014-Oct-02 22:45 UTC
[CentOS-docs] Securing SSH --> Change ports
In there you are almost telling people that security through obscurity is a good way. That might sometimes be true but in this case it could mean that you would be handing passwords and other data out.

When you start SSH on port 22 it is done with root privileges because the root user is the only one that can use ports below 1024. Root is the only user that can listen to that port or do something with it. If you move the port to 2222 for example you move SSH to a port that can be used without a privileged user. This would mean I could write a script that listens to port 2222 and mimics SSH to capture the passwords. Changing the port of SSH to 2222 or anything above 1024 makes SSH less secure. Pretty ironic that this is in the "Securing SSH" chapter. This should never be done.

Location: http://wiki.centos.org/HowTos/Network/SecuringSSH#head-3579222198adaf43a3ecbdc438ebce74da40d8ec

username: TheodorAndresson
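An added example, not part of the original post or of the CentOS wiki: a small Python audit script (function names `sshd_ports`, `check_ports` and `unprivileged_port_start` are my own) that reads the `Port` and `ListenAddress` directives from sshd_config text and flags every configured port that an unprivileged local user could bind. It uses the Linux `net.ipv4.ip_unprivileged_port_start` sysctl as the boundary, since on kernels 4.11 and later an administrator can lower it below the 1024 the post assumes.

```python
import re

# Linux default: ports below this need root or CAP_NET_BIND_SERVICE to bind.
DEFAULT_UNPRIV_START = 1024

def unprivileged_port_start(path="/proc/sys/net/ipv4/ip_unprivileged_port_start"):
    """First port an unprivileged user may bind. Linux 4.11+ lets admins lower
    this sysctl, so read the live value instead of assuming 1024."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return DEFAULT_UNPRIV_START

def sshd_ports(config_text):
    """Ports sshd will listen on, from 'Port N' and 'ListenAddress addr:N' or
    '[v6addr]:N' directives. A ListenAddress without a port, or no
    ListenAddress at all, listens on every Port value (default 22)."""
    listen, port_values = [], set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, val = parts[0].lower(), parts[1].strip()
        if key == "port" and val.isdigit():
            port_values.add(int(val))
        elif key == "listenaddress":
            m = re.match(r"^(?:\[[^\]]+\]|[^:]+):(\d+)$", val)
            listen.append(int(m.group(1)) if m else None)
    ports = {p for p in listen if p is not None}
    if not listen or None in listen:
        ports |= port_values or {22}
    return sorted(ports)

def check_ports(config_text, unpriv_start=DEFAULT_UNPRIV_START):
    """Map each configured port to 'privileged' (only root can bind it) or
    'unprivileged' (any local user could bind it while sshd is not holding it,
    which is the impersonation risk the post describes)."""
    return {p: "privileged" if p < unpriv_start else "unprivileged"
            for p in sshd_ports(config_text)}

# Constructed sample configs for the demo, not taken from any real host.
WIKI_STYLE = "Port 2222\n"                        # the setting the post objects to
PRIVILEGED = "Port 101\nListenAddress 0.0.0.0\n"  # the privileged port suggested in the thread

if __name__ == "__main__":
    for name, cfg in (("wiki-style", WIKI_STYLE), ("privileged", PRIVILEGED)):
        print(name, check_ports(cfg, unprivileged_port_start()))
```

Run it against a copy of /etc/ssh/sshd_config on the host in question; any port reported as "unprivileged" is one a local, non-root user could bind whenever sshd is not holding it.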
On 10/02/2014 03:45 PM, Theodor Sigurjon Andresson wrote:
> In there you are almost telling people that security through obscurity is a good way. [...]

What do you think about using a privileged but unassigned port such as 101?

- Karsten

-- 
Karsten 'quaid' Wade
CentOS Doer of Stuff
http://TheOpenSourceWay.org
http://community.redhat.com
@quaid (identi.ca/twitter/IRC)
gpg: AD0E0C41
The context for ssh !22 is about what others could/would do to an ssh daemon. This includes script kiddies or some zero day exploit trolling for *easy* targets. If you have someone creating a listener on the server, you have an entirely different issue. How often do you randomly connect to some system on port 2222 and provide *your* username and password?

I am *not* saying security through obscurity = security, but many IDS/IPS/anti-port scanners will begin defensive actions when you plow through ports looking for an ssh connection. So instead of being an easier 1 port script kiddie target you *layer* defenses (including possible STO). Basically anything to slow down or deter or prevent an attack is good IMHO. Just my 2cents of course.

pjwelsh

On Thu, Oct 2, 2014 at 5:45 PM, Theodor Sigurjon Andresson <TheodorSiAn at kvenno.is> wrote:
> In there you are almost telling people that security through obscurity is a good way. [...]
Theodor Sigurjon Andresson
2014-Oct-03 01:17 UTC
[CentOS-docs] Securing SSH --> Change ports
Yes, when securing your services you *layer* defenses that could include using STO. But when STO is set up in a wrong way it can lead to a security issue. It isn't good to protect your services to slow down or prevent an attack by opening up a security risk. As in this case changing the port of SSH to 2222 isn't a good way to include STO. It doesn't matter how big the risk is, you just don't want this issue to be there.

If you want to include STO in your security measures then you have to do it without opening up a security risk because you might be opening up a security risk that could be dangerous. In my opinion that is the case with SSH to port 2222. Changing the port to a privileged unassigned or unused port is a better way to include STO in your security measures for SSH. That way you don't have the risk of another user listening on your SSH.

________________________________________
From: centos-docs-bounces at centos.org [centos-docs-bounces at centos.org] on behalf of PJ Welsh [pjwelsh at gmail.com]
Sent: Thursday, October 02, 2014 23:49
To: Mail list for wiki articles
Subject: Re: [CentOS-docs] Securing SSH --> Change ports

The context for ssh !22 is about what others could/would do to an ssh daemon. [...]

pjwelsh

On Thu, Oct 2, 2014 at 5:45 PM, Theodor Sigurjon Andresson <TheodorSiAn at kvenno.is> wrote:
In there you are almost telling people that security through obscurity is a good way. [...]