On Fri, 2015-02-13 at 09:46 -0500, Lamar Owen wrote:

> On 02/13/2015 09:15 AM, Chris Adams wrote:
> > Yeah, the old "move stuff to alternate ports" thing is largely a waste
> > of time and just makes it more difficult for legitimate use. With
> > large bot networks and tools like zmap, finding services on alternate
> > ports is not that hard for the "bad guys".
>
> Having SSH on 22 is lower-hanging fruit than having SSH on a different
> port. Sure, an NBA all-star will be able to reach the apples at the top
> of the tree easily, but most people are not NBA all-stars. Most
> port-scanners do not scan all possible ports.
>
> And I am fully aware that people in the 'it's a waste of time' camp are
> unmoved by that. It's not worth arguing about; those who move to
> non-standard ports are going to want to do it anyway.

Lamar's comments are very sensible.

I always change the SSH port to something conspicuously different. Every server has a different and difficult-to-guess SSH port number with access restricted to a few IP addresses.

Waste of time = all the time and energy required to clean up after a hacker's breach, when a few seconds' work selecting a different port could make a beneficial improvement to security.

--
Regards,

Paul.
England, EU. Je suis Charlie.
On Fri, February 13, 2015 9:05 am, Always Learning wrote:
>
> On Fri, 2015-02-13 at 09:46 -0500, Lamar Owen wrote:
>
>> On 02/13/2015 09:15 AM, Chris Adams wrote:
>> > Yeah, the old "move stuff to alternate ports" thing is largely a waste
>> > of time and just makes it more difficult for legitimate use. With
>> > large bot networks and tools like zmap, finding services on alternate
>> > ports is not that hard for the "bad guys".
>
>> Having SSH on 22 is lower-hanging fruit than having SSH on a different
>> port. Sure, an NBA all-star will be able to reach the apples at the top
>> of the tree easily, but most people are not NBA all-stars. Most
>> port-scanners do not scan all possible ports.
>>
>> And I am fully aware that people in the 'it's a waste of time' camp are
>> unmoved by that. It's not worth arguing about; those who move to
>> non-standard ports are going to want to do it anyway.
>
> Lamar's comments are very sensible.
>
> I always change the SSH port to something conspicuously different. Every
> server has a different and difficult to guess SSH port number with
> access restricted to a few IP addresses.
>
> Waste of time = all the time and energy required to clean-up after a
> hacker's breach when a few seconds work selecting a different port could
> make a beneficial improvement to security.
>

Just to mention (even though someone already mentioned that): changing port numbers, or, say, removing disclosure by the daemon of what software, version, ... it is, does not really add security. Security through obscurity is only considered to be efficient by Windows folks. Quite wrongfully IMHO. So, I would suggest not doing these "non-standard" things, fooling yourself into a wrongful feeling of better security. But instead, maintain the daemons updated. Keep passwords reasonably sophisticated. Do not start unnecessary services. Defend against brute force attacks (I use the "--hitcount" option of iptables on Linuxes and sshguard on FreeBSD).

And speaking of security: maintain the system free of local exploits (update, update, update...), that is, if (when I always consider it for my systems) the bad guys are already in, they cannot successfully elevate privileges. Each of the above is like a big chapter on system security, each said in one short phrase. And most importantly, read a good fundamental Unix/Linux system book, and revisit your system configurations (from a security point of view) while reading.

Just my $0.02

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
Always Learning wrote:
>
> On Fri, 2015-02-13 at 09:46 -0500, Lamar Owen wrote:
>
>> On 02/13/2015 09:15 AM, Chris Adams wrote:
>> > Yeah, the old "move stuff to alternate ports" thing is largely a waste
>> > of time and just makes it more difficult for legitimate use. With
>> > large bot networks and tools like zmap, finding services on alternate
>> > ports is not that hard for the "bad guys".
>
>> Having SSH on 22 is lower-hanging fruit than having SSH on a different
>> port. Sure, an NBA all-star will be able to reach the apples at the top
>> of the tree easily, but most people are not NBA all-stars. Most
>> port-scanners do not scan all possible ports.
>>
>> And I am fully aware that people in the 'it's a waste of time' camp are
>> unmoved by that. It's not worth arguing about; those who move to
>> non-standard ports are going to want to do it anyway.
>
> Lamar's comments are very sensible.
>
> I always change the SSH port to something conspicuously different. Every
> server has a different and difficult to guess SSH port number with
> access restricted to a few IP addresses.
<snip>

I disagree - I am in the "waste of time" camp. The reality is that only script kiddies start out by trying 22 (and I *do* mean script kiddies - I've seen attempts to ssh in that were obviously from warez, man, where they were too stupid to fill in ___ with a username, or salt). All the others, I figure they don't need to be major league, just someone with a clue, who'll run a scan; in fact, I'd expect them to run a scan just to see what IPs were visible, and I know that if I was writing a scan, I don't assume that I'm *so* brilliant that I'm the only one to think of scanning ports < 1k while looking for systems that I might hit.

mark
> On Feb 13, 2015, at 9:03 AM, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>
> ...changing port numbers...does not really add security. Security through
> obscurity is only considered to be efficient by Windows folks.

"Security through obscurity" is an overused mantra of derision. Originally, it was a cry against systems where obscurity was the *only* security measure taken. You could legitimately use it today against software that uses a Caesar cipher instead of AES, or against an admin who moves a publicly-visible file to a nonstandard location to hide it instead of changing its permissions away from world-readable.

Obscurity as an addition to other forms of strength has been a useful tactic since before the Roman Empire was founded.

"...that general is successful in defense whose opponent does not know what to attack." -- Sun Tzu, approx 500 BCE

Moving the sshd listening port greatly cuts down on the amount of log spam you get from bots. Yes, the script kiddies can still find your server. But before you dismiss this tactic, try the experiment. Move your sshd to a different port and see what happens to your log spam.

Another legitimate reason to move the SSH port is to cope with overly-restrictive outbound firewalls on other people's networks. We have one SSH server that listens on port 110 because the site that logs into it has unconditionally blocked port 22 outbound, and we can't get the local admin to open that port up for us.

If you want to talk about naive security associated with Windows admins, let's talk about admins who block SSH, which is almost never a *successful* attack vector, while still allowing outbound POP3 connections in a world where email is probably the #1 vector. :facepalm:
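The "try the experiment" suggestion in the post above needs a way to measure the log spam. The script below is an added example by the editor, not code from anyone in this thread: it counts sshd password failures per source address from syslog-format lines (what CentOS writes to /var/log/secure) and separates guesses against non-existent accounts ("invalid user", the usual bot pattern) from failures against real ones. The hostname, PIDs and addresses in SAMPLE_LOG are constructed (RFC 5737 documentation ranges); run the same functions over the real log before and after changing the port to compare.

```shell
#!/bin/sh
# Added example, not code from the list thread: measure sshd "log spam" by
# counting failed logins per source address. SAMPLE_LOG is constructed in the
# format sshd writes via syslog; feed the real log on stdin instead, e.g.
#   count_failed_by_ip < /var/log/secure

SAMPLE_LOG='Feb 13 09:15:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51822 ssh2
Feb 13 09:15:03 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51823 ssh2
Feb 13 09:15:05 web1 sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 51824 ssh2
Feb 13 09:15:07 web1 sshd[2106]: Failed password for invalid user oracle from 203.0.113.7 port 51825 ssh2
Feb 13 09:15:09 web1 sshd[2108]: Failed password for invalid user test from 203.0.113.7 port 51826 ssh2
Feb 13 09:16:40 web1 sshd[2110]: Failed password for invalid user pi from 198.51.100.23 port 40012 ssh2
Feb 13 09:16:42 web1 sshd[2111]: Invalid user ubnt from 198.51.100.23
Feb 13 09:17:00 web1 sshd[2115]: Accepted publickey for paul from 192.0.2.10 port 55000 ssh2
Feb 13 09:18:30 web1 sshd[2120]: Failed password for paul from 192.0.2.10 port 55010 ssh2'

# Print one line per source address: "<failures> <of-which-invalid-user> <ip>",
# busiest source first. Reads log lines on stdin. Only "Failed password" lines
# are counted; the "port NNNN" in them is the client's source port, so the
# listening port cannot be read from the log itself.
count_failed_by_ip() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "") next
            total[ip]++
            if ($0 ~ / invalid user /) invalid[ip]++
        }
        END {
            for (ip in total) printf "%d %d %s\n", total[ip], invalid[ip] + 0, ip
        }
    ' | sort -rn
}

# Print the addresses with at least $1 failures: candidates for a firewall
# drop rule or for an sshguard/fail2ban-style automatic reaction.
noisy_sources() {
    count_failed_by_ip | awk -v min="$1" '$1 >= min { print $3 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | count_failed_by_ip
printf '%s\n' "$SAMPLE_LOG" | noisy_sources 3
```

On the sample, 203.0.113.7 accounts for five of the seven failures, three of them for accounts that do not exist, which is the shape of a bot run; the single failure from 192.0.2.10 against a real user is the kind of line worth reading by hand. Comparing the per-address totals from a week on port 22 with a week on the new port is the experiment the post proposes.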
On Fri, 2015-02-13 at 10:03 -0600, Valeri Galtsev wrote:
> On Fri, February 13, 2015 9:05 am, Always Learning wrote:
> > I always change the SSH port to something conspicuously different. Every
> > server has a different and difficult to guess SSH port number with
> > access restricted to a few IP addresses.
>
> Just to mention (even though someone already mentioned that): changing
> port numbers, or, say removing disclosure by the daemon what software,
> version, ... it is does not really add security. Security through
> obscurity is only considered to be efficient by Windows folks. Quite
> wrongfully IMHO.

Changing the SSH port is the *START* of extra security (no Port 22 here) - not the end of my efforts. SSH ports are 'protected' by restricting access from and to designated IPs.

--
Regards,

Paul.
England, EU. Je suis Charlie.
On Fri, 2015-02-13 at 11:21 -0500, m.roth at 5-cent.us wrote:
> I disagree - I am in the "waste of time" camp. The reality is that only
> script kiddies start out by trying 22 (and I *do* mean script kiddies -
> I've seen attempts to ssh in that were obviously from warez, man, where
> they were too stupid to fill in ___ with a username, or salt. All the
> others, I figure they don't need to be major league, just someone with a
> clue, who'll run a scan; in fact, I'd expect them to run a scan just to
> see what IPs were visible, and I know that if I was writing a scan, I
> don't assume that I'm *so* brilliant that I'm the only one to think of
> scanning ports < 1k while looking for systems that I might hit.

Changing the SSH port to a non-standard port is the beginning. Restricting access to that port to a few IPs is another layer of protection .... and then more things are done to lessen the chances of unauthorised access.

--
Regards,

Paul.
England, EU. Je suis Charlie.
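Two of the measures argued for in this thread, Paul's "access restricted to a few IP addresses" and Valeri's iptables "--hitcount" brute-force defence, fit in one small rule set. The script below is an added example by the editor, not code from anyone in the thread or from the CentOS project: it builds iptables rules that let only a short list of trusted source networks reach the sshd port and rate-limit new connections from those sources with the "recent" match. The port (2222), the networks (RFC 5737 documentation ranges) and the chain names SSH_IN and SSH_TRUSTED are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the list thread. Builds the iptables rules for
# an sshd on a non-standard port: only TRUSTED_NETS may reach it, and each
# trusted source is limited to HITCOUNT-1 new connections per WINDOW seconds
# (the "recent" match's --hitcount). Port, networks and chain names are
# constructed for the example; adjust them before use.
#
# Default is a dry run that prints the commands. Set APPLY=1 and run as root
# to execute them.

SSH_PORT=${SSH_PORT:-2222}                                    # must match "Port" in sshd_config
TRUSTED_NETS=${TRUSTED_NETS:-"192.0.2.10/32 198.51.100.0/24"} # constructed, RFC 5737 ranges
HITCOUNT=${HITCOUNT:-4}   # the HITCOUNTth new connection from one source ...
WINDOW=${WINDOW:-60}      # ... within this many seconds is dropped
[ -n "$APPLY" ] || DRY_RUN=1

# Print the command in a dry run, execute it otherwise.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

ssh_firewall_rules() {
    # Private chains, flushed each time, so the rule set can be rebuilt idempotently.
    for chain in SSH_IN SSH_TRUSTED; do
        run iptables -N "$chain" 2>/dev/null || true
        run iptables -F "$chain"
    done

    # SSH_TRUSTED: record every new connection per source address, then drop a
    # source that has reached HITCOUNT new connections inside WINDOW seconds.
    # Packets of established sessions are not NEW and fall through to ACCEPT.
    run iptables -A SSH_TRUSTED -m conntrack --ctstate NEW \
        -m recent --set --name SSH
    run iptables -A SSH_TRUSTED -m conntrack --ctstate NEW \
        -m recent --update --seconds "$WINDOW" --hitcount "$HITCOUNT" --name SSH -j DROP
    run iptables -A SSH_TRUSTED -j ACCEPT

    # SSH_IN: only the trusted networks get as far as SSH_TRUSTED; all else is dropped.
    for net in $TRUSTED_NETS; do
        run iptables -A SSH_IN -s "$net" -j SSH_TRUSTED
    done
    run iptables -A SSH_IN -j DROP

    # Hook the chain into INPUT for the chosen port, removing any earlier copy first.
    run iptables -D INPUT -p tcp --dport "$SSH_PORT" -j SSH_IN 2>/dev/null || true
    run iptables -I INPUT -p tcp --dport "$SSH_PORT" -j SSH_IN
}

ssh_firewall_rules
```

Two practical notes. The sshd side has to agree: `Port 2222` in sshd_config, and on CentOS with SELinux enforcing, `semanage port -a -t ssh_port_t -p tcp 2222` before restarting sshd, or it will refuse to bind. And the hitcount rule counts the administrator's own connections too, so a burst of scripted scp or rsync sessions from a trusted address will lock that address out for WINDOW seconds; raise HITCOUNT, or use a ControlMaster-style shared connection, if that bites.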