Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

The argument for moving SSH off port 22

Published: 2015-01-05
Last Updated: 2015-01-06 00:08:22 UTC
by Rick Wanner (Version: 1)
21 comment(s)

An interesting discussion is occurring on reddit on whether Secure Shell (SSH) should be deployed on a port other than 22 to reduce the likelihood of being compromised.  One interesting comment is that security by obscurity is not a security measure, but a way to delay the attacker, so it provides little value.  While it is true that it is difficult to stop a determined attacker who is targetting you, any measure that stops the random script kiddies and scanners from poking at your SSH is not completely useless.

The truth is that I have been deploying SSH on non-standard ports (typically 52222) for more than 15 years on the Internet facing servers I manage.   Of course this is not the only security measure I employ.  I patch daily; use hosts.allow where practical, keys and passphrases instead of passwords, and deploy DenyHosts.  Do I deploy on a non-standard port because of the security advantages to be had by security by obscurity?  Not at all!  I deploy SSH on a non-standard port because it eliminates all the noise that is every present on port 22.  The continual scanning and attempted brute forcing of SSH that has been on the Internet since the beginning of time, and seems to get worse every year, generates a lot of noise in the logs and is at best a nuisance and at worst service affecting for the server.  Why put up with it if you don’t have to?

It decreases the volume so much that I often have to test my defenses to be sure they are working. Sometimes I even deploy a honeypot on port 22 to see what the bad guys are up to. (-;


-- Rick Wanner MSISE - rwanner at isc dot sans dot edu- - Twitter:namedeplume (Protected)

21 comment(s)
Diary Archives