[vox-tech] Why change default ssh port?
Micah J. Cowan
micah at cowan.name
Mon Jun 12 12:23:59 PDT 2006
On Mon, Jun 12, 2006 at 11:59:24AM -0700, Rick Moen wrote:
> Quoting MB (sparkynine at yahoo.com):
>
> > Every little bit of security/obfuscation helps.
>
> Don't forget to make /etc/issue and /etc/issue.net claim that you're
> running ITS on SuperNintendo. _Somebody_ might be fooled.
>
> Putting lampshades on top of your servers could be just the protection you
> need, too.
>
> > Just changing the SSH port probably removes 90% of the threats with 10%
> > of the effort.
>
> It certainly does win in the "easier than thinking" department.

This seems a /bit/ harsh. And MB does make a valid point that the ROI on
simply shifting the ports is somewhat impressive.

But I agree that it's a poor substitute for truly improving security.

I'm not against changing the port, as it does hide the service's
existence, but it ought to at least be coupled with, and is certainly no
replacement for, ensuring that you are running a properly configured and
up-to-date service. Sadly, it seems likely that a support staff unwise
enough not to announce the move beforehand (thus creating a serious
support issue for themselves) is unlikely to take it any further than
the port move.

I think a good analogy for changing the port number to something
nonstandard might be writing a "secret" message using a Caesar-style
cipher. It /does/ provide some security. Someone reading through several
messages might be discouraged from bothering with your non-plaintext
message, and go for lower-hanging fruit (unfortunately, this seems to be
the only goal in too many people's security models), but anyone with the
smallest incentive to read your particular message (or, who is perhaps
intrigued by the fact that it's not plaintext in the first place) will
discover its content quite quickly. No one employing it should deceive
themselves into thinking that their communiqué is confidential.

Using a simple cipher also gives a decent return/investment ratio. But
that should not distract one from the fact that the return itself may
not be sufficient for one's needs.
--
Micah J. Cowan
Programmer, musician, typesetting enthusiast, gamer...
http://micah.cowan.name/