[vox-tech] Why change default ssh port?

Rick Moen rick at linuxmafia.com
Fri Jun 16 17:31:34 PDT 2006


Please pardon my sudden flurry of posts on this subject, but it's
something I've been pondering about recently.  Ryan, you'll probably
have noticed that this and similar topics tend to be a see-saw affair
between people saying "Do this; it'll result in fewer attacks being
able to find you" and others (like me) replying "That's not helpful."

Part of the reason the discussion tends towards the interminable is
that opponents never quite articulate their objection very well.  I'm 
as guilty of this as anyone:  I tend to make a crusty jibe about hiding, 
and then not elaborate.  Meanwhile, proponents correctly point out that
their hiding strategies in various fields of computing (non-standard
ports reducing dictionary attacks, e-mail address munging cutting down
spammer address harvesting, etc.) objectively reduce attack volume.

So, let me attempt to figure out and articulate why those tactics tend
to trigger a borderline-instinctive "reject" impulse from many sysadmins:

1.  Solving the Wrong Problem.  A system with a publicly exposed
vulnerability is no less vulnerable if you reduce attack volume by 90%.
The real problem is the vulnerability.  Equally, if you're being
overwhelmed by attack statistics and afraid of missing something
important, then the real problem _there_ isn't attack volume per se, but
rather poorly configured reporting.  Also, focussing on the wrong problem
_can_ (but doesn't necessarily) create an additional, all-new problem:

2.  False Assurance.  Many an admin, over the years, has fooled
himself/herself into thinking "My system [/service, whatever] is too
obscure for the bad guys to bother with."  Hiding strategies tend to 
produce their own variant of that mental bad habit:  You can easily
think "I don't have to hurry to reduce that risk.  I'm low-profile,
these days."  It's much healthier if you fix the underlying risks.  If
you do, then you're worry-free every bit as much on port 22 as on any
other.  

(How do you become worry-free?  Run software that doesn't suck, and
absolutely minimise Internet-facing services:
http://www.ranum.com/security/computer_security/editorials/master-tzu/)

3.  We Were Here First.  Speaking for myself, I'll be damned if I'll
abandon port 22 just because a bunch of cretin kiddies and Russian
mafiosi with automated 'sploit code and dictionary files want to conduct
doorknob-twisting on it.  Likewise, it's beneath my dignity to obscure
my e-mail address just because someone might try to send it adverts for 
dubious investment opportunities.  Do those guys think they're better at
Internet management than the open-source technical community is?   Well,
they're wrong, and they can kiss my shiny Exim rulesets.

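Point 1 above blames "poorly configured reporting" rather than attack volume for the feeling of being swamped by dictionary attacks on port 22. The following script is an added example and not part of the original post: it reads sshd syslog lines (the sample lines are constructed, not real logs) and reports password-guessing as aggregate counts per source address while listing each successful login individually, flagging any success from an address that was also guessing. The log format assumed is the usual "Failed password for ..." / "Accepted <method> for ..." wording that OpenSSH writes; the field names in the summary dict are this example's own.

```python
"""Summarise sshd authentication log lines so that dictionary-attack noise
is reported as aggregate counts while the events that actually matter
(successful logins) remain visible one by one."""
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not from the original post), in the
# syslog format sshd writes on most Linux systems.
SAMPLE_LOG = """\
Jun 16 17:01:02 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Jun 16 17:01:04 host sshd[1203]: Failed password for invalid user test from 198.51.100.7 port 40130 ssh2
Jun 16 17:01:06 host sshd[1205]: Failed password for root from 198.51.100.7 port 40141 ssh2
Jun 16 17:01:09 host sshd[1207]: Failed password for invalid user oracle from 203.0.113.9 port 51000 ssh2
Jun 16 17:05:30 host sshd[1250]: Accepted publickey for rick from 192.0.2.10 port 52210 ssh2
Jun 16 17:09:12 host sshd[1262]: Failed password for root from 198.51.100.7 port 40190 ssh2
Jun 16 17:10:45 host sshd[1270]: Accepted password for root from 198.51.100.7 port 40201 ssh2
"""

# "invalid user" is present when the account does not exist at all.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def summarise(log_text):
    """Return aggregate failure counts plus every individual accepted login."""
    failures_by_ip = Counter()
    users_by_ip = defaultdict(set)
    accepted = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures_by_ip[m["ip"]] += 1
            users_by_ip[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append({"user": m["user"], "ip": m["ip"], "method": m["method"]})
    # A successful login from an address that was also guessing passwords is
    # the one event that must never be buried under the failure noise.
    suspicious = [a for a in accepted if failures_by_ip.get(a["ip"], 0) > 0]
    return {
        "failures_by_ip": dict(failures_by_ip),
        "users_by_ip": {ip: sorted(users) for ip, users in users_by_ip.items()},
        "accepted": accepted,
        "suspicious": suspicious,
    }


def render(summary):
    """Format the summary as a short report: counts for noise, one line per login."""
    out = ["Password-guessing sources (aggregated):"]
    for ip, n in sorted(summary["failures_by_ip"].items(), key=lambda kv: -kv[1]):
        users = ", ".join(summary["users_by_ip"][ip])
        out.append(f"  {ip}: {n} failures, usernames tried: {users}")
    out.append("Successful logins (each one listed):")
    for a in summary["accepted"]:
        flag = "  <-- from a guessing source, investigate" if a in summary["suspicious"] else ""
        out.append(f"  {a['user']} via {a['method']} from {a['ip']}{flag}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(summarise(SAMPLE_LOG)))
```

Run against a real `/var/log/auth.log` the same way by passing the file contents to `summarise()`; the point is that a thousand failures collapse to a handful of lines, so a single accepted password login from a brute-forcing address is not lost, on port 22 or anywhere else.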


