[vox] Re: security dilemma

Orson Jones orsonjones at runbox.com
Fri Sep 22 12:16:34 PDT 2006


> >Someone else mentioned it also, but I will say it again, using a
> >different port helps reduce the amount of automated attacks that hit
> >your system. I use both port 22, and a different higher number port. I
> >firewall the use of port 22 to a smaller set of addresses and leave the
> >higher port open to the world.
> 
> 1. How can you force an incoming SSH connection to
> switch ports like that?

On the client side, you have to tell your ssh utility to point to a different port. The command line utilities I use have an option to use "-p <port>" or "-P <port>" to select a nonstandard port. The server also has to be configured to listen to that port. In the config file for openssh you change (or add) the line "Port XXXX" to tell it to listen to that port.
 
> 2. Wouldn't a port scanner easily detect the
> higher-numbered port? I thought that's what scanners
> do; find ports that are open because they have
> services listening on them. I don't understand how
> having 2 ports open through the firewall instead of
> one is helpful from a security standpoint. Maybe I'm
> missing something.

Yes, a port scanner could detect an ssh server operating on a nonstandard port, but it has to take time to scan for the port first. After it has found the port, it then could proceed to guess passwords. The reason to do this is to add another step that the hacker has to take to get in. It is just another layer in your security blanket. Plus, it is easy to detect portscans. You could then set up something that blocks that IP at the firewall before it starts guessing passwords.

Having 2 ports open does increase your vulnerability slightly. The reason I do it is for convenience. I use my firewall to only allow access to port 22 from 2-3 IP addresses. This does not decrease my security by enough for me to care. I put ssh on an additional nonstandard port that is available to the entire internet. Although it is possible for someone to portscan me and find it, I have yet to have dictionary attacks hit my ssh service. This allows me to connect from a machine that isn't one of my 2-3 usual ones (which I do from time to time). If you never need to connect from a machine other than the one you mentioned, setting up a second port wouldn't be useful for you.

Orson Jones
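The two-port setup described above, as an added example that is not the poster's own code: it assumes OpenSSH's sshd_config and iptables, and the alternate port (2222) and the allowed addresses (192.0.2.10, 198.51.100.7) are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSH sshd_config
# and iptables; ALT_PORT and the allowed addresses are constructed samples.
set -eu

# sshd_config lines that make sshd listen on port 22 and the alternate port.
sshd_port_lines() {
    alt_port=$1
    printf 'Port 22\nPort %s\n' "$alt_port"
}

# iptables rules: port 22 only from the listed addresses (then dropped for
# everyone else), the alternate port reachable from anywhere.
# Arguments: ALT_PORT followed by the allowed source addresses.
ssh_firewall_rules() {
    alt_port=$1
    shift
    for ip in "$@"; do
        printf 'iptables -A INPUT -p tcp -s %s --dport 22 -j ACCEPT\n' "$ip"
    done
    printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
    printf 'iptables -A INPUT -p tcp --dport %s -j ACCEPT\n' "$alt_port"
}

# Client side: point ssh at the alternate port with -p.
ssh_client_cmd() {
    printf 'ssh -p %s %s\n' "$1" "$2"
}

main() {
    alt_port=2222                      # constructed sample port
    allowed="192.0.2.10 198.51.100.7"  # constructed sample addresses
    echo "# append to /etc/ssh/sshd_config, then restart sshd:"
    sshd_port_lines "$alt_port"
    echo "# firewall rules (review, then run as root):"
    # shellcheck disable=SC2086
    ssh_firewall_rules "$alt_port" $allowed
    echo "# from a machine outside the allowed set:"
    ssh_client_cmd "$alt_port" user@example.com
}

main
```

The script only prints the configuration and commands so they can be reviewed before being applied.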

