Comments
I never said it was security. I said it will not impact your security as long as you keep the port below 1024.
I agree that against targeted attacks obscurity is not much help.
@MCHPhil if the SSH port at the default location works for you, then great!
For me, changing the default port works best.
No need to be an a** and insult people over it.
I did several things including changing the default port and, to be honest, it doesn't help much. Now I'm running fail2ban, using SSH keys and only allowing SSH login from a trusted IP zone.
cheers
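The fail2ban-style approach mentioned in the post above, as an added illustration that is not code from the thread or from the fail2ban project: a simplified sshd jail that scans authentication log lines for failed password attempts and bans a source once it reaches `maxretry` hits inside a sliding `findtime` window (the same two parameters fail2ban uses). The log lines, host name, IP addresses and the year passed to the timestamp parser are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth.log lines (no real host or address); the layout
# follows the classic syslog format sshd writes on Debian-style systems.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 vps sshd[1201]: Failed password for root from 203.0.113.7 port 50212 ssh2
Mar  3 10:00:03 vps sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 50214 ssh2
Mar  3 10:00:05 vps sshd[1203]: Failed password for root from 203.0.113.7 port 50218 ssh2
Mar  3 10:00:09 vps sshd[1204]: Failed password for root from 203.0.113.7 port 50220 ssh2
Mar  3 10:00:11 vps sshd[1205]: Failed password for root from 203.0.113.7 port 50222 ssh2
Mar  3 10:01:30 vps sshd[1210]: Failed password for alice from 198.51.100.9 port 41000 ssh2
Mar  3 10:20:00 vps sshd[1240]: Accepted publickey for alice from 198.51.100.9 port 41002 ssh2: ED25519 SHA256:constructed
Mar  3 10:25:00 vps sshd[1250]: Failed password for alice from 198.51.100.9 port 41010 ssh2
"""

# Matches only failed password attempts; "invalid user" is optional because
# sshd inserts it when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_ts(ts, year=2024):
    """Syslog timestamps carry no year; the year is an assumed constant here."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bans(log_text, maxretry=5, findtime=600):
    """Return [(ip, datetime_of_ban)] for every source that reaches `maxretry`
    failed password attempts within a sliding `findtime`-second window."""
    window = timedelta(seconds=findtime)
    hits = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = {}                 # ip -> time of the hit that triggered the ban
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue            # accepted logins and other noise are ignored
        ip = m.group("ip")
        if ip in banned:
            continue            # already banned; later hits change nothing
        ts = parse_ts(m.group("ts"))
        q = hits[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()         # drop failures that fell out of the window
        if len(q) >= maxretry:
            banned[ip] = ts
    return list(banned.items())


def failures_per_ip(log_text):
    """Plain tally of failed attempts per source, useful for a daily glance at the log."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            counts[m.group("ip")] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_AUTH_LOG):
        print(f"ban {ip} at {when:%H:%M:%S}")
    print(failures_per_ip(SAMPLE_AUTH_LOG))
```

With the defaults only 203.0.113.7 is banned (five failures in ten seconds); the two failures from 198.51.100.9 are 23 minutes apart, so they never share a ten-minute window. Lowering `maxretry` or widening `findtime` changes that, which is the tuning trade-off a real jail forces you to make between catching slow scanners and locking out a clumsy colleague.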
MCHPhil hasn't insulted anyone. He is trying to prove that we should not change our SSH port and call it "securing". We are trying to debate logically. You say that changing the port works for you. Why?
How does changing a port make your server "certain to remain... safe and unharmed" (Webster's definition of security)?
Sorry if you feel I have insulted you, I am a firm believer in knowledge. Knowledge is power and spreading uncertain knowledge is not right. What I say is highlighted in many security publications, once again, don't take my word. Look it up.
If you have locked SSH by IP (iptables) and are using SSH keys instead of password, what's the point of using a different port? Once again, as I suggested if you still feel the need. Use port knocking. Then 22 is not listening unless you hit 1029 and then 1543 and then 54003, then 22 is open for 3 seconds.
Once you are using keys, who cares about the bruteforces? Install fail2ban if you're paranoid.
You should never need to change SSH's port.
wat? y u edit post???
:P
^^ Because this was going nowhere.
I would never change my ssh port. SSH keys ftw.
Personally I change my SSH port to 143
Some v useful stuff here. Thanks
Using keys moves the issue to your own local system. If someone else gets (physical) access to the storage media where the keys are stored, you could assume the VPS is compromised.
Keep also in mind that storage media have a limited life. It could already be dead tomorrow.
What if you cannot use SSH keys, cannot whitelist IPs, and do not know who and from where users are logging in (such as a shared environment)? I still think that changing your SSH port is the number one method of preventing automated attacks where you are not specifically targeted.
What is one possible negative impact that can happen when changing your SSH port?
Changing your SSH port is not like changing all the doors in your house with walls, it's like changing all of the doors in your house to look like walls from the outside.
I just noticed this thread is for VPS security so my post is a little less valid. But I'll continue using a non-default port for SSH and sleep better at night because of it.
Amen. I have been using a non-default port for years now and haven't had a single issue. The first thing I do when receiving a new server is to change the default port. Of course changing your default port shouldn't be the only security measures you should take.
If your Git client does not allow non-standard ports. Happened to a friend, he had to switch his server to use defaults.
Most people back up their keys on something like a flash drive that can be readily purchased at most stores for under $10. I personally back them up onto my laptop and an external hard drive.
Security by obscurity isn't something anybody should be following. I don't know why people keep repeating this, but it's not security, and it doesn't secure anything. Yes, I know it's not "the only step," but if you're going to post, please post the other steps.
Personally, take Phil's recommendation. It takes 1 second to find your new SSH port using nmap, it takes even less time to telnet to it and find out that it's an SSH daemon.
I always protect my SSH private keys with a strong passphrase, and back them up in multiple places (but not in the cloud!).
For advanced users, port scanning can be blocked using IPTables. Here are some other IPTables rules that I use (ignore the Asterisk section).
Not if iptables are configured properly.
Any words of wisdom on the maximum length of passwords?
http://www.passwordmeter.com/
https://howsecureismypassword.net/
Sorry if this is naive, but I don't understand your suggestion to use a series of different ports after repetitively telling people not to use a single different port. Isn't port knocking a more complex and extended way of using different ports? How is using three obscure ports rather than one not an example of "security by obscurity"?
I also don't understand your fixation on '22'. If you've set out to use port knocking, why invariably end up on that number?
Actually, actively scanning your logs is a must.
I think ppl changing the port number gives them a warm fuzzy feeling!
Because all 3 ports appear to be closed, and the default SSH and SFTP port (22) would appear to be closed as well. It's not security by obscurity because from an external point of view, there aren't any open ports to attempt to connect to / brute force. In addition, the combination of 3 ports (1-65535) would be very difficult to brute force in correct sequence. The 3 ports configured appear closed, and must have connection attempts done in the correct sequence. This makes for a massive list of combinations (roughly 65535^3 = ~281 trillion) and makes BF attempts impractical. Even if this combination of ports were to be guessed/brute-forced, other security measures are still in place (key auth) and it'll still be very hard for an attacker to successfully guess log-in credentials.
It's an extra layer of security, not obscurity.
Then we have to go inside through the window? :O
Indeed, that's pretty much what defines all security, various layers of complexity that reduce the chance of someone unauthorised gaining access. SSH key and whitelisting IP is enough for me, seems like there's enough complexity there in itself. 2^160 at least. Over a network, pretty damn hard to brute force.
Yeah, I understand that. Wasn't looking for an expository/technical answer, I was saying I didn't understand (conceptually) how port knocking is not a form of 'security by obscurity'.
In what sense is an extra layer of security not an extra layer of obscurity? Requiring three different/unpredictable ports prior to 22 is exactly an extra layer of obscurity.
Right, and that's because they are obscured from external points of view...
Wikipedia has a rather good, unbiased page on the differences.
Ironically this is what many Linux users do when they don't scan their systems for viruses - saying that there is a rarity of viruses for Linux and that only Windows need worry.
You can change SSH to whatever port you like, but the port will still have to be open in the firewall. With Phil's suggestion, all ports appear closed from an external point of view. While I understand that you think this is simply obscuring the ports, the phrase, "Security through obscurity," actually implies, in my opinion, "Security solely through obscurity." Port knocking does not solely rely on obscurity, while changing the SSH port does, because that layer is easily vulnerable to becoming discovered (attacker discovers port number). As mentioned by another poster, security is about adding layers, and if you want to generalize, yes these layers consist of obscurity.
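The port-knocking scheme Phil described earlier (hit 1029, then 1543, then 54003, and 22 opens for three seconds) and the "all ports appear closed" argument in the post above, as an added simulation that is not code from the thread or from any knocking daemon: a small state machine that tracks each source's progress through the knock sequence, opens port 22 for that source for a short window after the full sequence, and drops everything else. The packet timings, addresses, the ten-second limit between knocks and the `Packet` record are constructed assumptions; a real deployment keeps this state in the firewall (for example the iptables `recent` module or a daemon such as knockd) rather than in Python.

```python
from collections import namedtuple

KNOCK_SEQUENCE = (1029, 1543, 54003)  # the sequence quoted in the thread
SSH_PORT = 22
OPEN_WINDOW = 3.0     # seconds port 22 stays reachable after a correct sequence
KNOCK_TIMEOUT = 10.0  # assumed: maximum seconds allowed between two knocks

# One inbound SYN: arrival time (seconds), source address, destination port.
Packet = namedtuple("Packet", "t src dport")


class KnockDaemon:
    """Per-source knock tracker. Every port looks closed from outside until
    the exact sequence has been sent, and only to the source that sent it."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=OPEN_WINDOW, timeout=KNOCK_TIMEOUT):
        self.sequence = sequence
        self.window = window
        self.timeout = timeout
        self.progress = {}  # src -> (index of next expected knock, time of last knock)
        self.opened = {}    # src -> time until which port 22 accepts that source

    def observe(self, pkt):
        """Return 'accept' (SSH reachable), 'knock' (sequence completed) or 'drop'."""
        if pkt.dport == SSH_PORT:
            if self.opened.get(pkt.src, float("-inf")) >= pkt.t:
                return "accept"
            return "drop"       # closed to everyone who has not knocked recently

        idx, last = self.progress.get(pkt.src, (0, pkt.t))
        if pkt.t - last > self.timeout:
            idx = 0             # sequence went stale; start over

        if pkt.dport == self.sequence[idx]:
            idx += 1
            if idx == len(self.sequence):
                self.opened[pkt.src] = pkt.t + self.window
                self.progress.pop(pkt.src, None)
                return "knock"
            self.progress[pkt.src] = (idx, pkt.t)
        else:
            # Any other port resets progress, so a scanner sweeping ports in
            # order passes through 1029 and is reset by 1030 before 1543.
            self.progress.pop(pkt.src, None)
        return "drop"


def simulate(packets, daemon=None):
    """Run a packet trace through one daemon and return the decision per packet."""
    daemon = daemon or KnockDaemon()
    return [daemon.observe(p) for p in packets]


def knock_search_space(length=len(KNOCK_SEQUENCE), ports=65535):
    """Number of ordered port sequences an attacker would have to try blind."""
    return ports ** length


if __name__ == "__main__":
    legit = [Packet(0.0, "198.51.100.9", 1029), Packet(1.0, "198.51.100.9", 1543),
             Packet(2.0, "198.51.100.9", 54003), Packet(3.5, "198.51.100.9", 22),
             Packet(7.0, "198.51.100.9", 22)]
    print(simulate(legit))
    scan = [Packet(0.1, "203.0.113.7", p) for p in (22, 1029, 1030, 1543, 54003, 22)]
    print(simulate(scan))
    print(f"{knock_search_space():,}")
```

The legitimate trace ends with a connect at 3.5 s that is accepted and one at 7 s that is dropped, because the window closed at 5 s; the in-order scan never opens anything, and a source that pauses longer than the timeout between knocks has to start again. `knock_search_space()` reproduces the 65535^3 figure from the earlier post (281,462,092,005,375 ordered sequences), which is the point of that post: the knock is a secret with a real search space, on top of which key authentication still applies.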