Bah, it's a minor security feature too - no harm in avoiding a whole swathe of automated attacks - providing this kind of measure doesn't give you any admin overhead I think "additional security through a little obscurity" is under-rated.
Replying to @SonOfSunTzu @quentynblog and
If you are already following good security practices (e.g. using keypair authentication), then moving to a different port will accomplish exactly nothing in terms of security. No, it isn't even a minor security feature.
Replying to @joepie91 @SonOfSunTzu and
(And if you *aren't* following good security practices, then *at best* it delays the inevitable moment that your box gets popped by a few days.)
Replying to @joepie91 @quentynblog and
Good security practices such as keypair authentication generally help, but if there's an issue with the SSH daemon itself, you will avoid any scattergun attacks by being on a non-standard port. Also, your threat model assumes a determined attacker, which isn't always the case.
Replying to @SonOfSunTzu @quentynblog and
No, you won't. SSH scans haven't been limited to port 22 for a few years now, so you'll still get hit by automated scans; just less of them.
Replying to @cybergibbons @SonOfSunTzu and
But "a lot less" doesn't matter if compromise is still inevitable, that's my point. Whether it takes 5 days or 10 days, you're still pwnt.
Replying to @joepie91 @SonOfSunTzu and
I don't understand why. You would need my private key and then further priv esc for that to happen.
Replying to @cybergibbons @SonOfSunTzu and
I'm assuming an improperly secured system, e.g. using a trivially bruteforceable password. If you're using a strong randomly generated password or keypair authentication, then the entire discussion is moot because your system won't be pwned on port 22 either.
Replying to @joepie91 @cybergibbons and
Either way, moving your SSHd to a different port does not produce any meaningful difference in susceptibility to attacks. It's rearranging the deck chairs on the Titanic.
Let's say an SSHd 0day comes out tomorrow. All the vuln scanners will be targeting port 22 at first, because that's where they're guaranteed to get hits. Sure, the more obscure ports will get scanned eventually, but that at least gives you more time to patch.
Replying to @David3141593 @cybergibbons and
Given how fast it is to do an address-space-wide scan on all ports nowadays, the time difference is absolutely not going to matter.
Replying to @joepie91 @David3141593 and
Again, not sure if I agree. I have left services running on non-standard ports and they went months between being fingerprinted. Port scans might be easy and quick. Fingerprinting every service, not really.
End of conversation