This is a mirror of official site: http://jasper-net.blogspot.com/

Changing The SSH Port Without Changing It

Friday, June 18, 2010
For years, on security forums and mailing lists, if you ever dared to suggest changing SSH’s default port (TCP 22) the “security by obscurity” crowd would come out of the woodwork and nail your ass to the Cross of Righteousness for having the unmitigated gall to even dare utter such heretical nonsense.

Unfortunately for these dogmatic True Believers, changing the ssh daemon’s default listening port is such an incredibly effective method for shedding automated ssh scans and brute-force password attacks that it’s starting to show up in HOWTO security articles as a method for hardening your system.

For example, see this article at Linux Magazine.

But the Port 22 Crowd will not leave well enough alone.  Although they haven’t abandoned the “security by obscurity” mantra completely, they’re now using the following argument with increasing frequency:

NEVER CHANGE YOUR SSH PORT! If an exploit comes out that can crash SSH locally, a local unprivileged user on your system could crash SSH and start their own daemon on the SSH port > 1024 and capture your usernames and passwords. If you want SSH on a different port, do this with firewall rules.
Note that ALL CAPS is required when raising this alarm.

Also note that if you require users to connect with SSH in the first place, it’s not going to do them a helluva lot of good to crash SSH. (To give the scenario its due: an attacker who already has a shell keeps it when the listening sshd dies, since each session runs in its own forked process, and the fake daemon they bind on the high port cannot read the root-only host private key, so returning users get a host-key-changed warning instead of a silent credential capture, provided they don’t click through it.) If you have users who actually sit down at the keyboard of the physical system, that’s another problem entirely. Why bother with crashing SSH when they can slip a bootable CD into the tray and bounce the box?
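The quoted argument ends with “do this with firewall rules”, and that is the only part of it worth keeping: on Linux, binding a port below 1024 needs root or CAP_NET_BIND_SERVICE, so if sshd stays on 22 and the firewall rewrites an external high port to 22, an unprivileged user can crash sshd all day and still never bind its port, while scanners knocking on 22 get nothing. The script below is an added example, not code from the original post or from any linked article. It emits an nftables ruleset for that redirect and warns if sshd_config itself has been moved off 22 (which would reintroduce the unprivileged-bind problem). The public port 2222, the interface name eth0 and the sshd_config path are assumptions; adjust them for your host.

```shell
#!/bin/sh
# Added example (not from the original post): keep sshd listening on TCP 22 and
# expose it on a high port via an nftables redirect. sshd never moves, so the
# listener stays on a privileged port that an unprivileged local user cannot bind.
# SSH_PUBLIC_PORT, WAN_IF and the default config path are assumptions.

SSH_PUBLIC_PORT="${SSH_PUBLIC_PORT:-2222}"   # assumed public-facing port
WAN_IF="${WAN_IF:-eth0}"                      # assumed external interface

# valid_public_port PORT -> 0 if PORT is an unprivileged TCP port other than 22
valid_public_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or not purely numeric
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ] && [ "$1" -ne 22 ]
}

# sshd_listen_ports FILE -> prints every "Port N" value in an sshd_config
# (the directive is case-insensitive and may repeat); sshd defaults to 22.
sshd_listen_ports() {
    ports=$(awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2 }' "$1")
    if [ -n "$ports" ]; then printf '%s\n' "$ports"; else echo 22; fi
}

# sshd_still_on_22 FILE -> 0 if sshd would listen only on 22, which is the
# state this redirect approach relies on.
sshd_still_on_22() {
    for p in $(sshd_listen_ports "$1"); do
        [ "$p" -eq 22 ] || return 1
    done
    return 0
}

# nft_redirect_ruleset PORT IFACE -> prints an nftables fragment that
#  - rewrites inbound TCP PORT on IFACE to 22 before routing (sshd stays put)
#  - accepts TCP 22 on IFACE only when the connection was originally addressed
#    to PORT (conntrack keeps the pre-NAT destination), and drops direct hits on 22
nft_redirect_ruleset() {
    port="$1"; iface="$2"
    cat <<EOF
table inet ssh_redirect {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "$iface" tcp dport $port redirect to :22
    }
    chain input {
        type filter hook input priority filter; policy accept;
        iifname "$iface" tcp dport 22 ct original proto-dst $port accept
        iifname "$iface" tcp dport 22 drop
    }
}
EOF
}

# main [SSHD_CONFIG] -> validates the chosen port, warns if sshd_config moved
# sshd off 22, then prints the ruleset (pipe it into: nft -f -)
main() {
    if ! valid_public_port "$SSH_PUBLIC_PORT"; then
        echo "refusing: $SSH_PUBLIC_PORT is not an unprivileged port other than 22" >&2
        return 1
    fi
    cfg="${1:-/etc/ssh/sshd_config}"   # assumed default path
    if [ -r "$cfg" ] && ! sshd_still_on_22 "$cfg"; then
        echo "warning: $cfg moves sshd off port 22; with this redirect it should stay on 22" >&2
    fi
    nft_redirect_ruleset "$SSH_PUBLIC_PORT" "$WAN_IF"
}

main "$@"
```

Run it as `SSH_PUBLIC_PORT=2222 WAN_IF=eth0 sh ssh-redirect.sh | sudo nft -f -` and merge the two chains into your existing ruleset rather than loading them beside a firewall that already has input or nat hooks. The `ct original proto-dst` match is what closes the obvious hole: without it, port 22 would still answer directly and the scanners you were trying to shed would find it anyway.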

Read more: Hinky's Proxy obsession
