Re: [LUG] Why you should not have ssh on port 22.

 

On Tue, Feb 10, 2015 at 09:28:20PM +0300, simon@xxxxxxxxxxxxxx wrote:
> Root port issue is a bit of a red herring.
> 
> You identify SSH servers by the server fingerprint, if this has changed either
> it's been reinstalled or hacked. This applies whichever port it runs on.

Indeed. SSH's private keys are readable by root only, so if an attacker
has a) access to the machine running sshd and b) is able to stop/crash
the sshd daemon, they still can't intercept traffic without raising
serious suspicion.

As others have said before, security by obscurity has its time and
place, but running sshd on a non-standard port is rarely ever a good
idea.

Martijn.


-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
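
The fingerprint comparison discussed in this thread, as an added example that is not part of the original messages: it computes an OpenSSH-style SHA256 fingerprint and checks an offered host key against a pinned known_hosts entry, showing that the check works the same on any port. The host name `lug.example.org`, port 2222 and the key blobs are constructed placeholders, and the sketch assumes plain (unhashed) known_hosts entries.

```python
import base64
import hashlib
import struct


def make_blob(seed: bytes) -> str:
    """Build a constructed (not real) ssh-ed25519 public key blob, base64-encoded."""
    key_type = b"ssh-ed25519"
    raw_key = hashlib.sha256(seed).digest()  # 32 placeholder bytes, not a usable key
    blob = struct.pack(">I", len(key_type)) + key_type
    blob += struct.pack(">I", len(raw_key)) + raw_key
    return base64.b64encode(blob).decode()


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_pattern(host: str, port: int) -> str:
    """known_hosts names a non-default port as [host]:port, port 22 as plain host."""
    return host if port == 22 else f"[{host}]:{port}"


def check_host_key(known_hosts: str, host: str, port: int, key_type: str, offered: str) -> str:
    """Return 'match', 'changed' or 'unknown' for the key a server offers."""
    wanted = host_pattern(host, port)
    seen_entry = False
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or line.startswith(("#", "@")):
            continue  # skip blanks, comments and marker lines (@revoked, @cert-authority)
        hosts, ktype, blob = fields[:3]
        if wanted in hosts.split(",") and ktype == key_type:
            seen_entry = True
            if fingerprint(blob) == fingerprint(offered):
                return "match"
    return "changed" if seen_entry else "unknown"


# Constructed sample data: one pinned key for a server listening on port 2222.
PINNED = make_blob(b"original host key")
OTHER = make_blob(b"key after reinstall or compromise")
KNOWN_HOSTS = f"[lug.example.org]:2222 ssh-ed25519 {PINNED}\n"

if __name__ == "__main__":
    print(check_host_key(KNOWN_HOSTS, "lug.example.org", 2222, "ssh-ed25519", PINNED))
    print(check_host_key(KNOWN_HOSTS, "lug.example.org", 2222, "ssh-ed25519", OTHER))
```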