05-27-2016, 09:59 PM
Port 22 for SSH - Is it a good or bad idea to use port 22 for SSH?
A while ago I read an article explaining why using port 22 for SSH is a bad idea. The article basically explained that people like to use a different port than the standard port 22 for SSH for the sake of security through obscurity. Humans and scripts alike automatically guess that SSH is listening on port 22, as that is typically the default. This makes sense; however, there are some pros and cons to all of this, as suggested by a response article that explained using a port besides port 22 for SSH is, in fact, a good idea. I found these two articles intriguing enough to share with the community, so here they are with some added commentary from myself.
People often set their listening port(s) to non-privileged ports since people like to throw their SSH port somewhere totally random, often above port 1024, a non-privileged port (anything that is 1024 or lower is privileged). The article claiming that ports besides port 22 are a bad idea explains that "when we start SSH on port 22, we know for a fact that this is done by root or a root-process since no other user could possibly open that port. But what happens when we move SSH to port 2222? This port can be opened without a privileged account, which means I can write a simple script that listens to port 2222 and mimics SSH in order to capture your passwords. And this can easily be done with simple tools commonly available on every linux system/server. So running SSH on a non-privileged port makes it potentially LESS secure, not MORE. You have no way of knowing if you are talking to the real SSH server or not. This reason, and this reason alone makes it that you should NEVER EVER use a non-privileged port for running your SSH server."
Besides this, other things are brought up; for example, if a 0-day is suddenly released and exploited in the wild, people could attack servers at random with an automated script. These scripts probably won't take the time to scan absolutely every single random IP, so they may just assume that SSH is listening on port 22. If we choose to not use port 22 just for this reason, even though it is security through obscurity, it is still very effective. The writer who was defending ports other than 22 went on to describe an examination of his own; he explains that "just to see what would happen, [he] tried to gather some actual data on this and ran two SSH ports for a few days. The result was something like 5 connections on the non-standard port, compared to tens of thousands on 22. Now imagine there’s a new SSH zero-day out, and ask yourself which config is more likely to get popped."
Besides this, both the articles bring up some other interesting points like port knocking (another interesting infosec-related thing that is worth looking into if you own a server of your own).
An easy solution for pretty much all issues on both sides is to just use a privileged port like 789 to listen for SSH connections on; this port is a privileged port since it is less than 1024, and it is not port 22 - the best of both worlds.
Overall, I found both articles very interesting. I encourage everyone to read them in the order that they are presented in below!
References:
- Why putting SSH on another port than 22 is bad idea: https://www.adayinthelifeof.nl/2012/03/1...-bad-idea/
- Why Putting SSH On Another Port is a Good Idea: https://danielmiessler.com/blog/putting-...good-idea/
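The privileged-port argument above can be checked on a host by looking at which UID owns the listening socket on the SSH port. The following is an added example, not code from the post or from either referenced article; it parses the Linux `/proc/net/tcp` layout, and the sample data, the function names and the result labels are constructed for illustration.

```python
"""Audit listening TCP sockets: which UID owns each port (Linux /proc/net/tcp layout)."""

PRIVILEGED_BELOW = 1024  # Linux default: binding a lower port needs root or CAP_NET_BIND_SERVICE
TCP_LISTEN = "0A"        # state code for LISTEN in /proc/net/tcp

# Constructed sample (not captured from a real host): port 22 (0x0016) and
# port 789 (0x0315) owned by uid 0, port 2222 (0x08AE) owned by uid 1001,
# plus one ESTABLISHED (01) connection that must be ignored.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0315 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20002 1 0000000000000000 100 0 0 10 0
   2: 00000000:08AE 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 20003 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 20004 1 0000000000000000 20 4 30 10 -1
"""


def listeners(proc_net_tcp):
    """Return sorted [(port, uid)] for every socket in LISTEN state."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:       # skip the header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != TCP_LISTEN:
            continue
        port = int(fields[1].rsplit(":", 1)[1], 16)  # local_address is HEXIP:HEXPORT
        found.append((port, int(fields[7])))         # column 7 is the owning uid
    return sorted(found)


def audit(proc_net_tcp, ssh_port):
    """Classify the port that sshd is supposed to be listening on."""
    owners = [uid for port, uid in listeners(proc_net_tcp) if port == ssh_port]
    if not owners:
        return "no-listener"
    if any(uid != 0 for uid in owners):
        return "non-root-listener"           # an unprivileged account holds the port
    if ssh_port >= PRIVILEGED_BELOW:
        return "root-on-unprivileged-port"   # any local user could bind it while sshd is down
    return "root-on-privileged-port"


if __name__ == "__main__":
    for p in (22, 789, 2222):
        print(p, audit(SAMPLE, p))
```

On a live host, pass the contents of `/proc/net/tcp` (and `/proc/net/tcp6`, which uses the same columns) instead of `SAMPLE`.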