[Ach] Feedback to applied-crypto-hardening.pdf - Webservers - OpenSSH

Sam Bull ucxwps at sambull.org
Fri Dec 22 14:47:19 CET 2017


On Fri, 2017-12-22 at 13:32 +0100, Sebastian wrote:
> On 12/22/2017 01:02 PM, Alice Wonder wrote:
> > On 12/22/2017 03:57 AM, Torge Riedel wrote:
> > > Maybe there is one hint to offer in the guide: Change the port of sshd
> > > to somewhat else than 22. I observed massive reduction of sshd attacks
> > > on my servers after changing the port.
> > Indeed, that's fairly standard. Wasn't aware it wasn't in the guide.
> Because it's not cryptography.

I was also under the impression that these reserved ports were better protected
by the OS, and that changing to a non-standard port could actually result in
reducing security.

A very quick Google seems to agree with what I remember, e.g.
https://www.adayinthelifeof.nl/2012/03/12/why-putting-ssh-on-another-port-than-22-is-bad-idea/

Leaving it on the default port ensures the OS will be doing everything it can to
protect it. Changing it might reduce the number of random brute force attempts
(but these are not going to succeed if you've secured your system anyway), but
might make your server more vulnerable to an actual targeted attack (which is
significantly more likely to succeed).
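The "reserved ports are protected by the OS" point above, as an added example that is not part of this thread or of the ACH guide: on Linux and the BSDs a TCP port below 1024 can only be bound by root (or, on Linux, a process holding CAP_NET_BIND_SERVICE), so if sshd listens on a high port and is ever stopped or crashes, any unprivileged local user can bind that port and present their own "sshd" to incoming clients. The script parses the active `Port` directives of an sshd_config (the sample file is constructed for this example), classifies each one, and offers a bind probe so you can see the OS refuse a low port when run as a normal user. The 1024 threshold is the default; on Linux it is the sysctl `net.ipv4.ip_unprivileged_port_start`, which an administrator may have changed.

```python
import re
import socket
from dataclasses import dataclass
from typing import List, Optional

# Default privileged-port boundary on Linux/BSD. On Linux this is the
# sysctl net.ipv4.ip_unprivileged_port_start (assumed unchanged here).
PRIVILEGED_PORT_LIMIT = 1024

# Constructed sshd_config fragment for this example, not a real server's file.
SAMPLE_SSHD_CONFIG = """\
# hypothetical sshd_config
Port 22
#Port 2222
ListenAddress 0.0.0.0
Port 22222
Match Address 10.0.0.0/8
    PasswordAuthentication no
"""


@dataclass
class PortFinding:
    port: int
    privileged: bool
    note: str


def parse_listen_ports(config_text: str) -> List[int]:
    """Return every active (uncommented) 'Port' directive in order.

    sshd accepts several Port lines and listens on all of them; with none,
    it listens on 22. Keywords are case-insensitive and 'Port=22' is valid.
    """
    ports: List[int] = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^port(?:\s+|\s*=\s*)(\d+)$", line, re.IGNORECASE)
        if m:
            ports.append(int(m.group(1)))
    return ports or [22]


def assess_ports(config_text: str,
                 limit: int = PRIVILEGED_PORT_LIMIT) -> List[PortFinding]:
    """Classify each listening port by who may bind it if sshd is not running."""
    findings = []
    for port in parse_listen_ports(config_text):
        if port < limit:
            findings.append(PortFinding(
                port, True,
                "privileged: only root/CAP_NET_BIND_SERVICE can bind it"))
        else:
            findings.append(PortFinding(
                port, False,
                "unprivileged: any local user can bind it while sshd is down "
                "and impersonate the server to connecting clients"))
    return findings


def try_bind(port: int, host: str = "127.0.0.1") -> Optional[str]:
    """Probe a TCP bind; None on success, else the OS error text.

    Run as a normal user, try_bind(22) reports 'Permission denied' while
    try_bind(22222) succeeds (unless something already listens there).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        s.bind((host, port))
        return None
    except OSError as e:
        return e.strerror or str(e)
    finally:
        s.close()


if __name__ == "__main__":
    for f in assess_ports(SAMPLE_SSHD_CONFIG):
        print(f"Port {f.port}: {f.note}")
        err = try_bind(f.port)
        print(f"  bind probe as current user: {'ok' if err is None else err}")
```

Point it at a real file with `assess_ports(open('/etc/ssh/sshd_config').read())`; any finding with `privileged == False` is a port that a compromised or merely curious local account could take over during an sshd outage, which is the trade-off the thread is weighing against fewer log entries from scanners.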