[Ach] Feedback to applied-crypto-hardening.pdf - Webservers - OpenSSH

Alice Wonder alice at librelamp.com
Fri Dec 22 15:20:48 CET 2017


On 12/22/2017 05:47 AM, Sam Bull wrote:
> On Fri, 2017-12-22 at 13:32 +0100, Sebastian wrote:
>> On 12/22/2017 01:02 PM, Alice Wonder wrote:
>>> On 12/22/2017 03:57 AM, Torge Riedel wrote:
>>>> Maybe there is one hint to offer in the guide: Change the port of sshd
>>>> to something other than 22. I observed a massive reduction of sshd attacks
>>>> on my servers after changing the port.
>>> Indeed, that's fairly standard. Wasn't aware it wasn't in the guide.
>> Because it's not cryptography.
>
> I was also under the impression that these reserved ports were better protected
> by the OS, changing to a non-standard port could actually result in reducing
> security.
>
> A very quick Google seems to agree with what I remember, e.g.
> https://www.adayinthelifeof.nl/2012/03/12/why-putting-ssh-on-another-port-than-22-is-bad-idea/
>
> Leaving it on the default port ensures the OS will be doing everything it can to
> protect it. Changing it might reduce the number of random brute force attempts
> (but these are not going to succeed if you've secured your system anyway), but
> might make your server more vulnerable to an actual targeted attack (which is
> significantly more likely to succeed).
>

The only thing the OS does to protect it is run it on a port below 1024.

In the event the sshd daemon crashed and a user on the system started a
fake service, the fingerprint wouldn't match and users/apps trying to
connect would be alerted.
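As an added illustration of the second point in the message above (example code written for this archive page, not from the list thread or from the Applied Crypto Hardening guide): the host-key check is what alerts a client when a rogue process answers on sshd's port. The script below builds the SHA256 fingerprint exactly as `ssh-keygen -lf` does (unpadded base64 of the SHA-256 of the wire-format key blob) and compares a presented key against a `known_hosts` entry. The host name `server.example.internal`, the two Ed25519 key bodies (plain byte patterns, not real keys) and the `known_hosts` text are all constructed for the demo; the `known_hosts` parser is simplified to plain, unhashed host names.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def build_ed25519_pubkey_line(raw_key: bytes, comment: str = "") -> str:
    """Build an OpenSSH public-key line ('ssh-ed25519 <base64> [comment]').

    raw_key is the 32-byte key body; for this demo it is a constructed
    byte pattern, not a real key, which is fine because fingerprinting
    only hashes the encoded blob.
    """
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_key)
    line = "ssh-ed25519 " + base64.b64encode(blob).decode()
    return line + (" " + comment if comment else "")


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint in OpenSSH's display form: 'SHA256:' + unpadded base64."""
    _key_type, b64, *_rest = pubkey_line.split()
    blob = base64.b64decode(b64)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map host name -> 'keytype base64' for plain (unhashed) known_hosts lines.

    Simplified: ignores @marker lines, hashed '|1|' host names and [host]:port forms.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        hosts, key_type, b64, *_comment = line.split()
        for host in hosts.split(","):
            entries[host] = f"{key_type} {b64}"
    return entries


def verify_host_key(known_hosts: str, host: str, presented_line: str) -> str:
    """Return 'ok' if the presented key matches the pinned one, 'mismatch' if a
    different key is offered for a known host, 'unknown' if the host is not pinned."""
    entries = parse_known_hosts(known_hosts)
    if host not in entries:
        return "unknown"
    if fingerprint(entries[host]) == fingerprint(presented_line):
        return "ok"
    return "mismatch"


if __name__ == "__main__":
    # Constructed demo material: the real sshd's key and a rogue service's key.
    legit_key = build_ed25519_pubkey_line(bytes(range(32)), "root@server")
    rogue_key = build_ed25519_pubkey_line(bytes(range(32, 64)), "rogue")
    known_hosts = "server.example.internal " + legit_key

    print("pinned  :", fingerprint(legit_key))
    print("offered :", fingerprint(rogue_key))
    # The client compares fingerprints, not port numbers: a rogue listener
    # on the same port is caught here, which is the alert the message describes.
    print("legit sshd ->", verify_host_key(known_hosts, "server.example.internal", legit_key))
    print("rogue sshd ->", verify_host_key(known_hosts, "server.example.internal", rogue_key))
```

The `mismatch` result corresponds to OpenSSH's "REMOTE HOST IDENTIFICATION HAS CHANGED" warning; the `unknown` result is the first-connection prompt, which is the one case where a rogue listener would not be caught, so pinning the fingerprint out of band before the first connection is what makes the check meaningful.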

