[Ach] Feedback to applied-crypto-hardening.pdf - Webservers - OpenSSH

Alice Wonder alice at librelamp.com
Sat Dec 23 14:01:44 CET 2017


On 12/23/2017 03:19 AM, Torge Riedel wrote:
> Am 22.12.2017 um 14:47 schrieb Sam Bull:
>> I was also under the impression that these reserved ports were better
>> protected by the OS, changing to a non-standard port could actually
>> result in reducing security.
>>
>> A very quick Google seems to agree with what I remember, e.g.
>> https://www.adayinthelifeof.nl/2012/03/12/why-putting-ssh-on-another-port-than-22-is-bad-idea/
>>
>> Leaving it on the default port ensures the OS will be doing everything
>> it can to protect it. Changing it might reduce the number of random
>> brute force attempts (but these are not going to succeed if you've
>> secured your system anyway), but might make your server more vulnerable
>> to an actual targeted attack (which is significantly more likely to
>> succeed).
>
> Thanks, good point. Never thought in that way about it.
>
> I will change back to standard port and see what. Since I followed the
> nice guide, my server should be protected.

A standard port does not increase security over a custom one.

You can only trust an SSH connection if the fingerprint matches what
your client already trusts.

A fake SSH server running on a high number port will not be able to
produce the same fingerprint unless it has access to the real private
key, in which case it is game over anyway.

The port it runs on neither increases nor decreases the security of the
daemon; it's the security of the private key that matters, and the
server fingerprint is what you need to examine when determining if your
connection is valid or not.

When the fingerprint changes, users need to verify the change is valid
before blindly trusting the new fingerprint, regardless of the port.
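As an added illustration (not part of this thread), a small Python check of the point above: a client trusts a server only if the presented host key's fingerprint equals the one already recorded in known_hosts, and the port merely selects which known_hosts name is looked up (OpenSSH stores non-22 ports as `[host]:port`). The host names, key bytes and salt are constructed placeholders, not real host keys.

```python
import base64
import hashlib
import hmac
import struct

def ssh_ed25519_blob(raw32: bytes) -> bytes:
    # Wire-format public key blob: string "ssh-ed25519", then the 32 raw key bytes as a string.
    return struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32

def fingerprint_sha256(blob: bytes) -> str:
    # OpenSSH style: "SHA256:" + unpadded base64 of sha256(blob), as ssh-keygen -lf prints it.
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def hashed_host_field(name: str, salt: bytes) -> str:
    # HashKnownHosts form: "|1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=name))".
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_field_matches(field: str, name: str) -> bool:
    if field.startswith("|1|"):  # hashed entry: recompute with the stored salt and compare
        salt = base64.b64decode(field.split("|")[2])
        return hmac.compare_digest(hashed_host_field(name, salt), field)
    return name in field.split(",")  # plain entry: comma-separated list of names

def trusted_fingerprint(known_hosts: str, host: str, port: int):
    # OpenSSH records a non-standard port as "[host]:port"; port 22 is recorded as the bare name.
    name = host if port == 22 else f"[{host}]:{port}"
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):  # comments, @cert-authority, @revoked
            continue
        if host_field_matches(parts[0], name):
            return fingerprint_sha256(base64.b64decode(parts[2]))
    return None

def check_host_key(known_hosts: str, host: str, port: int, presented: bytes) -> str:
    # The verdict depends only on whether the presented key's fingerprint is the trusted one.
    trusted = trusted_fingerprint(known_hosts, host, port)
    if trusted is None:
        return "unknown"  # first contact: verify the fingerprint out of band before accepting it
    return "match" if trusted == fingerprint_sha256(presented) else "mismatch"

# Constructed sample data: arbitrary bytes stand in for the real server's key (not a real host key).
REAL_KEY = ssh_ed25519_blob(bytes(range(32)))
_REAL_B64 = base64.b64encode(REAL_KEY).decode()
KNOWN_HOSTS = "\n".join([
    "example.org ssh-ed25519 " + _REAL_B64,           # default port 22
    "[example.org]:2222 ssh-ed25519 " + _REAL_B64,    # same host after moving sshd to port 2222
    hashed_host_field("backup.example.org", b"s" * 20) + " ssh-ed25519 " + _REAL_B64,
])
```

A server presenting any other key yields "mismatch" on port 22 and on 2222 alike, which is the warning OpenSSH shows when a host key changes.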
