$_ BSDHowTo.ch
How To... Why not..? Scripts RSS logo

Why not move SSH (or other services) to another port?

Last update: 2018-08-17

TL;DR

Moving services, e.g. SSH, to another TCP port than the default one is security by obscurity. In the short term this prevents attacks. But the attackers will not take long to find out that your service is listening to another port.

Introduction

The other day I had a short discussion on Twitter about moving SSH to a non-default TCP port in order to prevent attacks. The arguments of the other guy were:

I had the same discussion before with other people. The arguments from these people were more or less the same. That is why I’ve decided to write this post about why moving services to nondefault ports does not improve security.

Too many IPs to block

If you try to block all the attackers by hand, this is true. But as a responsible admin of one or more systems you know about the tools you can use to automate this. A popular one is fail2ban, but there are others too. The basic functionality of these tools is to monitor the logfiles for suspect events and block involved IPs automatically if such events are detected. You can achieve the same by writing a small shell script that scans the logfiles, extract the IPs and hands them over to the firewall for blocking.

Attacks stop immediately

Obviously, because you have changed the port. But what happens in one day, one week, one month from now? Rather sooner than later the port scanners will detect the new port SSH is listening too. Sure, you will see fewer attacks than before, but most of the attackers are no longer just stupid bots. The amount of attacks doesn’t tell you anything about the quality of the attacks. You might even become a special interest target because it looks like you have something to hide…

Moving is a common recomondation

Yes, it is. But being common is no guarantee that a recommondation is (still) good advice. Maybe it was good advice at some time in the past. Maybe it was always bad advice, but people spread it anyway. A lot of hits in the search engine you trust is not a guarantee for good advice. You should always check if the advice you want to follow comes from a source you can trust.

All TCP ports are reachable from everywhere

This assumption was true in the early days of Internet, when few hosts were connected to it and the users knew each other. These days are long gone. Today the firewalls in companies and public institutions block outgoing traffic as restrictive as incomming one. Usually you can use few services on known ports. Any connections to high ports are blocked.

Port scanning takes too long

If the required time to scan all 65535 ports would go towards infinity you would be right. But this is by far not the case. There are port scanners active all the time and some of them publish their findings as searchable databases in the web: https://www.shodan.io/

All attackers are stupid bots

You increae your chance to attract other attackers than stupid bots by moving your service to a different port. Attackers use Google too and know that moving a service to a different port is a common advice. And because it is so quick and easy to do people tend to forget about other security measures, making these systems easy targets. All moving to a different port doesn’t help you if you allow login as root with the password 12345 on your SSH server!

Outro

Security hurts. Security costs. Either money or comfort, but usually both. If your security action is for free and comfortable it is useless. If you have read this post and think: “This is all complete bullshit!” I ask you to run as amny servers on the Internet as you can afford. The more easy targets are available out there the less attacks my systems have to face. Thank you!