$_ BSDHowTo.ch

Why not move SSH (or other services) to another port?

Last update: 2021-07-18

TL;DR

Moving services, e.g. SSH, to a TCP port other than the default one is security by obscurity. In the short term it prevents attacks. But it will not take the attackers long to find out that your service is listening on another port.

Introduction

The other day I had a short discussion on Twitter about moving SSH to a non-default TCP port in order to prevent attacks. The arguments of the other guy were the ones I go through below, one per section.

I have had the same discussion before with other people. Their arguments were more or less the same. That is why I’ve decided to write this post about why moving services to non-default ports does not improve security.

Too many IPs to block

If you try to block all the attackers by hand, this is true. But as the responsible admin of one or more systems you know the tools you can use to automate this. A popular one is fail2ban, but there are others too. The basic function of these tools is to monitor the log files for suspicious events and to block the IPs involved automatically when such events are detected. You can achieve the same with a small shell script that scans the log files, extracts the IPs and hands them over to the firewall for blocking (see the Sample script).
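As an added illustration of that idea (this is not the site's sample script), here is a small POSIX shell script that counts failed-login events per source address in sshd log lines and turns the repeat offenders into pfctl commands. It assumes a pf table named bruteforce exists in pf.conf (table <bruteforce> persist, with a block rule referencing it) and that the log lines follow the usual OpenSSH syslog format; the log lines embedded below are constructed for an offline run.

```shell
#!/bin/sh
# Added example, not the site's own script: pick out addresses with repeated
# failed SSH logins and hand them to a pf table.
# Assumptions (hypothetical): a table named "bruteforce" is defined in pf.conf:
#   table <bruteforce> persist
#   block in quick from <bruteforce>
THRESHOLD="${THRESHOLD:-3}"     # failed events per IP before it is blocked
TABLE="${TABLE:-bruteforce}"    # pf table that receives the addresses

# Constructed sample sshd log lines (documentation addresses only).
SAMPLE_LOG='Jul 18 10:01:02 host sshd[1234]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jul 18 10:01:04 host sshd[1234]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jul 18 10:01:05 host sshd[1235]: Invalid user admin from 203.0.113.7 port 51240
Jul 18 10:02:11 host sshd[1240]: Accepted publickey for alice from 198.51.100.5 port 40000 ssh2
Jul 18 10:03:00 host sshd[1241]: Failed password for invalid user test from 192.0.2.9 port 6000 ssh2
Jul 18 10:03:30 host sshd[1242]: Failed password for bob from 192.0.2.9 port 6002 ssh2'

# offenders [threshold]: read sshd log lines on stdin and print "count ip"
# for every address with at least <threshold> failed-login events, highest
# count first. Successful logins ("Accepted ...") are never counted.
offenders() {
    thr="${1:-$THRESHOLD}"
    awk -v thr="$thr" '
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            # the offending address is the field that follows "from"
            for (i = 1; i <= NF; i++)
                if ($i == "from" && $(i+1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                    count[$(i+1)]++
                    break
                }
        }
        END {
            for (ip in count)
                if (count[ip] >= thr) print count[ip], ip
        }' | sort -rn
}

# block_cmds: turn the offender list into one pfctl command per address.
# The commands are printed, not executed, so they can be reviewed first and
# the script itself needs no root privileges; pipe the output into sh to apply.
block_cmds() {
    offenders | while read -r count ip; do
        printf 'pfctl -t %s -T add %s   # %s failed logins\n' "$TABLE" "$ip" "$count"
    done
}

# Usage on a live system:  . ./sshblock.sh; grep sshd /var/log/authlog | block_cmds | sh
# Run with --demo to see the commands produced for the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | block_cmds
fi
```

With the default threshold of 3 the sample yields a single address, 203.0.113.7; lowering the threshold to 2 also catches 192.0.2.9, while the successful public-key login from 198.51.100.5 is never listed.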

Attacks stop immediately

Obviously, because you have changed the port. But what happens in one day, one week, one month from now? Sooner rather than later the port scanners will detect the new port SSH is listening on. Sure, you will see fewer attacks than before, but most of the attackers are no longer just stupid bots. The number of attacks doesn’t tell you anything about the quality of the attacks. You might even become a target of special interest because it looks like you have something to hide…

Moving is a common recommendation

Yes, it is. But being common is no guarantee that a recommendation is (still) good advice. Maybe it was good advice at some time in the past. Maybe it was always bad advice, but people spread it anyway. A lot of hits in the search engine you trust is no guarantee of good advice. You should always check whether the advice you want to follow comes from a source you can trust.

All TCP ports are reachable from everywhere

This assumption was true in the early days of the Internet, when few hosts were connected to it and the users knew each other. Those days are long gone. Today the firewalls in companies and public institutions block outgoing traffic as restrictively as incoming traffic. Usually you can only use a few services on well-known ports. Connections to high ports are usually blocked.

Port scanning takes too long

If the time required to scan all 65535 ports approached infinity, you would be right. But this is far from the case. There are port scanners active all the time, and some of them publish their findings as searchable databases on the web: https://www.shodan.io/

All attackers are stupid bots

By moving your service to a different port you increase your chance of attracting attackers other than stupid bots. Attackers use Google too and know that moving a service to a different port is common advice. And because it is so quick and easy to do, people tend to forget about other security measures, making these systems easy targets. Moving to a different port doesn’t help you at all if you allow login as root with the password 12345 on your SSH server!

But there is port knocking

Yes, there is port knocking. This is a valid option if you have very few users accessing your SSH server. And all of them have to use software that supports port knocking. And there must be no firewalls blocking traffic on the ports you choose for your knocking pattern. And there have to be a lot of ports in your knocking pattern, or you have to change it often in order to prevent bots from guessing it. And you have to make sure that the pattern changes from time to time. And you need a way to let your clients know about the new pattern before you can disable the old one. All of that sounds like far more trouble and effort than properly configuring and updating your SSH server, which will keep you safe and your users happy in the long run.
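The two previous sections both come down to the same point: the sshd settings matter, the port number does not. As an added example (not from the original post), here is a small POSIX shell audit that reads an sshd_config and reports the settings that leave password guessing open. It uses the real OpenSSH keywords PermitRootLogin, PasswordAuthentication, PubkeyAuthentication and KbdInteractiveAuthentication with their documented defaults; both config samples below are constructed, and Match blocks are deliberately not handled.

```shell
#!/bin/sh
# Added example, not the site's own code: audit the sshd_config settings that
# decide whether password guessing can succeed at all. OpenSSH takes the FIRST
# occurrence of a keyword, keywords are case-insensitive, and a keyword that is
# absent or commented out falls back to its default. Match blocks are ignored
# here (assumption: the file has none).

# Constructed sample: "moved to a high port, otherwise untouched".
WEAK_CONF='Port 2222
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes'

# Constructed sample: default port, but key-only logins.
HARDENED_CONF='Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication no'

# sshd_setting KEYWORD DEFAULT: print the effective (lower-cased) value of
# KEYWORD for the config read on stdin, or DEFAULT when it is not set.
sshd_setting() {
    awk -v key="$1" -v def="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) && !found { print tolower($2); found = 1 }
        END { if (!found) print tolower(def) }'
}

# audit_sshd_config: read a config on stdin, print one line per weak setting
# and return the number of findings (0 means nothing to report).
audit_sshd_config() {
    conf="$(cat)"
    n=0
    # Default since OpenSSH 7.0 is prohibit-password; "yes" lets bots aim at root.
    if [ "$(printf '%s\n' "$conf" | sshd_setting PermitRootLogin prohibit-password)" = "yes" ]; then
        echo "PermitRootLogin yes: root can be attacked directly"; n=$((n+1))
    fi
    # Default is yes: every guess in the log is a real attempt at a real password.
    if [ "$(printf '%s\n' "$conf" | sshd_setting PasswordAuthentication yes)" = "yes" ]; then
        echo "PasswordAuthentication yes: password guessing possible"; n=$((n+1))
    fi
    # Default is yes; keyboard-interactive (PAM) can still prompt for passwords
    # even when PasswordAuthentication is off.
    if [ "$(printf '%s\n' "$conf" | sshd_setting KbdInteractiveAuthentication yes)" = "yes" ]; then
        echo "KbdInteractiveAuthentication yes: PAM password prompts still possible"; n=$((n+1))
    fi
    # Default is yes; turning it off leaves no key-only login path at all.
    if [ "$(printf '%s\n' "$conf" | sshd_setting PubkeyAuthentication yes)" != "yes" ]; then
        echo "PubkeyAuthentication disabled: no key-only login possible"; n=$((n+1))
    fi
    return "$n"
}

# Usage on a live system:  . ./sshaudit.sh; audit_sshd_config < /etc/ssh/sshd_config
# Run with --demo to audit the two constructed samples.
if [ "${1:-}" = "--demo" ]; then
    echo "weak:";     printf '%s\n' "$WEAK_CONF" | audit_sshd_config || true
    echo "hardened:"; printf '%s\n' "$HARDENED_CONF" | audit_sshd_config || true
fi
```

The weak sample produces three findings (root login, password authentication and the keyboard-interactive default it never touched) despite its non-default port; the hardened sample on port 22 produces none.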

Outro

Security hurts. Security costs. Either money or comfort, but usually both. If your security measure is free and comfortable, it is useless. If you have read this post and think: “This is all complete bullshit!”, I ask you to run as many servers on the Internet as you can afford. The more easy targets there are out there, the fewer attacks my systems have to face. Thank you!