Skip to main content

Should I change the default SSH port number?

More
15 years 10 months ago #28992 by skepticals
I have heard thoughts before regarding the changing of default port numbers.

Do you think it makes a differece? Would this fool a program such as Nmap? Is it worth the time to change them?

What are your thoughts?
More
15 years 10 months ago #29002 by S0lo
Not sure I got what your aiming at skepticals. Do you want to change the SSH port number in an SSH server to hide it from scanners or intruders? If so yes it could help if you choose a rather unknown port number. But it will probably not stop scanners that scan all possible ports. Still it's not a bad idea to prevent the novice intruder.

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
More
15 years 10 months ago #29004 by skepticals
I will try to be more clear.

Overall, is it worth it to change default port numbers? If someone scans all ports with a port scanner, would if find SSH running on a non-standard port?

Obviously, it would stop people from trying to go directly to the SSH default port, but it wouldn't do anything against an all port scan.

Do most people change their ports?
More
15 years 10 months ago #29009 by S0lo
Yes, I assume it can help. An all ports scanner can know if the port is open or not via a SYN scan. But it would not be obvious for the scanner which service is run on the port if you use a none default one. So if you use a port say 80 for ssh, the scanner might think it's a web service and try attacking/exploiting holes related (which will obviously not work). The scanner needs to do some extra work to find out that the service your running is SSH.

So I think it's a good idea, I might be wrong though. I haven't seen many admins do it. Or you might argue that I don't know many admins ;)

Wholly!!, I just wrecked my syslink wireless repeater while doing a scan on it with nmap. Guess it was too aggressive :o.

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
More
15 years 10 months ago #29021 by sose
security is about stratifying defense, make it difficult for them to break in , when they break in make it difficult for them to move around.
shut your door you know , then bolt it, if possible with a laser alarm. heee!


sose

The operating system is thesame where ever you go
More
15 years 10 months ago #29037 by Smurf
Its going to depend on who is attacking. Proper attackers it would not matter what the port number is as they will have tools within their arsenal that will quite easily determine what services is running on it. There are a few techniques used, the most common is to look at the banner information that is returned. If you telnet to most mail servers on port 25, you will see a banner returned which usually indicates the exact mail server that is running. This can help identify the operating system that the mail server is hosting along with the version of the mailserver software. Once this information is gained, you start looking at known vulnerabilities on these versions and try to exploit them in a hope that noone has patched them.

Also a load of tools such as Nmap, xprobe, xprobe2, etc... can be used to fingerprint operating systems just by monitoring the behavour of scans to them. For example, if you did a port scan with specific TCP flags set, certain operating systems respond differently from others and by sending combinations of these scans, you can sometimes quite accurately identify the operating systems running on servers, firewalls, etc... by the responses.

I would say to move the ports is good to stop people messing about but proper attackers wouldn't really be fooled by this. Its good if you can have firewalls, that can automatically block port scans to stop this (i.e. some firewalls, you can specify a threashold and if a port scan hits this, then it will automatically drop all other traffic for a set period of time, even legitimate traffic)

TTFN

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Time to create page: 0.171 seconds