On 12/23/2017 03:19 AM, Torge Riedel wrote:
On 22.12.2017 at 14:47, Sam Bull wrote:
I was also under the impression that these reserved ports were better protected by the OS; changing to a non-standard port could actually result in reducing security.

A very quick Google seems to agree with what I remember, e.g.
https://www.adayinthelifeof.nl/2012/03/12/why-putting-ssh-on-another-port-than-22-is-bad-idea/

Leaving it on the default port ensures the OS will be doing everything it can to protect it. Changing it might reduce the number of random brute force attempts (but these are not going to succeed if you've secured your system anyway), but might make your server more vulnerable to an actual targeted attack (which is significantly more likely to succeed).
Thanks, good point. Never thought about it in that way.

I will change back to the standard port and see what. Since I followed the nice guide, my server should be protected.
The standard port does not increase security over a custom one.

You can only trust an SSH connection if the fingerprint matches what your client already trusts. A fake SSH server running on a high-numbered port will not be able to produce the same fingerprint unless it has access to the real private key, in which case it is game over anyway.

The port it runs on neither increases nor decreases the security of the daemon; it's the security of the private key that matters, and the server fingerprint is what you need to examine when determining whether your connection is valid or not.

When the fingerprint changes, users need to verify the change is valid before blindly trusting the new fingerprint, regardless of the port.
_______________________________________________
Ach mailing list
[email protected]
https://lists.cert.at/cgi-bin/mailman/listinfo/ach
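As an added illustration of the fingerprint argument made in the last reply (example code, not from the thread or any of its participants), the following Python script computes OpenSSH-style SHA256 fingerprints of public key lines and checks a key presented by a server against pinned known_hosts entries. OpenSSH records a host on port 22 as a bare hostname and a host on any other port as `[host]:port`, so the same real key can be pinned for both and compared identically; the host name `example.invalid`, the port numbers and both keys are constructed samples. The fingerprint format produced is the `SHA256:<base64 without padding>` value that `ssh-keygen -lf` prints, so it can be compared with what an operator publishes.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(raw_key: bytes, comment: str = "") -> str:
    """Build an OpenSSH 'ssh-ed25519 <base64>' public key line from 32 raw bytes.

    Used here only to construct sample keys; a real server's keys live in its
    ssh_host_*_key.pub files (assumed standard OpenSSH layout).
    """
    if len(raw_key) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_key)
    line = "ssh-ed25519 " + base64.b64encode(blob).decode("ascii")
    return f"{line} {comment}" if comment else line


def fingerprint_sha256(pubkey_line: str) -> str:
    """Return the OpenSSH-style fingerprint 'SHA256:<base64, no padding>' of a public key line.

    SHA-256 is taken over the decoded key blob; the trailing comment is ignored.
    """
    _keytype, b64 = pubkey_line.split()[:2]
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def known_hosts_hostfield(host: str, port: int) -> str:
    """known_hosts host field: bare hostname on port 22, '[host]:port' for any other port."""
    return host if port == 22 else f"[{host}]:{port}"


def parse_known_hosts(text: str) -> dict:
    """Map (hostfield, keytype) -> 'keytype base64' for plain known_hosts lines.

    Comment lines, @-marker lines (@cert-authority, @revoked) and hashed
    entries (|1|salt|hash) are skipped to keep the example focused.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#@|":
            continue
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue
        hostfield, keytype, b64 = parts[0], parts[1], parts[2]
        for h in hostfield.split(","):  # one line may list several host aliases
            entries[(h, keytype)] = f"{keytype} {b64}"
    return entries


def verify_server_key(known_hosts_text: str, host: str, port: int, presented: str) -> str:
    """Classify a presented host key: 'match', 'mismatch' (a known host presents a
    different key, the case that must be investigated before trusting it) or
    'unknown' (nothing pinned yet for this host/port/key type)."""
    entries = parse_known_hosts(known_hosts_text)
    keytype = presented.split()[0]
    trusted = entries.get((known_hosts_hostfield(host, port), keytype))
    if trusted is None:
        return "unknown"
    return "match" if fingerprint_sha256(trusted) == fingerprint_sha256(presented) else "mismatch"


# Constructed sample keys (not real host keys): the genuine server key and an impostor's key.
REAL_KEY = make_ed25519_pubkey_line(bytes(range(32)), "real-host-key")
FAKE_KEY = make_ed25519_pubkey_line(bytes(range(32, 64)), "impostor")

# Constructed known_hosts: the same real key pinned for port 22 and for port 2222.
KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    f"example.invalid {REAL_KEY}",
    f"[example.invalid]:2222 {REAL_KEY}",
])

if __name__ == "__main__":
    print("real key fingerprint:", fingerprint_sha256(REAL_KEY))
    print("port 22, real key:   ", verify_server_key(KNOWN_HOSTS, "example.invalid", 22, REAL_KEY))
    print("port 2222, real key: ", verify_server_key(KNOWN_HOSTS, "example.invalid", 2222, REAL_KEY))
    print("port 2222, fake key: ", verify_server_key(KNOWN_HOSTS, "example.invalid", 2222, FAKE_KEY))
    print("port 8022, real key: ", verify_server_key(KNOWN_HOSTS, "example.invalid", 8022, REAL_KEY))
```

The impostor on port 2222 is reported as a mismatch purely because its key blob hashes differently; nothing about the port number enters the comparison. The `unknown` result for port 8022 is the first-connection case where the client has nothing to compare against and the fingerprint has to be verified out of band.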