On Wed 07 Dec 2016 at 13:49:34 -0500, Greg Wooledge wrote:

> On Wed, Dec 07, 2016 at 01:23:23PM -0500, Henning Follmann wrote:
> > Also changing the port to a nonstandard port is not a safety measure. Not a
> > reasonable at least. Unless there is some sane reason (like the network
> > operator prevents using port 22) keep it!
>
> I disagree with this. Changing the port at least decreases the number
> of brute force attacks against you, which saves resources (bandwidth, CPU)
> that are otherwise wasted by the attackers.

I agree with this. Having ssh on a port other than 22 does decrease the
*visibility* of probes to port 22. A user would in all probability see
nothing and would have a warm, fuzzy feeling. Job done; nothing to see.

However, while it might save resources it does not make the ssh service
any safer. Henning Follmann is correct, it is not a safety measure. To be
a safety measure it would have to guard against something which is
inherently defective in ssh itself. There is no such known defect in ssh
which makes random password probing more likely to succeed than non-random
probing.

> I understand that you mean "it will not stop a dedicated professional
> attacker who really, really wants to get into your computer". And that's
> true. But it does help against the random script kiddies and attacks of
> opportunity.

Whatever you understand, Henning Follmann said nothing of the sort. You
have put words into his mouth and introduced buzzwords like "dedicated",
"professional" and "attacker". You give the impression that someone who
really wants to get into your computer via ssh can do so. That is not
correct.

There is no way *anyone* can get into your ssh account protected by a good
password. There is no hole in ssh; it does not exist. Random script kiddy
attacks are of absolutely no consequence. Annoying perhaps, but no threat
whatsoever.

In terms of security, changing the port number for ssh does bugger all.

--
Brian.