[conspire] Why Bother to Use Other Than Well Known Ports?

Tony Godshall togo at of.net
Mon Dec 4 14:41:42 PST 2006


Hi all.

Just my 2c:

Nothing wrong with a layer of obscurity as long as you have good solid
open-source code underneath.  It can buy you time.

I put ssh on odd ports myself, both for the reasons Mark and Rick
mention, and also because I imagine a scenario where a bunch of
script-kiddies get ahold of an actual ssh exploit and start attacking
every ip address in sight.  They aren't going to be patient enough to
do full port-scans, generally; they'll just look for port 22 on every
ip address in the world.  It is a layer of security-by-obscurity,
which is of course not as good as proper peer-reviewed security, but
it is an additional layer that'll probably buy me some time (I don't
always hear about these things right away).

Plus, I have one ip address and multiple servers behind it, so I have
port-forwarding on my cheapo linksys router and use ssh with the Port
and HostKeyAlias options in ~/.ssh/config, where Port is unique per
host.

Best Regards
Tony-now-in-the-sili-valley-Godshall



On 12/1/06, Rick Moen <rick at linuxmafia.com> wrote:
> Quoting Mark Weisler (mark at weisler-saratoga-ca.us):
>
> > Hi All,
> > I periodically use nmap to examine servers I administer and I am wondering:
> > Why bother to use other than well known ports when setting up services such
> > as mail, ssh, Web, etc.?
>
> Two reasons come to mind:
>
> 1.  Some people think it's worthwhile to hide from automated attacks by
> moving some network services to unexpected ports.  This leads to a long
> ritualised exchange where someone says "That's security through
> obscurity, and worthless", someone else says "It's worthwhile if it cuts
> the statistical incidence of attacks", blah blah blah for several days
> of back and forth.
>
> 2.  There are often pragmatic reasons for making a service be reachable
> on _additional_ ports alongside the traditional ones.  E.g., I have sshd
> answering on 22 (traditional), plus 23 (normally telnetd), and 8080.
>
> 8080 is for the benefit of one of my users in the UK, who's obliged to
> ssh in from such an inanely configured firewall that he's not allowed to
> connect to normal ssh/telnet ports at all.  23 is additional insurance
> along the same lines, and was available because I don't run a telnetd.
>
> (FYI:  There are perfectly fine telnetd setups with Kerberos or SSL.)
>
>
>
> _______________________________________________
> conspire mailing list
> conspire at linuxmafia.com
> http://linuxmafia.com/mailman/listinfo/conspire
>


-- 
Tony Godshall (g)
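The client-side arrangement Tony describes (one public address, several servers behind a port-forwarding router, a unique Port per host and HostKeyAlias to keep the host keys apart) looks like the following in ~/.ssh/config. This is an added example, not configuration from the original post; the host names, the address home.example.org, the user name and the port numbers are placeholders.

```sshconfig
# ~/.ssh/config  (added example, not from the original post)
#
# Assumed setup: the router at home.example.org forwards three distinct
# external ports to port 22 on three internal machines.  Each "Host"
# stanza is a short alias typed as "ssh alpha", "ssh beta", "ssh gamma".
#
# HostKeyAlias matters here: all three servers share the same public
# address, but each has its own host key.  The alias gives every server
# its own stable known_hosts entry, so a key-mismatch warning means the
# server's key really changed (or something is intercepting the session),
# not merely that the router's forwarding or the address was rearranged.

Host alpha
    HostName home.example.org
    Port 2201
    HostKeyAlias alpha.internal
    User tony

Host beta
    HostName home.example.org
    Port 2202
    HostKeyAlias beta.internal
    User tony

Host gamma
    HostName home.example.org
    Port 2203
    HostKeyAlias gamma.internal
    User tony

# Defaults applied to every host above (and any other).  Turning off
# password authentication on the client side does not harden the server,
# but it keeps a mistyped alias from offering a password to an unknown
# machine at an unexpected port.
Host *
    PasswordAuthentication no
    StrictHostKeyChecking ask
```

To confirm what the client will actually use for a given alias without connecting, `ssh -G alpha` (OpenSSH 6.8 and later) prints the fully resolved options, including the hostname, port and hostkeyalias lines above. The first connection to each alias records a separate known_hosts line keyed by the alias name, so the three machines never overwrite one another's entries.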