[conspire] Why Bother to Use Other Than Well Known Ports?
togo at of.net
Mon Dec 4 14:41:42 PST 2006
Just my 2c:
Nothing wrong with a layer of obscurity as long as you have good solid
open-source code underneath. It can buy you time.
I put ssh on odd ports myself, both for the reasons Mark and Rick
mention, and also because I imagine a scenario where a bunch of
script-kiddies get ahold of an actual ssh exploit and start attacking
every ip address in sight. They aren't going to be patient enough to
do full port-scans, generally, they'll just look for port 22 on every
ip address in the world. It is a layer of security-by-obscurity,
which is of course not as good as proper peer-reviewed security, but
it is an additional layer that'll probably buy me some time (I don't
always hear about these things right away).
Plus, I have one ip address and multiple servers behind it, so I have
port-forwarding on my cheapo linksys router and use ssh with the Port
and HostKeyAlias options in ~/.ssh/config, where Port is unique per
On 12/1/06, Rick Moen <rick at linuxmafia.com> wrote:
> Quoting Mark Weisler (mark at weisler-saratoga-ca.us):
> > Hi All,
> > I periodically use nmap to examine servers I administer and I am wondering:
> > Why bother to use other than well known ports when setting up services such
> > as mail, ssh, Web, etc.?
> Two reasons come to mind:
> 1. Some people think it's worthwhile to hide from automated attacks by
> moving some network services to unexpected ports. This leads to a long
> ritualised exchange where someone says "That's security through
> obscurity, and worthless", someone else says "It's worthwhile if it cuts
> the statistical incidence of attacks", blah blah blah for several days
> of back and forth.
> 2. There are often pragmatic reasons for making a service be reachable
> on _additional_ ports alongside the traditional ones. E.g., I have sshd
> answering on 22 (traditional), plus 23 (normally telnetd), and 8080.
> 8080 is for the benefit of one of my users in the UK, who's obliged to
> ssh in from such an inanely configured firewall that he's not allowed to
> connect to normal ssh/telnet ports at all. 23 is additional insurance
> along the same lines, and was available because I don't run a telnetd.
> (FYI: There are perfectly fine telnetd setups with Kerberos or SSL.)
> conspire mailing list
> conspire at linuxmafia.com
Tony Godshall (g)
More information about the conspire