Linux Users' Group of Davis (LUGOD)
Page last updated:
2006 Jun 12 12:28

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] Why change default ssh port?

On Mon, Jun 12, 2006 at 11:59:24AM -0700, Rick Moen wrote:
> Quoting MB (sparkynine@yahoo.com):
> 
> > Every little bit of security/obfuscation helps.
> 
> Don't forget to make /etc/issue and /etc/issue.net claim that you're
> running ITS on SuperNintendo.  _Somebody_ might be fooled.
> 
> Putting lampshades on top of your servers could be just the protection you
> need, too.
> 
> > Just changing the SSH port probably removes 90% of the threats with 10% 
> > of the effort.
> 
> It certainly does win in the "easier than thinking" department.

This seems a /bit/ harsh. And MB does make a valid point that the ROI on
simply shifting the ports is somewhat impressive.

But I agree that it's a poor substitute for truly improving security.
I'm not against changing the port, as it does hide the service's
existence, but it ought to at least be coupled with, and is certainly no
replacement for, ensuring that you are running a properly configured and
up-to-date service. Sadly, it seems likely that a support staff unwise
enough not to announce the move beforehand (thus creating a serious
support issue for themselves) is unlikely to take it any further than
the port move.

I think a good analogy for changing the port number to something
nonstandard might be writing a "secret" message using a Caesar-style
cipher. It /does/ provide some security. Someone reading through several
messages might be discouraged from bothering with your non-plaintext
message, and go for lower-hanging fruit (unfortunately, this seems to be
the only goal in too many people's security models), but anyone with the
smallest incentive to read your particular message (or, who is perhaps
intrigued by the fact that it's not plaintext in the first place) will
discover its content quite quickly. No one employing it should deceive
themselves into thinking that their communiqué is confidential.

Using a simple cipher also gives a decent return/investment ratio. But
that should not distract one from the fact that the return itself may
not be sufficient for one's needs.

-- 
Micah J. Cowan
Programmer, musician, typesetting enthusiast, gamer...
http://micah.cowan.name/
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
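An added example for the point made above, not code from Micah's post or from LUGOD: a small Python audit that parses an sshd_config and reports whether the settings that actually matter are in place, while reporting the port as information only. Both config texts are constructed for this example (the "port moved, nothing else touched" case beside a configured one); the directive names are real OpenSSH sshd_config keywords, and the defaults assumed for absent keywords are stated in the comments.

```python
"""Audit an sshd_config: the port move is the cheap part, the rest is the point.

Added example for this thread, not code from the original post. The two
config texts are constructed samples; the keywords are OpenSSH's.
"""
import re

# Constructed sample 1: what the post warns about. Port moved, nothing else done.
MOVED_PORT_ONLY = """\
# moved off 22; support desk not told
Port 2222
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# Constructed sample 2: the same host with the service actually configured.
# Moving the port is optional on top of this; it is not part of the hardening.
HARDENED = """\
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
MaxAuthTries 3
X11Forwarding no
AllowUsers micah
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# A directive is "Keyword value" or "Keyword=value"; keywords are case-insensitive.
_LINE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section of an sshd_config.

    sshd keeps the *first* value it sees for a keyword, so later duplicates are
    ignored here as well. Lines starting with '#' are comments. Parsing stops at
    the first 'Match' block: directives below it apply conditionally and do not
    describe the global policy.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue  # a bare keyword with no value is not a setting
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(settings):
    """Return [(severity, keyword, message)] for the settings that matter.

    Assumed defaults for absent keywords: PermitRootLogin 'yes' (OpenSSH before
    7.0), PasswordAuthentication 'yes', PermitEmptyPasswords 'no', X11Forwarding 'no'.
    """
    findings = []

    def get(key, default):
        return settings.get(key, default).lower()

    port = settings.get("port", "22")
    findings.append(("info", "port",
                     f"listening on {port}; a non-default port only delays a scanner, "
                     "the SSH version banner identifies the service on any port"))

    protocol = settings.get("protocol")
    if protocol is None:
        findings.append(("low", "protocol",
                         "Protocol not set; on old OpenSSH set 'Protocol 2' explicitly"))
    elif "1" in [p.strip() for p in protocol.split(",")]:
        findings.append(("high", "protocol", f"Protocol {protocol}: SSH-1 is enabled"))

    if get("permitrootlogin", "yes") == "yes":
        findings.append(("high", "permitrootlogin", "root may log in directly"))
    if get("passwordauthentication", "yes") != "no":
        findings.append(("high", "passwordauthentication",
                         "password logins allowed; whoever finds the port can start guessing"))
    if get("permitemptypasswords", "no") == "yes":
        findings.append(("high", "permitemptypasswords", "empty passwords accepted"))
    if get("x11forwarding", "no") == "yes":
        findings.append(("low", "x11forwarding", "X11 forwarding enabled; disable unless needed"))
    return findings


def high_findings(text):
    """Keywords flagged 'high' for a config text; an empty list means the basics are in place."""
    return sorted(kw for sev, kw, _ in audit(parse_sshd_config(text)) if sev == "high")


if __name__ == "__main__":
    for name, text in (("moved port only", MOVED_PORT_ONLY), ("hardened", HARDENED)):
        print(f"== {name} ==")
        for sev, kw, msg in audit(parse_sshd_config(text)):
            print(f"  [{sev:4}] {kw}: {msg}")
```

Run it against a real file with `audit(parse_sshd_config(open("/etc/ssh/sshd_config").read()))`; the "port" line is deliberately never more than information, which is the post's point.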