Change the default SSH server port on 10.3
Authored by: twenex on Jun 12, '04 02:27:22AM

This is a pretty idiotic idea. It breaks other things (as I think others have pointed out). Scanners can easily detect the ssh protocol on other ports, and lots of things break. Ssh (the openssh version) is well updated whenever problems are detected, so the risk/reward on this is really bad.

There's *so* many other places to concentrate to remove potential vulnerabilities with better reward that spending a second on this hint is worthless.

Good grief. Why don't you advise people to change the port of their webservers too while you're at it.



Change the default SSH server port on 10.3
Authored by: valkraider on Jun 12, '04 07:45:47PM

> This is a pretty idiotic idea. It breaks other things (as I think others have pointed out).

Like what? People keep saying how terrible this is, without any information. So far, this has not borken ONE SINGLE THING that I use.

> Scanners can easily detect the ssh protocol on other ports

No one ever claimed they couldn't. But at least now they HAVE to use a scanner, eh? As opposed to just firing up any SSH client to my server address (which has a domain associated with it).

> and lots of things break.

Like what?

> There's *so* many other places to concentrate to remove potential vulnerabilities with better reward that spending a second on this hint is worthless.

Did you even read the hint? SOME PEOPLE CAN'T USE PORT 22. Thus, if I want to use SSH into my network from locations where port 22 is blocked, I HAVE TO CHANGE THE PORT, don't I?

> Good grief. Why don't you advise people to change the port of their webservers too while you're at it.

This is a completely different concept. SSH is generally access that ONLY USERS OF THE SPECIFIC MACHINE will use - something that users can generally control, and something that the general public has no need to use on my machine - additionally SSH getting hacked has a MUCH greater impact on the overall machine than Apache getting hacked... In contrast My Web Server is for general public access - with no authentication or restriction.

But just for grins, you CAN easily change your web server port and break nothing - as long as users know to put :port after the server name. In fact, most all of the web systems I work with don't use port 80 (WebSphere, WebLogic, SilverStream, etc etc etc - they all default to other ports).

But you obviously know more than IBM, BEA, and Novell....

Change the default SSH server port on 10.3
Authored by: alvarez on Jun 13, '04 03:05:05PM

Yes! I don't care about the security or upgradability aspects of this hint. But I am currently consulting for a merry little financial management and advisory company that firewalls SSH, VPN, Outlook Exchange servers, various instant messenger services, and just about anything that allows me to be more productive on site. I was trying to determine why changing /private/etc/sshd_config was not working just the other day, and this hint comes timely.



Change the default SSH server port on 10.3
Authored by: mweissen on Jun 14, '04 09:39:03AM

>> This is a pretty idiotic idea. It breaks other things (as I think others have pointed out).

> Like what? People keep saying how terrible this is, without any information. So far, this has not borken ONE SINGLE THING that I use.

>> and lots of things break.

> Like what?

Like the ssh client. OK? And all tools that depend on it.

Just like the server, the client uses the POSIX API to get the port number from the /etc/services file. Since pretty much everybody uses the standard port 22, and not port 8855, the client won't be able to connect anywhere unless you *explicitly* specify port 22 either on the command line or in /etc/ssh_config. The default /etc/ssh_config on Mac OS X does not specify this, nor do users normally add "-p 22" to their ssh command lines, as far as I know. Ergo, broken SSH client, QED.

If you can't see this problem, you have apparently inadvertently unborked the client config while you borked the server, so it happens to work for you. Or then you've simply not even tried SSH:ing out?

--Bud
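
The client-side effect described in the comment above, as an added example (not code from the thread or from OpenSSH). It assumes the client picks its default port in this order: the first applicable `Port` in ssh_config, then the `ssh/tcp` entry in the services file, then 22. The sample file contents are constructed, and the host name `example.org` is a placeholder.

```python
import fnmatch

DEFAULT_SSH_PORT = 22  # fallback when there is no "ssh/tcp" service entry

def service_port(services_text, name="ssh", proto="tcp"):
    """Return the port for name/proto from /etc/services-format text, or None."""
    for line in services_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, _, line_proto = fields[1].partition("/")
        # Match on the official name (field 0) or any alias (fields 2+).
        if line_proto == proto and name in [fields[0]] + fields[2:]:
            return int(port)
    return None

def config_port(ssh_config_text, host):
    """Return the first Port that applies to host (simplified: no Match, no !negation)."""
    applies = True  # options before the first Host line apply to every host
    for line in ssh_config_text.splitlines():
        words = line.split("#", 1)[0].replace("=", " ").split()
        if not words:
            continue
        key = words[0].lower()
        if key == "host":
            applies = any(fnmatch.fnmatch(host, pat) for pat in words[1:])
        elif key == "port" and applies and len(words) > 1:
            return int(words[1])  # the first value obtained wins
    return None

def client_port(services_text, ssh_config_text, host):
    """Port a plain `ssh host` (no -p) would dial."""
    return (config_port(ssh_config_text, host)
            or service_port(services_text)
            or DEFAULT_SSH_PORT)

# Constructed sample files, not taken from any real machine.
STOCK = "ftp 21/tcp\nssh 22/tcp # SSH Remote Login Protocol\nssh 22/udp\n"
EDITED = STOCK.replace("ssh 22/tcp", "ssh 8855/tcp")  # server port moved via services
NO_PORT_CFG = "# Host *\n#   Port 22\n"   # Port left commented out
PINNED_CFG = "Host *\n  Port 22\n"         # client pinned back to 22

if __name__ == "__main__":
    for label, svc, cfg in [("stock", STOCK, NO_PORT_CFG),
                            ("edited services", EDITED, NO_PORT_CFG),
                            ("edited + pinned client", EDITED, PINNED_CFG)]:
        print(f"{label}: ssh dials port {client_port(svc, cfg, 'example.org')}")
```

Pinning `Port 22` in the client configuration keeps outbound connections on the standard port even when the services entry has been edited for the server.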



Change the default SSH server port on 10.3
Authored by: alvarez on Jun 13, '04 06:48:43PM

> Good grief. Why don't you advise people to change the port of their webservers too while you're at it.

Ha! I missed this the first time around. I had to do this too, not because of my current gig, but because of the paranoia of my veritable DSL providers, who block all incoming port 80 traffic.
