10.4: Change the default sshd port
Authored by: macubergeek on Jul 19, '05 07:07:17AM

This writeup is interesting BUT....
changing the sshd port adds nothing to one's security posture. A quick nmap of the ports and a netcatting will quickly identify the new sshd port.
Adding appropriate firewall rules controlling the source port that can reach sshd would add a little more security. Authenticating via RSA SecurID would add still more.



10.4: Change the default sshd port
Authored by: macshome on Jul 19, '05 09:27:03AM

Running ssh on a different port though will stop the ENDLESS ssh scans that seem to blight the internet these days from pounding your Mac.

It, as well as disabling ssh login for root, will prevent OD replica _creation_ on Mac OS X Server, so watch out for that. Once you have a replica created you can re-diddle ssh.

Josh

---
http://www.afp548.com
Breaking my server to save yours.



10.4: Change the default sshd port
Authored by: Anonymous on Jul 20, '05 03:12:00AM

I agree, changing port numbers is not a security measure. However, it can be useful in a number of situations. For example: traffic on port 22 may be blocked or considered suspicious by ISPs or a workplace, thus choosing a different port (such as 443) can be a great alternative.



10.4: Change the default sshd port
Authored by: JLG on Nov 20, '08 02:37:21PM

Not to disagree for the sake of disagreeing, but changing the ssh port is definitely a security measure, for the reason Josh mentions. Those ssh bots hammer port 22 on any server running ssh on the default port, to the point that they can overwhelm DirectoryServices, creating a DOS attack. If the scans are successful in guessing a password, your system is hacked. By changing the ssh port, you remove the server's exposure to these bots--so yes, it is a security measure.



10.4: Change the default sshd port
Authored by: paulsomm on Nov 08, '05 08:21:46PM

Perhaps, but the point of this really isn't for added security so much as obfuscation. I have passwords disabled, rely solely on keys, and have my account as the only one allowed to ssh and only from set machines. I'm not worried about someone getting in. But I do want to stop the endless script kiddie attacks as each attempt to log in spawns a new SSHD service. Watching the traffic hit port 22, I can see sometimes dozens of SSHD processes running.

By obfuscating the port, at least the worms/zombies/script kiddies trying port 22 will not even get to my machine.



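The settings discussed across this thread (a non-default port, no root login, keys instead of passwords, one account from set machines) can be checked mechanically. The following is an added example, not part of any poster's comment: a small auditor for the global section of an `sshd_config`. The function names and the sample configuration are hypothetical, and it assumes whitespace-separated, unquoted `Keyword value` lines.

```python
# Added example: audit the global section of an sshd_config for the settings
# named in this thread. Config text below is constructed, not from a real host.
MULTI = {"port", "allowusers"}  # keywords whose repeated lines accumulate

HARDENED = """\
# constructed sample (192.0.2.0/24 is a documentation range)
Port 2222
PermitRootLogin no
PasswordAuthentication no
AllowUsers paul@192.0.2.10 paul@192.0.2.11
"""
# Same file with the old Port line left behind: sshd listens on both ports.
LEFTOVER_PORT = HARDENED + "Port 22\n"

def parse_global(text):
    """Collect global-section settings; stop at the first Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key, values = parts[0].lower(), parts[1:]  # keywords are case-insensitive
        if key == "match":
            break  # conditional overrides are out of scope for this check
        if key in MULTI:
            settings.setdefault(key, []).extend(values)
        elif key not in settings:  # for other keywords the first value wins
            settings[key] = values
    return settings

def audit(text):
    """Return findings for the hardening steps named in the thread."""
    s = parse_global(text)
    findings = []
    if "22" in s.get("port", ["22"]):  # no Port line means sshd uses 22
        findings.append("still listening on port 22")
    if s.get("passwordauthentication", ["unset"])[0].lower() != "no":
        findings.append("password authentication not disabled")
    if s.get("permitrootlogin", ["unset"])[0].lower() != "no":
        findings.append("root login not disabled")
    users = s.get("allowusers", [])
    if not users:
        findings.append("no AllowUsers restriction")
    elif any("@" not in u for u in users):
        findings.append("AllowUsers entry without a host restriction")
    return findings

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("leftover", LEFTOVER_PORT)):
        print(name, audit(cfg))
```

The check is deliberately strict: any `PermitRootLogin` value other than `no` is reported, and settings inside `Match` blocks are not evaluated.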