[wolrah]

To be fair, changing the SSH port does MASSIVELY cut down on the amount of log spam from low-effort scans.

Obscurity isn't security, but hiding still makes you harder to find. In other words the lock is just as good or bad as it always was but a lot less people are going to jiggle the handle.

Changing default service ports is a good thing and is one of the reasons everyone should be in favor of software supporting SRV/SVCB records so services can be hosted on arbitrary ports while still being accessible with a plain DNS name everyone's used to using.

That shouldn't be lumped in with pure idiocy like disabling SSID broadcast or believing that IPv6 inherently exposes your network to the world.

Ironically disabling SSID beaconing on wireless APs actually results in clients configured to use those networks broadcasting looking for them wherever they go, for those who want to hide a network it's the literal opposite of their desired result.

[sfink]

Yeah, I changed my SSH port for the same reason. I don't feel any more secure as a result, but now I can just watch the raw logs to see the incoming probes. They trickle in slowly, rather than being a constant flood, so I can watch the raw log for other purposes without it being inundated with noise that I have to filter out in order to be able to pay attention to anything else. That, and the logs use less space on disk.

[k_roy]

I don’t agree. Because the minute you change the port, you just become of more interest.

As you said, only the low effort bots scan the standard ports.

But venture anywhere off the beaten path, and a place like shodan is the most benevolent of those kind of places, and it still takes about an hour for your IP and newly opened SSH port to be indexed.

[wolrah]

> I don’t agree. Because the minute you change the port, you just become of more interest.

How does anyone know I changed the port to find me more interesting?

> But venture anywhere off the beaten path, and a place like shodan is the most benevolent of those kind of places, and it still takes about an hour for your IP and newly opened SSH port to be indexed.

I just checked the first VoIP server I ever deployed with a non-standard SIP port. It's been up for a decade and provides public facing services so its accessible to the global internet minus whatever systems have found their way in to our denylist over the years. It's not listening on the standard port 5060, but the port we chose is not particularly uncommon as it's a recommended alternative in the documentation of the platform we're using. Shodan has found this server and scanned it repeatedly over the years, but it still has no idea what port SIP is listening on. It only sees 80/443 for the public-facing web UI.

The thing about non-standard ports is that unless your service identifies itself with a banner or similar upon connection the attacker has to open with a valid request to receive a response. If someone connects to my SIP server and sends a HTTP GET, they're not going to get a response despite how similar SIP and HTTP are. They have to connect to the non-standard SIP port and then send a valid SIP message to identify my service.

[k_roy]

> How does anyone know I changed the port to find me more interesting?

I responded to this elsewhere.

> I just checked the first VoIP server I ever deployed with a non-standard SIP port. It's been up for a decade and provides public facing services so its accessible to the global internet minus whatever systems have found their way in to our denylist over the years.

And that is what is called “UDP”. Also the “spray and pray” of the networking world. Meaning, you literally don’t get a response.

Fundamental difference.

> The thing about non-standard ports is that unless your service identifies itself with a banner or similar upon connection the attacker has to open with a valid request to receive a response.

Which is exactly what ssh does and the point of why comparing the two and obscuring the port/IP makes no difference.

[wolrah]

> And that is what is called “UDP”. Also the “spray and pray” of the networking world. Meaning, you literally don’t get a response.

> Fundamental difference.

And that is what's is called a bad assumption. SIP also uses TCP, and these days it's pretty common for end-user facing services because of both NAT being terrible and more data being crammed in to messages leading to fragmentation issues with UDP. This particular system's services facing the open internet are 100% TCP.

> Which is exactly what ssh does and the point of why comparing the two and obscuring the port/IP makes no difference.

Yes, SSH does have a banner by default, but it's possible to change that behavior.

Sure, if an attacker is specifically targeting your IP and has some ideas what services you might be running then it's hard to entirely hide, but when you're just another system on the internet no one's going to put the effort in to look for services on odd ports.

I have dozens of systems out there running SSH on a port that's not 22 as well and most of them have never logged a SSH ban on fail2ban after years of operation.

The ones that listen on port 22 on the other hand log literally thousands a day.

[dfawcus]

One could always arrange for the SSH server to start its announce as follows:

    554 server.local Mail server not ready
    SSH-2.0-

and see how probers react, especially if one has the server listening on port 25, or even port 587

[Dylan16807]

More interest to who? This comes across like you're telling a spooky story at a campfire. Being 2% more interesting than the average server is not going to get you hacked by some elite crew.

[k_roy]

You want to talk about spooky campfire stories? Let’s have another OpenSSL/ssl zero day.

The point is it takes a script kiddy about 5 minutes to scan the whole 4 billion IPs for your port 22 server.

It takes about 90 seconds for the fact that you opened up a random high numbered port that is an SSH service to show up on the list of people that are probably exponentially more intelligent than the normal script kiddy scanning the internet

This does not make you more or less likely to be hacked just for having SSH open. But hey,go go gadget whatever.

[Dylan16807]

> This does not make you more or less likely to be hacked just for having SSH open.

A) The comment you responded to didn't claim you're less likely to be hacked, they said it cuts down on log spam.

B) When you talked about just becoming of more interest to non-benevolent places, was that not a suggestion you're more likely to be hacked? Then I think you phrased that pretty badly.

[k_roy]

> “ More interest to who?”

And

> elite hacking crew

It was your comment. Not to mention the blog post to which I originally responded to said “ you might not want to put your servers on low numbered IPs “

Step 1, know the difference between UDP and TCP and even a few of the implications

Yep. Party on

[Dylan16807]

I did say those words. And I said them after the comment I'm asking about. They are irrelevant to my question, because I'm asking what the comment I originally replied to meant.

You said "the minute you change the port, you just become of more interest" and then talked about places that are less "benevolent" than shodan.

Is being of "more interest" to less "benevolent" places supposed to imply an increased risk of being hacked, or not?

[MrHamburger]

If you change your SSH port on your Linux machine you might be misidentified as Windows machine, because these usually does not have SSH, thus next step will go for RDP. Nothing there either.

Sure next step can be going for a port scan, but how big scan do you want to do before fail2ban or similar will lock you out?

[justsomehnguy]

> you just become of more interest

Exactly the opposite. If you did change the default than it can signal what you are harder to break. Malware owners aren't interested in 'more interesting' addresses or machines, they are interested in machines which can be easily identified to be susceptible for exploiting. In the end their ware is a cheap computing resources.

If you ever run machines in a diverse environments then you could had seen by just a simple 'There were N failed attempts since last logon' what the machines with a non-standard SSH port receive way less attention than the machines on the defaults.

[k_roy]

Yep. Because targeting 5k IPs is way harder than targeting all 4 billion

[justsomehnguy]

Guess you forgot what you was talking (and I was responding to) about the ports not addresses.