[k_roy]

I don’t agree. Because the minute you change the port, you just become of more interest.

As you said, only the low effort bots scan the standard ports.

But venture anywhere off the beaten path, and a place like shodan is the most benevolent of those kind of places, and it still takes about an hour for your IP and newly opened SSH port to be indexed.

[wolrah]

> I don’t agree. Because the minute you change the port, you just become of more interest.

How does anyone know I changed the port to find me more interesting?

> But venture anywhere off the beaten path, and a place like shodan is the most benevolent of those kind of places, and it still takes about an hour for your IP and newly opened SSH port to be indexed.

I just checked the first VoIP server I ever deployed with a non-standard SIP port. It's been up for a decade and provides public facing services so its accessible to the global internet minus whatever systems have found their way in to our denylist over the years. It's not listening on the standard port 5060, but the port we chose is not particularly uncommon as it's a recommended alternative in the documentation of the platform we're using. Shodan has found this server and scanned it repeatedly over the years, but it still has no idea what port SIP is listening on. It only sees 80/443 for the public-facing web UI.

The thing about non-standard ports is that unless your service identifies itself with a banner or similar upon connection the attacker has to open with a valid request to receive a response. If someone connects to my SIP server and sends a HTTP GET, they're not going to get a response despite how similar SIP and HTTP are. They have to connect to the non-standard SIP port and then send a valid SIP message to identify my service.

[k_roy]

> How does anyone know I changed the port to find me more interesting?

I responded to this elsewhere.

> I just checked the first VoIP server I ever deployed with a non-standard SIP port. It's been up for a decade and provides public facing services so its accessible to the global internet minus whatever systems have found their way in to our denylist over the years.

And that is what is called “UDP”. Also the “spray and pray” of the networking world. Meaning, you literally don’t get a response.

Fundamental difference.

> The thing about non-standard ports is that unless your service identifies itself with a banner or similar upon connection the attacker has to open with a valid request to receive a response.

Which is exactly what ssh does and the point of why comparing the two and obscuring the port/IP makes no difference.

[wolrah]

> And that is what is called “UDP”. Also the “spray and pray” of the networking world. Meaning, you literally don’t get a response.

> Fundamental difference.

And that is what's is called a bad assumption. SIP also uses TCP, and these days it's pretty common for end-user facing services because of both NAT being terrible and more data being crammed in to messages leading to fragmentation issues with UDP. This particular system's services facing the open internet are 100% TCP.

> Which is exactly what ssh does and the point of why comparing the two and obscuring the port/IP makes no difference.

Yes, SSH does have a banner by default, but it's possible to change that behavior.

Sure, if an attacker is specifically targeting your IP and has some ideas what services you might be running then it's hard to entirely hide, but when you're just another system on the internet no one's going to put the effort in to look for services on odd ports.

I have dozens of systems out there running SSH on a port that's not 22 as well and most of them have never logged a SSH ban on fail2ban after years of operation.

The ones that listen on port 22 on the other hand log literally thousands a day.

[dfawcus]

One could always arrange for the SSH server to start its announce as follows:

    554 server.local Mail server not ready
    SSH-2.0-

and see how probers react, especially if one has the server listening on port 25, or even port 587

[Dylan16807]

More interest to who? This comes across like you're telling a spooky story at a campfire. Being 2% more interesting than the average server is not going to get you hacked by some elite crew.

[k_roy]

You want to talk about spooky campfire stories? Let’s have another OpenSSL/ssl zero day.

The point is it takes a script kiddy about 5 minutes to scan the whole 4 billion IPs for your port 22 server.

It takes about 90 seconds for the fact that you opened up a random high numbered port that is an SSH service to show up on the list of people that are probably exponentially more intelligent than the normal script kiddy scanning the internet

This does not make you more or less likely to be hacked just for having SSH open. But hey,go go gadget whatever.

[Dylan16807]

> This does not make you more or less likely to be hacked just for having SSH open.

A) The comment you responded to didn't claim you're less likely to be hacked, they said it cuts down on log spam.

B) When you talked about just becoming of more interest to non-benevolent places, was that not a suggestion you're more likely to be hacked? Then I think you phrased that pretty badly.

[k_roy]

> “ More interest to who?”

And

> elite hacking crew

It was your comment. Not to mention the blog post to which I originally responded to said “ you might not want to put your servers on low numbered IPs “

Step 1, know the difference between UDP and TCP and even a few of the implications

Yep. Party on

[Dylan16807]

I did say those words. And I said them after the comment I'm asking about. They are irrelevant to my question, because I'm asking what the comment I originally replied to meant.

You said "the minute you change the port, you just become of more interest" and then talked about places that are less "benevolent" than shodan.

Is being of "more interest" to less "benevolent" places supposed to imply an increased risk of being hacked, or not?

[MrHamburger]

If you change your SSH port on your Linux machine you might be misidentified as Windows machine, because these usually does not have SSH, thus next step will go for RDP. Nothing there either.

Sure next step can be going for a port scan, but how big scan do you want to do before fail2ban or similar will lock you out?

[justsomehnguy]

> you just become of more interest

Exactly the opposite. If you did change the default than it can signal what you are harder to break. Malware owners aren't interested in 'more interesting' addresses or machines, they are interested in machines which can be easily identified to be susceptible for exploiting. In the end their ware is a cheap computing resources.

If you ever run machines in a diverse environments then you could had seen by just a simple 'There were N failed attempts since last logon' what the machines with a non-standard SSH port receive way less attention than the machines on the defaults.

[k_roy]

Yep. Because targeting 5k IPs is way harder than targeting all 4 billion

[justsomehnguy]

Guess you forgot what you was talking (and I was responding to) about the ports not addresses.