by wolrah 581 days ago
> I don’t agree. Because the minute you change the port, you just become of more interest.

How does anyone know I changed the port to find me more interesting?

> But venture anywhere off the beaten path, and a place like shodan is the most benevolent of those kind of places, and it still takes about an hour for your IP and newly opened SSH port to be indexed.

I just checked the first VoIP server I ever deployed with a non-standard SIP port. It's been up for a decade and provides public-facing services, so it's accessible to the global internet minus whatever systems have found their way into our denylist over the years. It's not listening on the standard port 5060, but the port we chose is not particularly uncommon as it's a recommended alternative in the documentation of the platform we're using. Shodan has found this server and scanned it repeatedly over the years, but it still has no idea what port SIP is listening on. It only sees 80/443 for the public-facing web UI.

The thing about non-standard ports is that unless your service identifies itself with a banner or similar upon connection, the attacker has to open with a valid request to receive a response. If someone connects to my SIP server and sends an HTTP GET, they're not going to get a response despite how similar SIP and HTTP are. They have to connect to the non-standard SIP port and then send a valid SIP message to identify my service.

1 comments

> How does anyone know I changed the port to find me more interesting?

I responded to this elsewhere.

> I just checked the first VoIP server I ever deployed with a non-standard SIP port. It's been up for a decade and provides public facing services so its accessible to the global internet minus whatever systems have found their way in to our denylist over the years.

And that is what is called “UDP”. Also the “spray and pray” of the networking world. Meaning, you literally don’t get a response.

Fundamental difference.

> The thing about non-standard ports is that unless your service identifies itself with a banner or similar upon connection the attacker has to open with a valid request to receive a response.

Which is exactly what ssh does and the point of why comparing the two and obscuring the port/IP makes no difference.

> And that is what is called “UDP”. Also the “spray and pray” of the networking world. Meaning, you literally don’t get a response.

> Fundamental difference.

And that is what's called a bad assumption. SIP also uses TCP, and these days it's pretty common for end-user-facing services because of both NAT being terrible and more data being crammed into messages, leading to fragmentation issues with UDP. This particular system's services facing the open internet are 100% TCP.

> Which is exactly what ssh does and the point of why comparing the two and obscuring the port/IP makes no difference.

Yes, SSH does have a banner by default, but it's possible to change that behavior.

Sure, if an attacker is specifically targeting your IP and has some ideas what services you might be running then it's hard to entirely hide, but when you're just another system on the internet no one's going to put the effort in to look for services on odd ports.

I have dozens of systems out there running SSH on a port that's not 22 as well, and most of them have never logged an SSH ban on fail2ban after years of operation.

The ones that listen on port 22 on the other hand log literally thousands a day.

One could always arrange for the SSH server to start its announce as follows:

    554 server.local Mail server not ready
    SSH-2.0-

and see how probers react, especially if one has the server listening on port 25, or even port 587
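The decoy greeting above works because RFC 4253 section 4.2 lets a server send other lines before its identification string, and requires clients to skip them; a scanner that classifies on the first line alone sees an SMTP error, a compliant client does not care. The following example is mine, added here and not the commenter's code; the hostname, software string and comment in the sample greeting are made up.

```python
import io

# RFC 4253 section 4.2: before its identification string a server MAY send
# other lines, each ending in CR LF and not starting with "SSH-"; clients
# MUST be able to process (and ignore) them.  A prober that reads only the
# first line therefore sees the decoy, a compliant client does not care.


def naive_first_line_grab(greeting: bytes) -> str:
    """What a lazy banner grabber does: read one line and classify on it."""
    return io.BytesIO(greeting).readline().rstrip(b"\r\n").decode("utf-8", "replace")


def read_ssh_identification(greeting: bytes, max_lines: int = 64):
    """Parse a server greeting the way an RFC 4253 client does.

    Returns (preamble_lines, protoversion, softwareversion, comments).  The
    preamble lines are returned only so the caller can log them.
    """
    stream = io.BytesIO(greeting)
    preamble = []
    for _ in range(max_lines):
        raw = stream.readline()
        if not raw:
            raise ValueError("connection closed before SSH identification string")
        line = raw.rstrip(b"\r\n").decode("utf-8", "replace")
        if line.startswith("SSH-"):
            ident, _, comments = line.partition(" ")
            parts = ident.split("-", 2)  # ["SSH", protoversion, softwareversion]
            if len(parts) != 3 or not parts[1] or not parts[2]:
                raise ValueError(f"malformed identification string: {line!r}")
            return preamble, parts[1], parts[2], comments or None
        preamble.append(line)  # decoy/notice line: skip it, as the RFC says
    raise ValueError(f"no SSH identification string within {max_lines} lines")


# Constructed sample greeting in the shape the comment above proposes.
# The hostname, software name and comment are invented for this example.
DECOY_GREETING = (
    b"554 server.local Mail server not ready\r\n"
    b"SSH-2.0-ExampleSSH_1.0 hypothetical-build\r\n"
)

if __name__ == "__main__":
    print("first-line grabber saw:", naive_first_line_grab(DECOY_GREETING))
    print("RFC 4253 client parsed:", read_ssh_identification(DECOY_GREETING))
```

Run the same parser against a real server's greeting by replacing the constructed bytes with what `socket.makefile('rb').read()` returns up to the identification line.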