Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Additionally having a non-standard port does help defend against 0day exploits before patches are available or before you are able to disable the port.


The proper solution to this is having a separate management network that already requires authentication for getting into.

However, indeed. Minimized log noise is great for analyzing anomalies manually.


When was the last preauth remote vulnerability in OpenSSH?


nevertheless, past performance is not an indicator of future outcomes, right?


Past performance doesn't guarantee future performance. It's usually a very strong indicator.

Putting SSH on a nonstandard port is pretty silly.


> Putting SSH on a nonstandard port is pretty silly.

what's the alternative while still keeping ssh logs that aren't filled with thousands of login attempts from bots per day? afaik there isnt any solution that is both as simple and as effective as changing the port.


Access behind VPN connection. Or deal with the logs in a better way. If SSH noise bothers you, you can either direct it to a different file, or setup a log aggregator where it's trivial to see what you want (or filter out what you don't by default)


fail2ban will cut down on log noise signficantly, while still allowing you to operate on the standard port. It also thwarts brute-force login attempts, if you're using password authentication. (Which you shouldn't, without good reason. Use public key authentication.)


I like pam_shield a bit better than fail2ban. It's directly tied to pam, versus trolling logs, so the configuration and operation is cleaner.


https://github.com/jtniehof/pam_shield

Last commit June 2012? Does it work with modern distros?


Yes. Using it now with Ubuntu 18.04. Available via apt-get.


Not sure if it’s sad or hilarious that people recommend fail2ban as a solution to log spam (or as a solution to anything really)

Do you really think making firewalling decisions based on unstructured attacker-controlled log data is a good idea?


You control what fail2ban does with said log data and what actually gets logged. There are better ways than fail2ban of course but it's not the worst solution on the planet.


If you're using regex to parse attacker controlled files I'm not entirely sure if you're in control.

Many unexpected things can happen, as a simple example SSH can generate log entries like this

  Jan 30 17:37:04 server sshd[26695]: Invalid user root from 127.0.0.1 from 10.0.0.1
The default rules can deal with this specific example, but this is certainly a path I wouldn't want to go down myself.


Could you please expand on your point ? I understand that security by obscurity is not optimal, but I don't see a good reason not to switch ports.


i think the main argument for leaving it default is [1] for any additional/new sysadmin that has to touch the system. but imo this goes both ways; i'd rather not have my house key hidden under my doormat, where every burglar can check for it in a few seconds. if i taped the key to a random tree branch (even in plain sight), it would be a much safer bet.

[1] https://en.wikipedia.org/wiki/Principle_of_least_astonishmen...


If you're going to insist on a security analogy involving keys and doors in the real world, a better one would be that the attacker has to search every single atom of the doormat to find the key. If you have PubKeyAuthentication enabled and PasswordAuthentication disabled, the world will end before the attacker finds your key (in expectation).

Changing SSH to a non-standard port is an inelegant solution and doesn't actually bolster security.


Does it _harm_ security?


Perahaps not directly, but it does add to cognitive overhead and makes securing the system as a whole more difficult.

If your environment contains multiple ssh servers running on non-standard ports you would not notice when something out of the ordinary happens.

Something listening to an unexpected port should be something you must look into, not shrug at.


So standardize on a non-standard port, document it and when you do have ssh probes assume it's targeted rather than just another l33t child running du-jour crack(x).

Moving to non-standard means more sophisticated discovery and possibly a more sophisticated attempt.


No, but it is non-standard. Why do things you don't need to?


One reason is because setting it to a random high port allows non-root users to turn on the SSH server if the admin turned it off. Probably not super likely to happen, but it's possible.


It doesn’t need to be on a random high port, just not port 22. 222, for example.


This is a silly opinion. Of course it's helpful and very useful when used in conjunction with other hardening measures.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: