Page 2 of 4 (Results 11 to 20 of 40)

Thread: Is it safe to open port 22 (SSH) from DMZ to LAN

  1. #11
    Join Date
    Nov 2005
    Location
    South Yorkshire, UK
    Beans
    238
    Distro
    Xubuntu 10.04 Lucid Lynx

    Re: Is it safe to open port 22 (SSH) from DMZ to LAN

    Quote Originally Posted by hyper_ch View Post
    if those several hundred attempts just check port 22 then you don't have to worry about them anyway
    You should be concerned about all unauthorized attempts to access your SSH server, be it by bot or human. Unless there is some pressing reason to stay with 22 you should always change the default port.

  2. #12
    Join Date
    Jun 2006
    Location
    Switzerland
    Beans
    Hidden!
    Distro
    Kubuntu Jaunty Jackalope (testing)

    Re: Is it safe to open port 22 (SSH) from DMZ to LAN

    Why should I be concerned about script kiddies? denyhosts takes care of that...

    Those that one really needs to be worried about are those that also try the other ports... and for them changing ports will not change anything... except that quite a few things that rely somehow on SSH will have a lot more trouble (e.g. rsyncing over ssh).

  3. #13
    Join Date
    Nov 2005
    Location
    South Yorkshire, UK
    Beans
    238
    Distro
    Xubuntu 10.04 Lucid Lynx

    Re: Is it safe to open port 22 (SSH) from DMZ to LAN

    Denyhosts isn't everything, nothing wrong with using both.

    Even the denyhosts FAQ suggests to change the port, it is just good practice.

    And for the record I've never had any problems with changing the SSH port, including with rsync.
    Last edited by yaztromo; May 28th, 2008 at 10:05 PM.

  4. #14
    Join Date
    Jun 2006
    Location
    Switzerland
    Beans
    Hidden!
    Distro
    Kubuntu Jaunty Jackalope (testing)

    Re: Is it safe to open port 22 (SSH) from DMZ to LAN

    I know denyhosts isn't everything... it stops the script kiddies... and it may help against serious hackers... however changing ports will not help against serious hackers - you'll just make yourself feel safer while no additional security is added.

  5. #15
    Join Date
    Nov 2005
    Location
    South Yorkshire, UK
    Beans
    238
    Distro
    Xubuntu 10.04 Lucid Lynx

    Re: Is it safe to open port 22 (SSH) from DMZ to LAN

    Yet additional security is added. If a new flaw is found in SSH before it is patched, my server is a lot safer (through obscurity) from bots checking port 22 that know about the new flaw. denyhosts only really protects against brute forcing, which is not good enough for serious use.

    You have to remember that additional security is added on every little precaution you take.
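The brute-force protection the posts above attribute to DenyHosts boils down to counting failed logins per source and writing the offenders to hosts.deny. The script below is an added illustration of that threshold logic, not code from the thread or from DenyHosts; the auth.log lines, the threshold of 5 and the "sshd: address" hosts.deny form are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of Ubuntu's /var/log/auth.log (not taken from the thread).
SAMPLE_AUTH_LOG = """\
May 28 21:55:01 host sshd[2301]: Failed password for invalid user admin from 203.0.113.10 port 51234 ssh2
May 28 21:55:03 host sshd[2302]: Failed password for invalid user oracle from 203.0.113.10 port 51240 ssh2
May 28 21:55:05 host sshd[2303]: Failed password for root from 203.0.113.10 port 51251 ssh2
May 28 21:55:07 host sshd[2304]: Failed password for root from 203.0.113.10 port 51260 ssh2
May 28 21:55:09 host sshd[2305]: Failed password for invalid user test from 203.0.113.10 port 51270 ssh2
May 28 21:56:00 host sshd[2310]: Failed password for brian from 198.51.100.7 port 40001 ssh2
May 28 21:56:20 host sshd[2311]: Accepted publickey for brian from 198.51.100.7 port 40002 ssh2
May 28 21:57:00 host sshd[2320]: Accepted publickey for richard from 192.0.2.5 port 22222 ssh2
"""

# Matches sshd's "Failed password" message, with or without the "invalid user" prefix.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_failures(log_text):
    """Return {source_ip: number of failed password attempts} for the given log text."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return dict(counts)


def sources_to_deny(log_text, threshold=5):
    """Source IPs whose failure count reaches the threshold (assumed DenyHosts-style policy)."""
    return sorted(ip for ip, n in count_failures(log_text).items() if n >= threshold)


def hosts_deny_lines(ips):
    """Render TCP-wrappers /etc/hosts.deny entries in the assumed 'sshd: address' form."""
    return ["sshd: %s" % ip for ip in ips]


if __name__ == "__main__":
    # Only the source that kept hammering passwords crosses the threshold;
    # the one genuine user who typoed once and then logged in by key does not.
    print("\n".join(hosts_deny_lines(sources_to_deny(SAMPLE_AUTH_LOG))))
```

Note what the counter cannot see: a single correct guess produces an "Accepted" line, not a "Failed" one, which is why the thread's later posts put the real weight on key-based authentication rather than on this kind of blocking.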

  6. #16
    Join Date
    Jun 2006
    Location
    Switzerland
    Beans
    Hidden!
    Distro
    Kubuntu Jaunty Jackalope (testing)

    Re: Is it safe to open port 22 (SSH) from DMZ to LAN

    You think that by changing the port additional security will be added... this is not the case.

  7. #17
    Join Date
    Dec 2005
    Location
    USA
    Beans
    886
    Distro
    Ubuntu

    Re: Is it safe to open port 22 (SSH) from DMZ to LAN

    Quote Originally Posted by hyper_ch View Post
    you think that by changing port additional security will be added... this is not the case.
    I disagree.

    Take a standard cylinder of some sort. Put it out in the rain. If you have a hole in the top then the rain, as it continually pounds against it, will more easily get in. But if you put a hole in the bottom instead then the rain will have a harder time getting in. It is still possible but it will take longer and will require even more rain.

    The cylinder is your computer. Moving the hole (port) will not make you 100% secure, but it will add to your security by making the entrance so much more difficult to find.

    Sincerely,
    Richard
    I use both Windows and Linux. Is that a crime? || Ubuntu User # 16597

  8. #18
    Join Date
    Jun 2006
    Location
    Switzerland
    Beans
    Hidden!
    Distro
    Kubuntu Jaunty Jackalope (testing)

    Re: Is it safe to open port 22 (SSH) from DMZ to LAN

    you have the hole anyway... so your analogy fails

  9. #19
    Join Date
    Dec 2005
    Location
    USA
    Beans
    886
    Distro
    Ubuntu

    Re: Is it safe to open port 22 (SSH) from DMZ to LAN

    Quote Originally Posted by hyper_ch View Post
    you have the hole anyway... so your analogy fails
    Going by the logic of this last sentence it sounds like the only good solution is to close the hole. I agree, closing the hole would make your server MUCH more secure, but the whole point is to have the hole open in a way that can make the server as safe and secure as possible.

    Coupling a different port # along with denyhosts (notice how I've never disagreed with using a third party security tool to help secure OpenSSH) WILL cut down on intrusion attempts.

    The fewer intrusion attempts you have, the less likely you are to have a break-in.

    Because, you know, all it takes is for that bot program to guess the right username/password combination ONCE to get past that fancy third party tool. BUT, if the bot program is looking on port 22 and you are listening on 22222 then it doesn't matter HOW many times it tries, it will NOT get in.

    Will this completely stop a true professional? No, but that is why you have the third party tool (DenyHosts), to stop that.

    No matter what you do, if a true professional manages to guess the right username/password combo, and the right port, they still get access to your files.

    Every little bit helps. Once again, moving the port will not make you 100% secure, but it will ADD to it. Value added protection by changing one simple item.

    Sincerely,
    Richard
    I use both Windows and Linux. Is that a crime? || Ubuntu User # 16597

  10. #20
    Join Date
    Apr 2008
    Location
    UK
    Beans
    1,098

    Re: Is it safe to open port 22 (SSH) from DMZ to LAN

    Quote Originally Posted by rickyjones View Post
    Every little bit helps. Once again, moving the port will not make you 100% secure, but it will ADD to it. Value added protection by changing one simple item.
    I don't really care what non-standard ports people choose to run services on but claiming it adds any security whatsoever is incorrect. Doing it because it eliminates scripted probes is a personal choice and on those grounds I'd go along with it, even though I think it is silly. Promoting it as a security measure is a different matter.

    The security of ssh rests on strong passwords or rsa/dsa keys. Anyone using weak passwords hasn't any useful input to make to this topic.

    Now, how long would it take to brute force an rsa key? Let's be conservative and say 1,000,000 years. And how long to discover which port sshd is listening on? A really inept scan might take a week. Not exactly value added protection, and sufficient to indicate how little changing ports adds to security.
    Brian.
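Brian's point above is that the strength of SSH rests on keys, not on which port it listens on. The fragment below is an added sshd_config example, not taken from the thread or from any poster's setup, showing the settings that actually carry the security (key-only login, no root password login) next to the optional port change; the port number 22222 is borrowed from Richard's post and the user names are placeholders.

```sshd_config
# Added example of an /etc/ssh/sshd_config fragment (not from the thread).
# Optional: a non-default port only sidesteps scripted probes of port 22;
# it is not what keeps an attacker out.
Port 22222

# These are the settings that carry the security the thread argues about:
# only public-key authentication, no password guessing possible at all.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no

# Limit which accounts may log in remotely (placeholder user names).
AllowUsers brian richard

# Fewer attempts per connection before sshd drops it.
MaxAuthTries 3
```

With PasswordAuthentication off, a DenyHosts-style failure counter never sees a password guess that could succeed, so the brute-force case both sides of the thread worry about is removed rather than slowed.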
