
Why is moving the SSH port security by obscurity? It's log cleaning by avoiding annoying portscans, nothing else. There is NO security gained by moving the port. If you think random portscans are a security risk to your SSH server you should seriously reconsider your SSH configuration.


So you don't think you're less likely to be compromised by a 0day OpenSSH worm if your sshd is running on a non-standard port? Why?


You might not get compromised in the first wave of IP scanners that try the 0day on port 22, port 2222, and maybe a few other common alternatives. This first wave will pass in about 5 minutes.

Subsequent waves will just try every port. This isn't costly, they have an army of compromised machines from the first wave.


Can you give me an example of a real-world worm that has scanned every port on every system on the internet? I haven't seen one, but if it exists, I'd be curious to see it. I'm speaking based on the actual exploits I've seen in the wild over the past 15-20 years, not what is hypothetically possible.


Not every port, but maybe you remember this: http://arstechnica.com/security/2013/03/guerilla-researcher-... The article also details an earlier cataloging where a researcher probed 18 ports 3-4 times a day over the ipv4 address space. Tools like ZMap or MASSCAN make it easy for anyone to scan as many ports as they can, but I haven't heard of any worm that systematically tried all 65535 ports of all addresses. Though I would bet a lot of money that an OpenSSH 0day that bypassed all authentication would result in several such worms from multiple actors who already control hundreds of thousands of devices.


I don't think this is realistic at all. The first wave will hit 22. A second wave maybe 2222. Are you suggesting botnets will eventually scan 4^32 * 65536 using a scanner which performs multiple-packet connections?

Nope. SSHd running on port 26432 will likely never get hit; at a minimum it will buy you weeks to patch.


Where's your 4^32 coming from? There are only 2^32 IPv4 addresses. You may be right that the first wave would just target port 22 and the second 2222 and so on; an actual attack would probably have some interesting implementation details besides that too, for pruning or host retry or something else.

Why do you think at minimum you would have weeks? Run the numbers for botnets of various sizes with a measly 10 Mbps network connection each; it doesn't look very good. Under normal circumstances, yeah, port 26432 is no more likely to be hit than any other high port, but an SSH 0day bypassing authentication is an incredibly valuable exception where now trying everything can be worth it for a little while.


Yeap I need to coffee before I try to math, not sure how I got to 4^32.

That's an interesting point - I wonder if anyone has the numbers on how long it would take to poke each TCP port on each IPv4 address, or has done it?

One could argue that with an SSH 0day you'll infect 99% of hosts by hitting port 22 alone, and the 65000x effort required to find the others is of marginal return. A counter-point to that is that you may find some more interesting systems hanging out on other ports - less home routers and more boxes used by people who changed the default port as the kind of "hardening" procedure we're talking about in this thread.
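
The "run the numbers" question above is answerable with a short model, so here is one as an added example (editor's addition, not from any commenter in the thread). It estimates, from the defender's side, how much patch time a non-standard port actually buys: the wall-clock time for a fleet of a given size and uplink to send one TCP probe to every IPv4 address on port 22 only, versus on all 65535 ports. The 60-byte probe size, the 10 Mbps per host, the fleet sizes and the packets-per-probe knob are assumptions; the model is bandwidth-bound only and ignores retries, pruning of unrouted ranges, rate limiting and response handling, so real sweeps take longer and the figures are a lower bound on the time available to patch.

```python
from dataclasses import dataclass

IPV4_ADDRESSES = 2 ** 32   # full address space; no pruning of reserved or unrouted ranges (assumption)
TCP_PORTS = 65535          # ports 1..65535
SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class ScannerModel:
    """Aggregate probe rate of a fleet of scanning hosts (hypothetical parameters)."""
    host_count: int             # number of hosts sending probes
    mbps_per_host: float        # uplink per host; the thread's "measly 10 Mbps"
    bytes_per_probe: int = 60   # assumed on-wire size of one TCP SYN (Ethernet + IP + TCP headers)
    packets_per_probe: int = 1  # 1 = stateless SYN probe; >1 models a full handshake plus banner

    def probes_per_second(self) -> float:
        bits_per_probe = self.bytes_per_probe * 8 * self.packets_per_probe
        return self.host_count * self.mbps_per_host * 1_000_000 / bits_per_probe


def probe_count(ports: int, addresses: int = IPV4_ADDRESSES) -> int:
    """Number of (address, port) pairs a sweep has to touch."""
    return addresses * ports


def scan_seconds(model: ScannerModel, ports: int, addresses: int = IPV4_ADDRESSES) -> float:
    """Wall-clock seconds for the fleet to send one probe to every pair, bandwidth-bound only."""
    return probe_count(ports, addresses) / model.probes_per_second()


def extra_time_factor(model: ScannerModel) -> float:
    """How much longer an all-ports sweep takes than a port-22-only sweep for the same fleet."""
    return scan_seconds(model, TCP_PORTS) / scan_seconds(model, 1)


def patch_window_table(host_counts, mbps_per_host: float = 10.0):
    """For each fleet size: (hosts, days for port 22 only, days for all 65535 ports)."""
    rows = []
    for n in host_counts:
        m = ScannerModel(n, mbps_per_host)
        rows.append((n,
                     scan_seconds(m, 1) / SECONDS_PER_DAY,
                     scan_seconds(m, TCP_PORTS) / SECONDS_PER_DAY))
    return rows


if __name__ == "__main__":
    # Fleet sizes are constructed for illustration, not measurements of any real botnet.
    print(f"{'hosts':>10} {'port 22 only':>14} {'all ports':>14}   (days, 10 Mbps each, SYN-only)")
    for hosts, d22, dall in patch_window_table([1, 1_000, 100_000, 1_000_000]):
        print(f"{hosts:>10} {d22:>14.3f} {dall:>14.1f}")
```

With these assumptions a single 10 Mbps host covers port 22 across all of IPv4 in about 2.4 days, and the all-ports sweep is exactly 65535 times longer for any fleet size, which is the whole argument in one number: a non-standard port multiplies the attacker's work by 65535, and whether that is "weeks" or "hours" depends entirely on how many hosts are sweeping. The useful defender takeaway is to plug in the fleet size you are willing to plan against and compare the all-ports figure with your actual time-to-patch, rather than assuming the obscure port holds indefinitely.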


The industry-established response to the security risk of possible OpenSSH 0days blown into the wild is moving the sshd port, LOL.

AKA "I don't care", that's not a useful argument. Should that ever happen a lot of us would probably get rich on overtime payment, poor on free time and glad that we have good offline backups. One server pwned 5 mins later, or by pwning the data center... Do you secure your servers against Russian invasions?



