
Changing SSH from port 22

Changing the SSH service to run on a port other than 22 is a fairly common security practice, but I don't like it. The problem is that I find it really hard to argue against doing it, because it works.

Whatever else I might say in this post, it doesn't change the fact that moving SSH to another port works. That is to say, it's an effective way to stop /var/log/auth.log from filling up with spam that makes it hard to find the important logs. It also, for the most part, thwarts the run-of-the-mill brute-forcing worms and botnets from hammering on your server, which (assuming you have password auth enabled) might eventually get lucky. Just as an example, as I write this I went to look at the logs for the server hosting xo.tc for the last 24 hours, and counted over 50 distinct IP addresses that had tried to brute force their way in before I gave up and stopped counting.

But despite the fact that it's easy to implement and effective, something about it just feels wrong to me. I think the main reason is that I'm a huge fan of Kerckhoffs's principle: the idea that everything about a system, except the key, is public knowledge. SSH is a perfect example of that: you can view the entire source code for OpenSSH. I could publish my sshd_config and my authorized_keys (or, if I had enabled password authentication, my /etc/shadow file[1]). You can study every detail of how SSH works, and still not be able to access my server without my key[2].

I feel like you should assume that attackers will know which port you are running SSH on. Assuming it is unknown could lead people into a false sense of security. I haven't seen this, but I could easily imagine someone thinking "I don't need a strong password on my server because they will never guess my SSH port".

The other reason I don't like changing the port is that I do like things to stick to the standards; it makes it easier for everyone. If you're administering an outbound firewall and you see that outbound connections to a particular IP address on port 22 are allowed, it's fairly safe to assume that it's SSH, and not someone who has decided it would be fun to run their HTTP web server on a funny port. But if you see connections allowed on port 4489, that could be anything.

There are other ways to achieve more or less the same results as changing your SSH port while actually increasing security. For example, if you know the addresses you will be SSHing in from, you can simply firewall off all other addresses, job done. A whitelist is much more effective than a blacklist, but if you're not sure where your connections might be coming from you can install something like fail2ban and block any address after a few failed attempts. It doesn't totally stop the spam in your logs, but it should reduce it to a manageable volume.
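To make both points above concrete (counting the distinct addresses hammering on sshd, and the fail2ban-style "ban after a few failures in a short window" rule), here is an added example that is not part of the original post and not fail2ban's own code. It parses the "Failed password" lines that OpenSSH writes to /var/log/auth.log; the log lines, the addresses and the thresholds are constructed for the example, and the sliding-window rule is a simplified model of fail2ban's maxretry/findtime behaviour, not its implementation.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the syslog layout OpenSSH uses in /var/log/auth.log
# (syslog omits the year, as in the real file). Addresses are documentation
# ranges, not real attackers.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:00:03 host sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:00:05 host sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:00:07 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  3 10:01:00 host sshd[1210]: Failed password for invalid user oracle from 198.51.100.77 port 40011 ssh2
Mar  3 10:01:02 host sshd[1210]: Failed password for invalid user oracle from 198.51.100.77 port 40011 ssh2
Mar  3 10:02:00 host sshd[1220]: Accepted publickey for alice from 192.0.2.10 port 55000 ssh2: ED25519 SHA256:placeholder
Mar  3 10:02:30 host sshd[1221]: Failed password for bob from 192.0.2.20 port 55100 ssh2
Mar  3 10:30:00 host sshd[1250]: Failed password for invalid user test from 198.51.100.77 port 40100 ssh2
Mar  3 10:30:01 host sshd[1250]: Failed password for invalid user test from 198.51.100.77 port 40100 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Yield (timestamp, source_ip, username) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        # syslog has no year; supply one so timestamps can be compared
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def distinct_attackers(log_text):
    """Distinct source addresses with at least one failed password attempt
    (the 'over 50 distinct IP addresses' count from the post)."""
    return sorted({ip for _, ip, _ in parse_failures(log_text)})


def addresses_to_ban(log_text, maxretry=3, findtime_seconds=600):
    """Simplified fail2ban-style rule (assumption, not fail2ban's code): an
    address is banned once it has `maxretry` failures inside any window of
    `findtime_seconds`. Returns the sorted list of addresses to block."""
    attempts = defaultdict(list)
    for ts, ip, _ in parse_failures(log_text):
        attempts[ip].append(ts)

    banned = []
    for ip, times in attempts.items():
        times.sort()  # log lines may arrive out of order
        # sliding window: attempt i and attempt i+maxretry-1 must be close enough
        for i in range(len(times) - maxretry + 1):
            span = (times[i + maxretry - 1] - times[i]).total_seconds()
            if span <= findtime_seconds:
                banned.append(ip)
                break
    return sorted(banned)


if __name__ == "__main__":
    print("distinct attackers:", distinct_attackers(SAMPLE_AUTH_LOG))
    print("ban (3 in 10 min):", addresses_to_ban(SAMPLE_AUTH_LOG))
    print("ban (3 in 60 min):", addresses_to_ban(SAMPLE_AUTH_LOG, findtime_seconds=3600))
```

With the sample above, 203.0.113.5 makes four attempts in six seconds and is banned under the default window; 198.51.100.77 makes four attempts but spread over half an hour, so it is only caught when findtime is widened to an hour. That is exactly the trade-off a findtime setting expresses: a short window keeps false positives low for users who mistype a password, a long one catches slow, patient guessing. The successful publickey login from 192.0.2.10 never counts, which is why the regex only matches "Failed password" lines.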

As I said at the beginning of this post, changing SSH to another port does reduce the number of bots trying to brute force your server. But I don't like it; it just feels too much like security through obscurity to me.


[1] You could run an offline brute force / dictionary attack against the hash, but with a well chosen password and a good hash like PBKDF2 this should still be secure.

[2] I'm assuming here that you don't have some sort of 0-day against the OpenSSH implementation of SSH or other software that I'm running on the server. Obviously there will be flaws in software, but that's a different issue.

Content on this site is licensed under a Creative Commons Attribution 4.0 International License.