Well, hang on there. There's nothing inherently scarier about one port over another. And there's nothing magically secure about port 443. A port is a port. It has a server running on it. Those servers have functions. End of story. Port 443 can be "wrapped in SSL security" only if the server behind that port provides that function. I don't even know what you mean by that.
Port 22 is the common port for ssh (and scp, which is provided by sshd, but not sftp, which is a different thing altogether). As a result there will be doorknob-rattle attempts on port 22 more than on other ports, maybe, but that's really all. Choose decent passwords and you'll be fine.
Now, ssh tunneling is a whole other issue. With ssh tunneling, you can route OTHER protocols and services over an ssh-encrypted connection. Protocols like X or POP or ftp, for instance. It doesn't have anything to do with putting ssh on a non-standard port. You could route your https traffic through an ssh tunnel on port 443, but that would require all https users to have a live ssh connection to your server, which you probably don't want.
You haven't said what distro you're using. To put ssh on a non-standard port, you either use inetd or you configure the server manually to its own port, in whatever config files your server comes with. That's pretty much it. My Windows ssh client of choice, PuTTY, lets you specify the port to connect with.
In short, if you can trust an ssh server on port 443, you can trust it just as well on port 22 (or 2222 or 2020). And there's no way to put ssh "behind" http or https, though if you really want to--and everyone who's hitting this website has an account to ssh to--you can route those services through ssh connections.
I recommend you open up one non-standard port for ssh. Look, you could just turn the computer off and it would be 100% secure, right? What you want here is to balance security against usability. That's the whole game with practical security management. As long as you keep up with patches, sshd should be adequately secure, even running on port 22. scp uses the same security functions as ssh, so there's no additional risk to letting that run. And I'm speaking as a guy who has had two dozen servers get completely pwned due to out-of-date sshd patches. Entirely my fault--I didn't keep up with it and I got what I deserved. Don't do that. I don't anymore!
Just out of curiosity: You keeping state secrets on this box? Why isn't the industry-standard secure shell application secure enough for you? Are you unable to open additional ports on your router or something?
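The two mechanical steps the reply mentions, moving sshd to a non-standard port in its config file and then tunnelling another protocol (POP3 here) through that ssh connection, as an added shell example that is not part of the original post. It works on a constructed copy of sshd_config, not a live system file; the host name box.example, the port 2222 and the local forward port 1110 are arbitrary choices for illustration. On a real box you would run set_sshd_port against /etc/ssh/sshd_config as root, check it with `sshd -t`, open the new port on the firewall, and only then restart sshd.

```shell
#!/bin/sh
# Added example, not code from the original post.
set -eu

# set_sshd_port CONFIG PORT
# Replaces the first "Port N" line in CONFIG (commented out or not) with
# "Port PORT", or appends one if the file has none. Rejects bad port values.
set_sshd_port() {
    config=$1
    port=$2
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2
        return 1
    fi
    awk -v port="$port" '
        !done && $0 ~ /^[ \t]*#?[ \t]*Port[ \t]+[0-9]+/ { print "Port " port; done = 1; next }
        { print }
        END { if (!done) print "Port " port }
    ' "$config" > "$config.tmp" && mv "$config.tmp" "$config"
}

# get_sshd_port CONFIG
# Prints the port sshd would listen on: the first active Port line, else 22.
get_sshd_port() {
    awk '/^[ \t]*Port[ \t]+[0-9]+/ { print $2; found = 1; exit }
         END { if (!found) print 22 }' "$1"
}

# tunnel_cmd SSH_HOST SSH_PORT LOCAL_PORT TARGET_HOST TARGET_PORT
# Prints the ssh invocation that forwards LOCAL_PORT on this machine to
# TARGET_HOST:TARGET_PORT as seen from SSH_HOST, over ssh on SSH_PORT.
# -N opens no shell; the tunnel is the whole point of the session.
tunnel_cmd() {
    printf 'ssh -p %s -N -L %s:%s:%s %s\n' "$2" "$3" "$4" "$5" "$1"
}

# Demo on a constructed sshd_config copy (hypothetical content, not a real file).
demo=$(mktemp)
printf '#Port 22\nPermitRootLogin no\n' > "$demo"
set_sshd_port "$demo" 2222
echo "effective port: $(get_sshd_port "$demo")"   # 2222
# Route a POP3 client that talks to localhost:1110 through the tunnel to
# port 110 on the server, so the mail password never crosses the wire in clear.
tunnel_cmd box.example "$(get_sshd_port "$demo")" 1110 localhost 110
rm -f "$demo"
```

With the tunnel command running, pointing a POP client at localhost port 1110 sends its traffic encrypted to the server's port 110, which is the "route other protocols over ssh" idea in the reply; the ssh port itself (22, 443, 2222) has nothing to do with what is being tunnelled.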