Oddball SSH port

Matthew Carpenter mcarpenter at intelguardians.com
Wed Nov 14 04:51:57 PST 2007


On Tuesday 30 October 2007, Michael Hipp wrote:
> Forgive if this is a stoopid question...
>
> I'm starting to change a lot of my remote servers to have SSH listen on
> an oddball port. (A small bit of obfuscation that slows down the
> crackers ... whose population seems to be on an asymptote with infinity.)
>
> Is there any discernible advantage to /which/ oddball port I choose? Is
> any one of the following, for example, any better than another?
>
>      52, 502, 5002, or 50002
>
> Just wondering if any part of the port numbering space is less of a
> target than another. Or if there are technical issues I'm not aware of.

If your goal is to limit the autorooters (scripts which exploit SSH vulns)
then you're fine.  If you truly are interested in slowing down the bad guys,
guess again.  Simply nudging SSH (using nmap -A for example) gives up the
goods too easily...  Full nmap scans, like those of a dangerous attacker,
will turn up the port as open, and SSH gives itself away.

$ nc -v eisgr.com 22
mystuff.com [ww.xx.yy.zz] 22 (ssh) open
SSH-2.0-OpenSSH_3.9p1


$ nmap -p22 -A mystuff.com

Starting Nmap 4.20 ( http://insecure.org ) at 2007-11-14 07:50 EST
Interesting ports on mystuff.com (ww.xx.yy.zz):
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 3.9p1 (protocol 2.0)

Service detection performed. Please report any incorrect results at 
http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 1.978 seconds


-- 
Matthew Carpenter
mcarpenter at intelguardians.com
http://www.intelguardians.com

PGP Fingerprint: 
87EB 54A8 FB42 0A0E B8AE CDA7 FF99 2A64 E70F 4466
hkp://wwwkeys.pgp.net
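
The reply's point, that sshd announces itself on whatever port it listens on, can be checked against a host you administer. This is an added example, not part of the original message: the function names are hypothetical, and the loopback listener is a constructed stand-in for sshd on a non-standard port.

```python
import re
import socket
import threading

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
IDENT = re.compile(rb"^SSH-(\d+\.\d+)-([\x21-\x2c\x2e-\x7e]+)(?: (.*))?$")

def parse_ident(line: bytes):
    """Return (protocol, software, comments), or None if not an SSH ident line."""
    m = IDENT.match(line.rstrip(b"\r\n"))
    if not m or len(line) > 255:   # the RFC caps the line at 255 bytes
        return None
    proto, software, comments = m.groups()
    return proto.decode(), software.decode(), (comments or b"").decode("ascii", "replace")

def read_ident(sock, max_lines=20):
    """Read lines from a connected socket until an SSH ident appears.
    A server may send other text lines before it, so those are skipped."""
    with sock.makefile("rb") as stream:
        for _ in range(max_lines):
            line = stream.readline(1024)
            if not line:           # peer closed without identifying as SSH
                break
            ident = parse_ident(line)
            if ident:
                return ident
    return None

def probe(host, port, timeout=3.0):
    """Connect to a host you administer and report its SSH ident, if any."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return read_ident(s)

def _fake_sshd(listener, banner):
    # Constructed stand-in for sshd: sends one banner line and closes.
    conn, _ = listener.accept()
    with conn:
        conn.sendall(banner)

if __name__ == "__main__":
    # Constructed demo: the listener gets an arbitrary loopback port, not 22.
    listener = socket.create_server(("127.0.0.1", 0))
    port = listener.getsockname()[1]
    threading.Thread(target=_fake_sshd,
                     args=(listener, b"SSH-2.0-OpenSSH_3.9p1\r\n"), daemon=True).start()
    print(port, probe("127.0.0.1", port))
```

The port number never enters the parsing: the same identification line comes back wherever the daemon is bound, which is why moving the port does not hide the service from version detection.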


More information about the Linux-users mailing list