Subj : Re: SSH or no? (was: Nightmares / Dreams)
To   : 2twisty
From : Andre
Date : Thu Mar 31 2022 19:09:43

 2t> 1) Having the well-known ports open (22/23) is more of a risk for
 2t> portscan/DDOS than obfuscated ports. Not that 2222 and 2323 aren't OBVIOUS
 2t> alternatives...

It probably limits it a bit, but it's not worth the bother. Tools like Shodan can find SSH across any port, or any of the other mass scanners can do the same thing. If someone finds a zero day for OpenSSH, it's not going to make any difference what port you're listening on because it's already been scanned and found and put into a database.

 2t> 2) instead of moving sshd on the internal network, just port forward 22
 2t> and 23 to 2222 and 2323 respectively in the firewall. That way when you

Sure, whatever works. My SSH clients all have my high port in the server profile. If you're typing into a client, that'd save you the time of adding :5555 or whatever to the end.

I do it my way because I want my BBS client to connect on 22/23 regardless of whether I'm on or off network. I guess I could PAT from LAN to DMZ, but for me that's more effort than just changing the sshd port. All personal preference.

- Andre

--- SBBSecho 3.15-Linux
 * Origin: Radio Mentor BBS - bbs.radiomentor.org (21:3/117)