Last Updated on July 15, 2017 by Dave Farquhar
A week or two ago, a stranger approached me with some advice about securing routers: move SSH off port 22.
Since arguing with strangers is what the Internet was apparently invented for, I’ll argue against the benefits of moving SSH off port 22.
The problem is that you have 65,534 other places to hide SSH. In this day and age, that isn’t much. The command to find it is nmap -p1-65535 -sV (your IP address), which anyone who can use Google can find in five minutes. That command will find not only your hidden SSH, but everything else you might be running. It takes a few minutes to run, but it’s only a few minutes.
Sure, someone in a hurry might just look for SSH running on port 22, but it’s far more likely that an attacker will probe on most ports to see if you’re running anything else interesting. I also subscribe to the theory that someone running SSH on a port other than 22 is more interesting than someone running it on the default port. Someone who’s going to move SSH either has something they want to hide or has multiple hosts.
You don’t protect your services by running on a weird port. Your protection comes from your authentication. Disallow logins from root through SSH, or if you’re running DD-WRT, don’t use a username like root or admin or administrator or another common user ID used for admin accounts. Even a username like bob would be better, though I’d recommend something a bit more random. Then put a strong password on that username–something along the lines of four random words plus at least one number or symbol. If the person needs to connect as root, make them use sudo or su after login.
With an unknown username and a long password, it doesn’t matter if someone finds you on port 22. It’s going to take years for them to figure out your username and password. Probably longer than your router’s life expectancy anyway.
This is an example of security by obscurity. Technically it works. It keeps out some impatient hackers and slows the determined ones down by five minutes. But obscuring the username and using a strong password keeps even the patient hackers out for years. It doesn’t hurt, as long as you’re doing other stuff. But five more minutes of security doesn’t help much, either. Over the course of your device’s lifetime, the nonstandard SSH port causes you more inconvenience than it does your attacker.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.
“Since arguing with strangers is what the Internet was apparently invented for…”
Toward
Rational and
Objective
Logical
Linkage