Moving SSH off port 22 doesn’t do much for security

A week or two ago, a stranger approached me with some advice about securing routers: move SSH off port 22.

Since arguing with strangers is what the Internet was apparently invented for, I’ll argue against the benefits of moving SSH off port 22.

The problem is that you have 65,534 other places to hide SSH. In this day and age, that isn’t much. The command to find it is nmap -p1-65535 -sV (your IP address), which anyone who can use Google can find in five minutes. That command will find not only your hidden SSH, but everything else you might be running. It takes a few minutes to run, but it’s only a few minutes.

Moving SSH doesn't help security
This meme shows the physical equivalent of moving SSH to a different port. Someone can just sidestep the path.

Sure, someone in a hurry might just look for SSH running on port 22, but it’s far more likely that an attacker will probe on most ports to see if you’re running anything else interesting. I also subscribe to the theory that someone running SSH on a port other than 22 is more interesting than someone running it on the default port. Someone who’s going to move SSH either has something they want to hide or has multiple hosts.

You don’t protect your services by running on a weird port. Your protection comes from your authentication. Disallow logins from root through SSH, or if you’re running DD-WRT, don’t use a username like root or admin or administrator or another common user ID used for admin accounts. Even a username like bob would be better, though I’d recommend something a bit more random. Then put a strong password on that username–something along the lines of four random words plus at least one number or symbol. If the person needs to connect as root, make them use sudo or su after login.

With an unknown username and a long password, it doesn’t matter if someone finds you on port 22. It’s going to take years for them to figure out your username and password. Probably longer than your router’s life expectancy anyway.

This is an example of security by obscurity. Technically it works. It keeps out some impatient hackers and slows the determined ones down by five minutes. But obscuring the username and using a strong password keeps even the patient hackers out for years. It doesn’t hurt, as long as you’re doing other stuff. But five more minutes of security doesn’t help much, either. Over the course of your device’s lifetime, the nonstandard SSH port causes you more inconvenience than it does your attacker.

One thought on “Moving SSH off port 22 doesn’t do much for security

  • May 12, 2016 at 10:41 am
    Permalink

    “Since arguing with strangers is what the Internet was apparently invented for…”

    Toward
    Rational and
    Objective
    Logical
    Linkage

Comments are closed.

%d bloggers like this:
WordPress Appliance - Powered by TurnKey Linux