Hacker News new | past | comments | ask | show | jobs | submit login

Port 2222 seems to have become the official obscured SSH port. If you want less log spam, maybe choose another one.

Also it may be a good idea to use another port <1024 - iirc it's good to keep it to the port range where an unprivileged user cannot open anything, potentially impersonating the SSH service.

Although I'm not sure how an unprivileged user would be able to stop sshd in order to take over that port.




> potentially impersonating the SSH service

Assuming the remote client has authenticated the host in ~/.ssh/known_hosts and assuming your unprivileged user hasn't got access to the host's private SSH keys in /etc/ssh then I'm not sure how they can really impersonate the service.

On my system the private keys cannot be read by an unprivileged user. However, the trust-on-first-use model of SSH is an obvious Achilles heel.


> Although I'm not sure how an unprivileged user would be able to stop sshd in order to take over that port.

They just need to wait (or, leave their code running in wait) for an admin / system process to restart SSHD - e.g. when patching it.


In theory an unprivileged user can't obtain privileged port numbers through programs because the permission would be denied.


The post I was replying to was specifically referring to using a non-privileged port (2222).


Sorry, I misread your comment.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: