and i forgot: what if my router redirects any port to my computer's port 22? this can be a non-privileged port
if only i have access to the router settings ...

On Wed, Jul 23, 2014 at 11:44 AM, Erez D <erez0...@gmail.com> wrote:
> 1. only refer to non-privileged ports
> 2. btw, ssh will warn you if the server cert changes, so if someone
> takes the port for its ssh server, you will know
>
> i'll still stick with a non-standard privileged port.
>
> On Tue, Jul 22, 2014 at 3:47 PM, Guy Gold <guy1g...@gmail.com> wrote:
>>
>>>>>> On 22 July 2014 00:52, Guy Gold <guy1g...@gmail.com> wrote:
>>>>>>>
>>>>>>> Hi Erez,
>>>>>>>
>>>>>>> On Mon, Jul 21, 2014 at 4:18 AM, Erez D <erez0...@gmail.com> wrote:
>>>>>>>>
>>>>>>>> it is not even a dynamic ip, it is a private ip behind a dynamic one
>>>>>>>
>>>>>>> Then, what Eliyahu wrote should serve you a perfect solution.
>>
>> Although this can become a flame-war :)
>>
>> Source:
>> https://www.adayinthelifeof.nl/2012/03/12/why-putting-ssh-on-another-port-than-22-is-bad-idea/
>>
>> ==Begin quote ==
>>
>> But there are more reasons why this is a bad idea and one of the most
>> important reasons has to do with a bit of the (Linux) way of handling
>> TCP/IP ports. When you are logged onto a system as a non-root user
>> (anyone not being uid 0), you cannot create a listening TCP or UDP port
>> below 1024. This is because port numbers below 1024 are so-called
>> privileged ports and can only be opened by root or processes that are
>> running as root. So for instance, when your webserver (apache, nginx
>> etc) will start, it will do so as the privileged root user in order to
>> open up a listening connection to port 80 (the port that by default
>> will be used for HTTP traffic). Now, as soon as the port is opened and
>> everything that needs to be done as root is done, the webserver will
>> fall back to a non-privileged user (either the www-data, apache, or
>> nobody user). From that point, when something bad is happening, it is
>> only limited to the rights that that user has.
>>
>> Now, back to SSH: when we start SSH on port 22, we know for a fact that
>> this is done by root or a root-process since no other user could
>> possibly open that port. But what happens when we move SSH to port
>> 2222? This port can be opened without a privileged account, which means
>> I can write a simple script that listens to port 2222 and mimics SSH in
>> order to capture your passwords. And this can easily be done with
>> simple tools commonly available on every linux system/server. So
>> running SSH on a non-privileged port makes it potentially LESS secure,
>> not MORE. You have no way of knowing if you are talking to the real SSH
>> server or not. This reason, and this reason alone makes it that you
>> should NEVER EVER use a non-privileged port for running your SSH
>> server.
>>
>> ==End quote==
>>
>> Reading the whole page is recommended.
>>
>> Though, some of Joshua Thijssen's points can be argued against (not by
>> myself, but I'm sure some folks can find some caveats in his article).
>> I tend to agree with what he points out.
>>
>> I do acknowledge that SBO (security by...) divides sysadmins apart
>> quite a bit. Some live by it, and some, well, ridicule it, and for
>> them, seeing another sysadmin use such a method is a telltale sign of
>> anachronism. The beauty is that we can all choose, and what is
>> important is being informed.
>>
>> --
>> Guy Gold
>>
>> _______________________________________________
>> Linux-il mailing list
>> Linux-il@cs.huji.ac.il
>> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
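The two safeguards discussed in this thread, the "ssh will warn you if the server key changes" point and the router-forwarded port, both hinge on how the OpenSSH client pins host keys in known_hosts: an entry is keyed on the bare hostname for port 22 and on "[host]:port" for any other port, and HashKnownHosts entries are stored as an HMAC-SHA1 of that name. The example below is added here as an illustration and is not code from the thread or from OpenSSH; it models the lookup so the consequence is visible: a key pinned for the host on port 22 does not cover the same server reached through a forwarded port 2222, so the first connection on the new port gets only a first-use prompt, never a mismatch warning, until that key is pinned too. All hostnames, keys and the salt are constructed placeholders; the matcher is simplified (same-key-type comparison only, no `!` negation, @cert-authority entries ignored).

```python
import base64
import hashlib
import hmac
import re


def known_hosts_name(host: str, port: int) -> str:
    """Name OpenSSH looks up in known_hosts for a connection to host:port.

    Port 22 is stored as the bare host; any other port as "[host]:port".
    A router that forwards external port 2222 to the server's port 22 therefore
    gets its own client-side pin, separate from whatever is pinned for the same
    host on port 22.
    """
    return host if port == 22 else f"[{host}]:{port}"


def hash_host(name: str, salt: bytes) -> str:
    """Build a HashKnownHosts-style pattern: |1|b64(salt)|b64(HMAC-SHA1(salt, name))."""
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def host_matches(pattern: str, name: str) -> bool:
    """Match one known_hosts host pattern (plain, wildcard or hashed) against the name."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, hash_b64 = pattern.split("|", 3)
        expected = hmac.new(base64.b64decode(salt_b64), name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(hash_b64))
    if "*" not in pattern and "?" not in pattern:
        return pattern == name          # plain entry; "[...]" is literal, not a char class
    # sshd(8)-style wildcards: only '*' and '?'; '!' negation is not modelled here
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, name) is not None


def parse_known_hosts(text: str) -> list:
    """Parse known_hosts lines into dicts; comments, blanks and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = None
        if fields[0].startswith("@"):       # "@revoked" or "@cert-authority"
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:
            continue
        entries.append({"marker": marker, "patterns": fields[0].split(","),
                        "keytype": fields[1], "key": fields[2]})
    return entries


def key_status(text: str, host: str, port: int, keytype: str, key: str) -> str:
    """Classify what ssh would do with the key a server presents for host:port.

    'match'    a pinned key of this type agrees: silent connect
    'revoked'  the key is listed under @revoked: ssh refuses the connection
    'mismatch' a different key of the same type is pinned for this exact name:
               the loud "host key has changed" warning
    'unknown'  no key of this type pinned for this name: first-use prompt only,
               so a newly forwarded port gives no mismatch warning
    """
    name = known_hosts_name(host, port)
    pinned = []
    for entry in parse_known_hosts(text):
        if not any(host_matches(p, name) for p in entry["patterns"]):
            continue
        if entry["marker"] == "@revoked":
            if (entry["keytype"], entry["key"]) == (keytype, key):
                return "revoked"
            continue
        if entry["marker"] is None:         # @cert-authority entries are ignored here
            pinned.append((entry["keytype"], entry["key"]))
    same_type = [k for t, k in pinned if t == keytype]
    if not same_type:
        return "unknown"
    return "match" if key in same_type else "mismatch"


# Constructed sample known_hosts (not from the thread; hostnames, keys and salt are placeholders).
_SALT = b"constructed-salt-20b"   # 20 bytes, the salt size OpenSSH uses
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample",
    "example.org,203.0.113.10 ssh-ed25519 AAAAconstructedKeyA",
    "[home.example.net]:2222 ssh-ed25519 AAAAconstructedKeyB",
    hash_host("[vpn.example.net]:8022", _SALT) + " ssh-ed25519 AAAAconstructedKeyC",
    "@revoked home.example.net ssh-ed25519 AAAAconstructedKeyOld",
])


if __name__ == "__main__":
    for host, port, key in [("home.example.net", 2222, "AAAAconstructedKeyB"),
                            ("home.example.net", 2222, "AAAAconstructedKeyX"),
                            ("home.example.net", 22, "AAAAconstructedKeyB"),
                            ("vpn.example.net", 8022, "AAAAconstructedKeyC")]:
        print(known_hosts_name(host, port),
              key_status(SAMPLE_KNOWN_HOSTS, host, port, "ssh-ed25519", key))
```

The third case in the usage loop is the one the thread circles around: the same server key that is pinned as "[home.example.net]:2222" comes back as "unknown" when looked up for port 22, so a warning is only guaranteed once a key for the exact host:port the client dials has been recorded (for example by a deliberate first connection with the fingerprint verified out of band).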