LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 09-22-2004, 08:27 AM   #1
mazzo
Member
 
Registered: Jun 2003
Location: Thames Valley, UK
Distribution: RedHat from 4 -9, Fedora, Ubuntu, Centos 3 - 7, Puppy Linux, and lots of raspberry pi
Posts: 142

Rep: Reputation: 15
ssh on two ports


Due to the increase in ssh probes etc, I want to fully stealth my server in the first 1056 ports - which will give me a GRC thumbs-up.

My idea is to stealth port 22 to traffic outside but leave it open to the internal network. Then I want to add another port and open it up in the firewall.

My questions are:

Is this a workable or even worthwhile / good idea ?

If I use a port >2000 which is often assigned to other services (not that I use them) - what happens if this service on another PC tickles the port? Does ssh reply?

Is this likely to evade the ssh scanners or do they look for other open ports?

Thanks
 
Old 09-22-2004, 08:55 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Current nmap versions (since ~3.49) do application detection, not simply port x = service y. So configuring sshd to listen on an alternative port will only fool older versions.

Also, you'd have to modify the remote ssh clients to connect to whatever port you decide to use rather than port 22.
 
Old 09-22-2004, 08:58 AM   #3
r0b0
Member
 
Registered: Aug 2004
Location: Europe
Posts: 608

Rep: Reputation: 50
Just keep your ssh server version up to date, keep your passwords secure and, if possible, restrict access to ssh by firewall (make it only accessible from certain hosts/networks).
Moving the ssh service to a port other than the usual one is not a security precaution.
 
Old 09-22-2004, 12:54 PM   #4
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Actually, intuitively this idea is not very good since it's quite easy to identify SSH on different ports by using automated tools, or even telnet. In practice it works fantastically well. I run port forwarding on several ports and IPs to several different internal machines running SSH, and I haven't had ONE automated login attempt yet! This despite the fact that I have 3 static IPs and several published domain names pointing to them, as well as public HTTP and SMTP access.

Security through obscurity is a bad idea, but sometimes it's quite effective. Just remember not to rely on it as your only defense. Keep up to date with security patches, maintain strong passwords (or disable password auth entirely for SSH), etc...

As for how to do it, the easiest way is to have your machine listen on the internal network on the default port 22, but have your firewall redirect some high-order port to it. You can also play around with /etc/ssh/sshd_config to change the port numbers if that box is directly connected to the Internet (not behind a firewall).
 
Old 09-24-2004, 03:49 PM   #5
mazzo
Member
 
Registered: Jun 2003
Location: Thames Valley, UK
Distribution: RedHat from 4 -9, Fedora, Ubuntu, Centos 3 - 7, Puppy Linux, and lots of raspberry pi
Posts: 142

Original Poster
Rep: Reputation: 15
Thanks for the advice.

Chort - I like the fact that you haven't had one automated attempt.

I have been reasonably careful. I have disabled root login and only assigned one user ssh access.

Principally my idea was to avoid the automated scan which then leads to the various attempts. I had someone trying solidly for 20 mins the other day, which provided a nice list of names that were considered possible users (john, david, stephen ........etc)

Will try it. Most likely to use sshd_config Ports option. Tried it briefly so I know it works (ie internal net on 22 and outside not).

I have wondered (and it probably exists but I'm not experienced enough to have tried it/heard of it) if it is possible to have a service like ssh listening but only replying when it gets a specific packet of data. Then it would reply and go through the whole logging in process. It would mean that the port was effectively stealthed until you opened it with a pre-defined key. Make scanning difficult.
 
Old 09-25-2004, 02:27 AM   #6
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Yes, you're talking about "port knocking". There's a lot of information available about it now, check Google.
 
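The scheme mazzo describes in post #5 and chort names in post #6 can be built from nothing but iptables and its `recent` match: sshd keeps listening, but the firewall drops every packet to the SSH port until the same source has sent SYNs to a pre-agreed sequence of closed ports, in order and within a time window. The script below is an added example, not code from the thread or from any port-knocking project; the knock sequence, the windows and the SSH port are constructed sample values, and the rules are only printed unless APPLY=1 so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the thread): port knocking with iptables' `recent` match.
# A source advances through stages AUTH1..AUTHn by hitting the knock ports in order;
# a wrong packet resets it. Only a source at the final stage may open port SSH_PORT.
# Sample values below are constructed for the example; nothing is applied unless APPLY=1.

KNOCK_SEQ="${KNOCK_SEQ:-7000 8000 9000}"   # secret knock sequence (constructed)
SSH_PORT="${SSH_PORT:-22}"
STEP_WINDOW=10   # seconds allowed between two consecutive knocks
OPEN_WINDOW=30   # seconds the SSH port stays reachable after the last knock

# run_or_print: execute when APPLY=1, otherwise print the command (dry run)
run_or_print() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}
ipt() { run_or_print iptables "$@"; }

knock_rules() {
    set -- $KNOCK_SEQ          # knock ports become $1..$n (word splitting intended)
    last=$#
    ipt -N KNOCKING
    ipt -N PASSED
    i=1
    while [ "$i" -le "$last" ]; do ipt -N "GATE$i"; i=$((i + 1)); done

    # GATEi: a source holding stage i-1 lands here. The expected knock promotes it to
    # stage i (and is dropped, so the knock port looks closed too); anything else
    # clears the stage and is re-evaluated as a possible first knock.
    i=1
    for p in "$@"; do
        if [ "$i" -gt 1 ]; then
            ipt -A "GATE$i" -m recent --name "AUTH$((i - 1))" --remove
        fi
        ipt -A "GATE$i" -p tcp --dport "$p" -m recent --name "AUTH$i" --set -j DROP
        if [ "$i" -gt 1 ]; then
            ipt -A "GATE$i" -j GATE1
        else
            ipt -A GATE1 -j DROP
        fi
        i=$((i + 1))
    done

    # PASSED: the whole sequence was completed; admit one new SSH connection (its later
    # packets match ESTABLISHED below) and reset the source back to stage 0.
    ipt -A PASSED -m recent --name "AUTH$last" --remove
    ipt -A PASSED -p tcp --dport "$SSH_PORT" -j ACCEPT
    ipt -A PASSED -j GATE1

    # KNOCKING: dispatch each packet on the highest stage its source has reached,
    # checking the most advanced stage first.
    ipt -A KNOCKING -m recent --rcheck --seconds "$OPEN_WINDOW" --name "AUTH$last" -j PASSED
    i=$((last - 1))
    while [ "$i" -ge 1 ]; do
        ipt -A KNOCKING -m recent --rcheck --seconds "$STEP_WINDOW" --name "AUTH$i" -j "GATE$((i + 1))"
        i=$((i - 1))
    done
    ipt -A KNOCKING -j GATE1

    # Hook into INPUT: existing sessions stay up. ACCEPT rules for other public
    # services (HTTP, SMTP) must come before the jump, since KNOCKING drops the rest.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -p tcp -j KNOCKING
}

knock_rules
```

From a client, the sequence is sent with something like `for p in 7000 8000 9000; do nc -z -w 1 host $p; done; ssh host` (nc's `-z`/`-w` flags are standard). Two caveats a practitioner should keep in mind: the `recent` tables are keyed by source address, so every machine behind the same NAT shares one stage, and anyone who can observe traffic on the path sees the sequence and can repeat it. Knocking therefore hides the SSH banner from sweeps but, as chort says, is no substitute for patches and strong or key-only authentication.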
Old 09-25-2004, 02:59 AM   #7
yuva_mca
LQ Newbie
 
Registered: Oct 2003
Posts: 21

Rep: Reputation: 15
There is one more possibility. We can configure port forwarding. I can write the rule in ipchains/iptables. Whatever requests come for port 22 will be redirected to some other port like 1030.

Note :
1. We have to modify the port number in the /etc/ports file.
2. Write the rule in ipchains/iptables to forward requests for port 22 to port 1030. So we can avoid the hacking.

Best Regards
Yuvaraj.K
yuva_mca@yahoo.com
 
Old 09-25-2004, 11:15 AM   #8
mazzo
Member
 
Registered: Jun 2003
Location: Thames Valley, UK
Distribution: RedHat from 4 -9, Fedora, Ubuntu, Centos 3 - 7, Puppy Linux, and lots of raspberry pi
Posts: 142

Original Poster
Rep: Reputation: 15
Thanks Chort

Looked it up - looks interesting.
 
Old 09-25-2004, 10:05 PM   #9
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
yuva_mca, unless I'm seriously misunderstanding what you wrote, your solution does not protect anything at all. The port scans are for port 22/tcp. If you simply take that port on your firewall and forward it to some other port internally, the port scans will be forwarded as well. Changing the port number in /etc/services will have absolutely no effect at all in this case.

Am I missing something?

Edit: I just realized you might have interpreted what I said as "SSH port forwarding", i.e. you thought I was talking about using SSH to forward ports rather than using the firewall. When I said "port forwarding" I meant "the firewall packet filter forwards external port 29384 to an internal host on port 22".

Last edited by chort; 09-25-2004 at 10:08 PM.
 
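Putting chort's advice from posts #4 and #9 into concrete rules: the external side only sees a high-numbered port that the firewall translates to 22, direct probes of 22 from outside are dropped without a reply, and the LAN still uses the normal port. The script below is an added example, not code from the thread; the interface names, the LAN prefix and addresses are assumptions, and 29384 is simply the illustrative port chort mentioned. It also shows the sshd_config variant mazzo tried for a box with no firewall in front. Rules are printed unless APPLY=1.

```shell
#!/bin/sh
# Added example (not from the thread): split SSH exposure between LAN and Internet.
# Variant A keeps sshd on 22 and lets the firewall map an external port onto it.
# Variant B binds sshd itself to 22 on the LAN address and to the high port everywhere.
# Interface names, prefixes and addresses are assumptions; nothing is applied unless APPLY=1.

WAN_IF="${WAN_IF:-eth0}"                 # interface facing the Internet (assumed)
LAN_IF="${LAN_IF:-eth1}"                 # interface facing the internal network (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # constructed sample LAN prefix
LAN_ADDR="${LAN_ADDR:-192.168.1.1}"      # constructed sample LAN address of this host
EXT_PORT="${EXT_PORT:-29384}"            # external port that maps to sshd
SSH_PORT=22

# run_or_print: execute when APPLY=1, otherwise print the command (dry run)
run_or_print() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Variant A: firewall translation, sshd untouched.
firewall_rules() {
    # Rewrite the external port to 22 before routing, so INPUT sees dport 22.
    run_or_print iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$EXT_PORT" \
        -j REDIRECT --to-ports "$SSH_PORT"
    # Packets of already-accepted connections keep flowing.
    run_or_print iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Admit a new connection from outside only if its ORIGINAL destination was EXT_PORT ...
    run_or_print iptables -A INPUT -i "$WAN_IF" -p tcp --dport "$SSH_PORT" \
        -m conntrack --ctstate NEW --ctorigdstport "$EXT_PORT" -j ACCEPT
    # ... so a direct probe of 22 from outside is dropped silently (no RST, i.e. "stealth").
    run_or_print iptables -A INPUT -i "$WAN_IF" -p tcp --dport "$SSH_PORT" -j DROP
    # The internal network still reaches sshd on the normal port.
    run_or_print iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$SSH_PORT" -j ACCEPT
}

# Variant B: sshd_config for a directly connected box. A ListenAddress that carries a
# port binds only that address:port, so 22 exists on the LAN address alone.
sshd_config_snippet() {
    printf 'ListenAddress %s:%s\n' "$LAN_ADDR" "$SSH_PORT"
    printf 'ListenAddress 0.0.0.0:%s\n' "$EXT_PORT"
    printf 'PermitRootLogin no\n'
}

firewall_rules
sshd_config_snippet
```

Clients then connect with `ssh -p 29384 host`. Two things the thread already points out still hold: in variant B an outside probe of 22 gets a RST (closed, not stealthed) unless a DROP rule like the one in variant A is added, and whichever variant is used, the external port still answers with an SSH banner, so a version-detecting scanner of the kind Capt_Caveman describes will find it; the gain is only against sweeps that look at port 22 alone.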
  

