
SANS ISC: The argument for moving SSH off port 22 - Internet Security | DShield SANS ISC InfoSec Forums


The argument for moving SSH off port 22
I regard moving off TCP/22 as being deprecated.

Do you do the same with HTTP (TCP/80)? For sure the answer is: NO.

Whatever port you use, it will be found.
And it will be tested, too.

Here from our netflows:

---------------------------------------------
( host 222.186.21.202 )
Top 10 Dst Port ordered by flows:
Date first seen           Duration Proto Dst Port     Flows(%)   Packets(%)    Bytes(%) pps  bps bpp
2015-02-16 06:20:36.974 358827.439 any      22223 102856(14.3) 102856(14.3) 4.7 M(14.3)   0  105  46
2015-02-16 06:20:36.974 358825.939 any      32222 102855(14.3) 102855(14.3) 4.7 M(14.3)   0  105  46
2015-02-16 06:20:36.974 358839.301 any      11022 102848(14.3) 102848(14.3) 4.7 M(14.3)   0  105  46
2015-02-16 06:20:51.974 358828.189 any      42222 102848(14.3) 102848(14.3) 4.7 M(14.3)   0  105  46
2015-02-16 06:20:30.724 358833.689 any      22022 102847(14.3) 102852(14.3) 4.7 M(14.3)   0  105  46
2015-02-16 06:20:57.974 358828.689 any      22033 102846(14.3) 102846(14.3) 4.7 M(14.3)   0  105  46
2015-02-16 06:21:22.974 358851.301 any      33022 100645(14.0) 100645(14.0) 4.6 M(14.0)   0  103  46
2015-02-20 09:34:59.264      0.250 any       2423      1( 0.0)      1( 0.0)    46( 0.0)   4 1472  46
2015-02-16 06:24:01.974      0.250 any       2435      1( 0.0)      1( 0.0)    46( 0.0)   4 1472  46
2015-02-16 06:24:00.974      0.250 any       2434      1( 0.0)      1( 0.0)    46( 0.0)   4 1472  46

Summary: total flows: 717769, total bytes: 33017656, total packets: 717775, avg bps: 735, avg pps: 1, avg bpp: 46
Time window: 2015-02-16 06:02:11 - 2015-02-20 10:04:58
---------------------------------------------

It's much better to use a well-known blacklist, e.g.

https://rules.emergingthreats.net/blockrules/compromised-ips.txt

updated daily if you want to reduce the noise.

For me, moving SSH away from TCP/22 is *DOOMED*.
Anonymous
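
One way to apply the blocklist suggestion from the post above, as an added example that is not part of the original post: a shell helper that turns a downloaded list into an nftables set and refuses to replace the current rules when the download contains no valid addresses. It assumes the list is one IPv4 address per line; the table, set and chain names and the sample input are chosen for this example.

```shell
#!/bin/sh
# Added example: build an nftables ruleset from a one-address-per-line blocklist.
# Table, set and chain names below are assumptions chosen for this example.

# Constructed sample input: documentation addresses plus lines that must be rejected.
sample_list() {
    printf '%s\n' '192.0.2.10' '198.51.100.7' '192.0.2.10' \
        '# comment' '999.1.1.1' '203.0.113.5; flush ruleset' '<html>error</html>'
}

# Print only well-formed, deduplicated IPv4 addresses read from stdin.
valid_ipv4() {
    awk '/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
        split($0, o, "."); ok = 1
        for (i = 1; i <= 4; i++)
            if (length(o[i]) > 3 || o[i] + 0 > 255 ||
                (length(o[i]) > 1 && substr(o[i], 1, 1) == "0")) ok = 0
        if (ok && !seen[$0]++) print
    }'
}

# Emit an nft script on stdout that atomically replaces the blocklist table.
# Returns 1 and prints nothing when the input has no valid address, so a
# failed or hijacked download cannot empty the set.
build_ruleset() {
    ips=$(tr -d '\r' | valid_ipv4 | paste -sd, -)
    [ -n "$ips" ] || { echo "no valid addresses, keeping current rules" >&2; return 1; }
    cat <<EOF
table inet blocklist
delete table inet blocklist
table inet blocklist {
    set compromised {
        type ipv4_addr
        elements = { $ips }
    }
    chain input {
        type filter hook input priority -10; policy accept;
        ip saddr @compromised counter drop
    }
}
EOF
}

# Typical use (needs network access and root, so it is not run here):
#   curl -fsS https://rules.emergingthreats.net/blockrules/compromised-ips.txt \
#       | build_ruleset > blocklist.nft && nft -f blocklist.nft
```

Only lines that pass the address check reach the generated ruleset, so a line carrying extra nft syntax is dropped rather than loaded.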
