nanog mailing list archives

Re: a record?


From: Eric Rescorla <ekr () rtfm com>
Date: Fri, 18 Nov 2005 07:28:12 -0800


Matthew Sullivan <matthew () sorbs net> writes:

John Levine wrote:

Moving sshd from port 22 to port 137, 138 or 139. Nasty eh?

Don't do that! Lots of (access) ISPs around the world (esp. here in
Europe) block those ports.


If you're going to move sshd somewhere else, port 443 is a fine
choice.  Rarely blocked, rarely probed by ssh kiddies.  It's probed
all the time by malicious web spiders, but since you're not a web
server, you don't care.


Except if you're running a version of OpenSSL that has a
vulnerability, you could be inviting trouble - particularly with
kiddies scanning for Apache with vulnerable versions of OpenSSL
attached by way of mod_ssl etc.

It's worth noting that while OpenSSH uses OpenSSL for crypto, most of
the recent vulnerabilities in OpenSSL do not extend to OpenSSH,
because they're in the SSL state machine, not the crypto.

-Ekr
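An added example, not part of the thread: the point above (sshd on 443 never runs a TLS state machine, so a web/mod_ssl scanner hitting that port does not exercise the SSL code paths) can be seen from the first bytes each service produces. An SSH server speaks first and sends its version banner as soon as the TCP connection is up, while a TLS server stays silent until it receives a ClientHello. The probe below connects, sends nothing, and classifies whatever the listener volunteers. The banner string and the two local throwaway listeners are constructed for the demonstration; nothing here is OpenSSH's or OpenSSL's own code.

```python
"""Tell an SSH listener from a TLS (HTTPS) listener on the same port.

Constructed example: the SSH server sends its identification string
(RFC 4253) immediately; a TLS server waits for the client's ClientHello.
A scanner that opens the socket and listens briefly can therefore tell
sshd-on-443 from Apache+mod_ssl without completing a TLS handshake.
"""
import socket
import threading

# Constructed sample banner, formatted like an OpenSSH identification string.
SSH_BANNER = b"SSH-2.0-OpenSSH_4.2\r\n"


def classify_first_bytes(data: bytes) -> str:
    """Classify a service from the first bytes it sent (or did not send)."""
    if data.startswith(b"SSH-"):
        return "ssh"       # RFC 4253 identification string, sent unprompted
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"       # TLS record header: handshake (0x16), major version 3
    if not data:
        return "silent"    # server waits for the client; TLS and HTTP behave this way
    return "unknown"


def probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Connect, send nothing, and classify whatever the server volunteers."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(256)
        except socket.timeout:
            data = b""     # nothing arrived: the server is waiting on us
    return classify_first_bytes(data)


def start_fake_ssh_server(banner: bytes = SSH_BANNER) -> int:
    """Local one-shot listener that only emits an SSH banner; returns its port.

    Hypothetical stand-in for sshd bound to a non-default port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)   # SSH servers speak first
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def start_silent_server() -> int:
    """Local one-shot listener that accepts and waits, like a TLS server awaiting ClientHello."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            try:
                conn.recv(1)       # waits for the client, which never sends anything
            except OSError:
                pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    ssh_port = start_fake_ssh_server()
    print("fake sshd:", probe("127.0.0.1", ssh_port))          # ssh
    tls_port = start_silent_server()
    print("silent (TLS-like):", probe("127.0.0.1", tls_port))  # silent
```

Run against a real host, `probe(host, 443)` returning "ssh" is exactly what a mod_ssl scanner would see: an SSH identification string where it expected a TLS ServerHello, with no TLS record ever parsed by the daemon. Moving sshd is done with the `Port` directive in sshd_config; the probe is only a way to confirm from outside which protocol actually answers on the chosen port.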

