[86842] in North American Network Operators' Group


Re: a record?

daemon@ATHENA.MIT.EDU (Eric Rescorla)
Fri Nov 18 10:21:48 2005

To: Matthew Sullivan <matthew@sorbs.net>
Cc: nanog@nanog.org
Reply-To: EKR <ekr@rtfm.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 18 Nov 2005 07:28:12 -0800
In-Reply-To: <437DAC56.30904@sorbs.net> (Matthew Sullivan's message of "Fri,
 18 Nov 2005 21:26:30 +1100")
Errors-To: owner-nanog@merit.edu


Matthew Sullivan <matthew@sorbs.net> writes:

> John Levine wrote:
>
>>>>Moving sshd from port 22 to port 137, 138 or 139. Nasty eh?
>>>>
>>>don't do that! Lots of (access) isps around the world (esp here in
>>>Europe) block those ports
>>>
>>
>>If you're going to move sshd somewhere else, port 443 is a fine
>>choice.  Rarely blocked, rarely probed by ssh kiddies.  It's probed
>>all the time by malicious web spiders, but since you're not a web
>>server, you don't care.
>>
>
> Except if you're running a version of OpenSSL that has a
> vulnerability, you could be inviting trouble - particularly with
> kiddies scanning for Apache with vulnerable versions of OpenSSL
> attached by way of mod_ssl etc...

It's worth noting that while OpenSSH uses OpenSSL for crypto, most of
the recent vulnerabilities in OpenSSL do not extend to OpenSSH,
because they're in the SSL state machine, not the crypto.

-Ekr
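As an added illustration of the point the thread is arguing over (this is not code from the thread or from any poster; the inputs below are constructed): once sshd is bound to 443 (the `Port 443` directive in sshd_config), anything that connects there gets an SSH identification string before it has sent a byte, because SSH is a server-speaks-first protocol (RFC 4253 section 4.2), while a TLS server stays silent until it sees a ClientHello. A scanner looking for Apache/mod_ssl therefore sees an OpenSSH banner, not a TLS handshake, which is exactly why the thread says the web-spider traffic can be ignored. The probe below does that classification: it waits for a volunteered banner, and only if the port is silent does it send a minimal TLS ClientHello and check for a handshake or alert record. The banner parser also pulls out the software version string that the "ssh kiddies" in the thread fingerprint on.

```python
"""Tell SSH from TLS on an arbitrary TCP port (added example).

SSH servers send "SSH-protoversion-softwareversion [comments]\r\n"
first; TLS servers wait for a ClientHello and answer with a record
whose content type is 0x16 (handshake) or 0x15 (alert)."""
import os
import socket
import struct
import sys


def classify_server_greeting(data: bytes) -> str:
    """Classify bytes the server volunteered before we sent anything."""
    if not data:
        return "silent"          # TLS, HTTP and friends wait for the client
    if data.startswith(b"SSH-"):
        return "ssh"
    return "unknown"


def parse_ssh_identification(line: bytes) -> dict:
    """Split an RFC 4253 identification string into its three fields.
    (Pre-banner text lines the RFC permits are not handled here.)"""
    text = line.split(b"\n")[0].rstrip(b"\r").decode("ascii", "replace")
    if not text.startswith("SSH-"):
        raise ValueError("not an SSH identification string")
    ident, _, comments = text.partition(" ")
    _, proto, software = ident.split("-", 2)
    return {"protoversion": proto, "softwareversion": software,
            "comments": comments}


def build_client_hello() -> bytes:
    """Minimal TLS ClientHello record (version 1.0 on the record layer,
    1.2 inside), enough to make any TLS stack answer with a ServerHello
    or an alert. Two cipher suites, no extensions, no SNI."""
    body = struct.pack("!H", 0x0303)            # client_version TLS 1.2
    body += os.urandom(32)                      # random
    body += b"\x00"                             # session_id length 0
    suites = struct.pack("!HH", 0x002F, 0xC02F)  # RSA-AES128-SHA, ECDHE-RSA-AES128-GCM
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                         # compression: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify_tls_response(data: bytes) -> str:
    """Classify what came back after our ClientHello."""
    if not data:
        return "no-response"
    # content type handshake (0x16) or alert (0x15), record version major 3
    if len(data) >= 2 and data[0] in (0x16, 0x15) and data[1] == 0x03:
        return "tls"
    return "not-tls"


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, listen for a banner, fall back to a TLS ClientHello."""
    with socket.create_connection((host, port), timeout) as s:
        s.settimeout(timeout)
        try:
            greeting = s.recv(256)
        except socket.timeout:
            greeting = b""
        if greeting:
            kind = classify_server_greeting(greeting)
            if kind == "ssh":
                return "ssh %s" % parse_ssh_identification(greeting)["softwareversion"]
            return kind
        s.sendall(build_client_hello())
        try:
            reply = s.recv(16)
        except socket.timeout:
            reply = b""
        return classify_tls_response(reply)


if __name__ == "__main__":
    # usage: python probe.py host [port]   (port defaults to 443)
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(probe(target, target_port))
```

Run against a host where sshd has been moved to 443 and the output is "ssh OpenSSH_x.y"; against a real HTTPS server the port stays silent and the fallback reports "tls". A scanner that sends a ClientHello blindly, without first reading, gets the SSH banner back instead and misfiles the host, which is the behaviour the thread is relying on.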
