8

I just set up remote ssh for the first time with openssh.

I was able to ssh into my server with putty using the following three settings:

  1. /etc/init.d/ssh restart

    # What ports, IPs and protocols we listen for
Port 1234

  2. dd-wrt network control panel (192.168.1.1 into the url of the browser)

    Application----Port From----Protocol----IP Address----Port to----Enable

    myssh----------1234----------TCP---------192.168.1.x---1234-------yes

  3. putty

    Host name (or IP address)----Port

    w.x.y.z-----------------------------1234

Is there a reason I should use port 22 instead of 1234?

user784637
  • 1,632

6 Answers6

8

First, well-known port numbers are "well-known". They eliminate some guess-work as to what port a given service is listening on.

Second, ports 1024 and below can only be opened by root. This gives an additional level of "trust" to these services. I.E., the service I'm connecting to on port 22 must be running (or have been started) as root. If a service is running on 1234, it could be any user that has access to the box that opened and started a "program-that-acts-like-SSHD-but-intercepts-passwords" program. (This assumes that there is no NAT or other redirections in place - see mmi's answer.)

Also agreed with a point made by mmi - I wouldn't unnecessarily run a program as root just to obtain the desired port number. If a program running as root were to be compromised, the entire system is then compromised. However, if a program is already running as root for other needs, may as well use the proper port number.

Some people will advise against using the well-known ports in an effort to "hide" common services that might be used for exploit attempts, but I consider this to be only "security by obscurity" - and advise against doing such.

ziesemer
  • 1,063
6

It basically depends on how much you want to hide that service.

People (and bots scanning for security vulnerabilities) will assume SSH is running on port 22, HTTP is running on port 80, and so on. If a service is running on a non-standard port, it will be less easy to detect, but it will be more difficult to use for legitimate users.

  • HTTP running on port 80:
    • You can reach it using http://servername
    • It will be easily reachable by anyone pointing a web browser to it
  • HTTP running on port 8042:
    • You will need to type http://servername:8042 to reach it
    • It will not be easily detected as a web server

  • SSH running on port 22:
    • You can reach it by telling Putty (or any similar program) to connect to your server's hostname or IP address
    • It will be easily reachable by anyone pointing a SSH client to it
  • SSH running on port 2242:
    • You will need to tell your SSH client to use that custom port
    • It will not be easily detected as a SSH server

And so on...

Massimo
  • 72,827
3

You can use any port you like. Use of port 22 for ssh is conventional, and you'll find many firewalls, ssh clients and daemons default to this for convenience.

The better question should be "why shouldn't I use port 22?". There's some debatable security benefits to doing so, but I've never personally been convinced by them.

growse
  • 8,185
3

I disagree at some point with ziesemer: These programs do NOT have necessarily to be run by root. And it is NOT recommended to run any network related service as root unless you need to do so. When someone is able to exploit your service he or she will gain root rights.

Besides, a NAT can translate port 80 from outside to any port in the LAN. Therefore you can run a service as non-root.

The main advantage of well-known ports (especially port 80): They are usually not blocked by firewalls (port filters). If you try to access your server from school it may fail, depending on the school's router configuration.

mmi
  • 31
1

Is there a reason I should use port 22 instead of 1234?

Because that's where the other 99% of SSH services listen and people will expect it to be so. Convention isn't a hard and fast rule but you'll find that most administrators expect to see SSH on port 22, HTTP on port 80 and so on. Unless you have a very good reason to deviate from the established convention - I suggest you don't.

Nine times out of ten, some one much smarter than you (or I) picked the default settings for a good reason and unless you have a better one why change it?

(It's really annoying to have to spend your first day on the job nmap-ing everything to try to figure out which "non-conventional" ports the previous admin/consultant/BOFH decided to run everything on).

1

There's a good reason to use 22 for ssh, avoid the necessity to learn how to configure or additional parameters to use in several clients, ssh, scp, git, rsync etc. And also avoid to change premade scripts written to assume the default port.

There's always subjective security gains changing a default port, but I think that should exist a good and uncircumventable reason to change a default behaviour.

theist
  • 1,269