North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: a record?

  • From: Eric Rescorla
  • Date: Fri Nov 18 10:22:44 2005

Matthew Sullivan <[email protected]> writes:

> John Levine wrote:
>>>>Moving sshd from port 22 to port 137, 138 or 139. Nasty eh?
>>>don't do that! Lots of (access) isps around the world (esp here in
>>>Europe) block those ports
>>If you're going to move sshd somewhere else, port 443 is a fine
>>choice.  Rarely blocked, rarely probed by ssh kiddies.  It's probed
>>all the time by malicious web spiders, but since you're not a web
>>server, you don't care.
> Except if you're running a version of OpenSSL that has a
> vulnerability, you could be inviting trouble - particularly with
> kiddies scanning for Apache with vulnerable versions of OpenSSL
> attached by way of mod_ssl etc...

It's worth noting that while OpenSSH uses OpenSSL for crypto, most of
the recent vulnerabilities in OpenSSL do not extend to OpenSSH,
because they're in the SSL state machine, not the crypto.