Ssh On Port 22 Is It Safe?

[co2shaun]

I was wondering if it would be secure to run ssh on port 22 on a ddwrt router. I'm using a key not a password for login. Right now i'm running it on port 2223 but I think i'm running into firewall issues at my university. I can't connect to my ssh server on port 2223 but I can connect to another on that is running on port 22. I'm wondering what port I should change to.

[Sitwon]

If password login is disabled then it's perfectly fine to run SSH on port 22.

[telot]

You can try any number of other ports - just make sure your firewall on your server side is port forwarding the appropriate ports. So you can either change the port on your server (/etc/ssh/sshd_config) or if your router/firewall supports it, you can do port mapping. For instance, I can map port 2020 to 22 on my server. So when I'm out in the world, I type ssh -p 2020 user@telotsawesomeserver.com and my router/firewall makes port 2020 from outside internet connect to port 22 on my inside intranet at my house. All this does is prevent script kiddies from attempting to brute force my server - security through obscurity.

telot

[co2shaun]

You can try any number of other ports - just make sure your firewall on your server side is port forwarding the appropriate ports. So you can either change the port on your server (/etc/ssh/sshd_config) or if your router/firewall supports it, you can do port mapping. For instance, I can map port 2020 to 22 on my server. So when I'm out in the world, I type ssh -p 2020 user@telotsawesomeserver.com and my router/firewall makes port 2020 from outside internet connect to port 22 on my inside intranet at my house. All this does is prevent script kiddies from attempting to brute force my server - security through obscurity.

telot

That's what I would do but when i'm at school I can't connect unless the server is running on port 22. It's something with their stuff because I ran on a different port for several years and never had a problem connecting.

If password login is disabled then it's perfectly fine to run SSH on port 22.

I'm using the key method to login. I just wanted to make sure that I had everything taken care of. I would rather run on a non-standard port but I'm not sure that is an option. Thanks for the info everyone.

Edited September 12, 2012 by co2shaun

[manouche]

I would have thought your "school" (-sounds funny to a Brit,- unless you are under 16!) is much less likely to block some other ports than 22 (after all that is practically saying its ok to tunnel out using ssh).

I am thinking explicitly of ports such as 443 which is the standard SSL/HTTPS port, -if they block that then no secure sites will work such as banking or library sites so thats highly unlikely. If you are running a pure ssh server rather than say OpenVPN which also uses SSL then that should be fine. You will probably still get a few bots knocking on that port but they will not be expecting SSH there! There is also always port 80 of course, providing you are not running a web server on your (Home?) server. Also have you checked that they are not using a proxy which is more common in large institutions. You can find out the details of the proxy simply by checking the internet connection settings on the browser on one of the institutions machines and use those details in putty to get out that way (I do that all the time to tunnel out of my "institution" -and no I am not being held at her majesties pleasure!)

[co2shaun]

I would have thought your "school" (-sounds funny to a Brit,- unless you are under 16!) is much less likely to block some other ports than 22 (after all that is practically saying its ok to tunnel out using ssh).

I am thinking explicitly of ports such as 443 which is the standard SSL/HTTPS port, -if they block that then no secure sites will work such as banking or library sites so thats highly unlikely. If you are running a pure ssh server rather than say OpenVPN which also uses SSL then that should be fine. You will probably still get a few bots knocking on that port but they will not be expecting SSH there! There is also always port 80 of course, providing you are not running a web server on your (Home?) server. Also have you checked that they are not using a proxy which is more common in large institutions. You can find out the details of the proxy simply by checking the internet connection settings on the browser on one of the institutions machines and use those details in putty to get out that way (I do that all the time to tunnel out of my "institution" -and no I am not being held at her majesties pleasure!)

The odd thing about it is that when I run on port 22 everything works great. Only time I can't connect is when I tried a none standard port. I guess they do like tunneling. I'm guessing that like you said 80 or 443 would work too. Could be using a proxy haven't really checked into it. School, university, and college are all used interchangeably where I'm from (Western Kansas very rural location in the states)

[badbass]

What ever port you choose do a netcat.

[TheGuyWithSticks]

Using port 22 is safe, as long as you've configured your router correctly. You said you're using keys, and not passwords, but make sure you're only using authorized keys, and not just any. To be extra safe, you want authorized keys only, plus passwords, but that's usually overkill unless you're paranoid or in a high risk environment.

As for using a different port other than 22, that's referred to as Security through obscurity. I was taught against it because of the basics. If your basics are flawed, no amount of secrecy will save you. And if your system is secure, secrecy won't help since you're good.

Edited September 19, 2012 by TheGuyWithSticks