Feature #6414
SSHD listening on multiple ports
Status: Closed
Description
As can be done in sshd.conf, allow multiple ports for the SSHD listening socket.
Updated by Ben L over 5 years ago
One use case for this is exposing ssh on the WAN on a non-standard high port so as to minimise exposure to random drive-by port scanning and access attempts that pollute logs, yet also have ssh listening on the standard port 22 for ready access from inside clients.
Updated by Jim Pingle over 5 years ago
- Status changed from New to Rejected
Never expose SSH to WAN. Security by obscurity is not obscurity.
And if you use key-only auth, the rest doesn't matter.
Plus there is zero need to actually bind on multiple ports. Just make a port forward from the port you want to use to 127.0.0.1:22.
Updated by Ben L over 5 years ago
Jim Pingle wrote:
Never expose SSH to WAN. Security by obscurity is not obscurity.
The purpose of this is to weed out noise in logs/etc. This has tangible security benefits - if someone hits 22, I can't tell them from the million others trying, it's pointless logging anything. If someone hits my bespoke high port I know they're at least slightly more serious and/or have access to some internal documentation. Nothing to do with attempting to "hide" the port. There's a reason the ssh server supports multiple port options.
Plus there is zero need to actually bind on multiple ports. Just make a port forward from the port you want to use to 127.0.0.1:22.
Sure, but port-forwarding is more complex to set up and use (i.e. remembering which interface you're coming in on) than the simple multiple ports that openssh already provides.
Updated by Jim Pingle over 5 years ago
You can port forward now in a handful of clicks, it's simple and not at all complicated. Listening on multiple ports would take a lot of extra code and GUI work to add the option, plus be more obscure.
If a port forward is "complex" then the admin doesn't need to be opening up multiple SSH ports.
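The two approaches argued over in this thread, written out side by side. This is an added illustration, not configuration from the pfSense project or from either participant: the interface name em0, the high port 2222 and the use of raw pf.conf syntax (pfSense generates equivalent rules from its GUI port forward) are assumptions made here for the example.

```conf
# --- (a) What the ticket asks for: OpenSSH itself listening on two ports ---
# Fragment of sshd_config. Each Port directive adds one listening socket.
# A ListenAddress without an explicit port binds to the Port options that
# precede it, so keep the Port lines first. LogLevel VERBOSE makes sshd log
# "Connection from <src> port <sport> on <local addr> port <lport>", which is
# what lets you tell a hit on 2222 apart from a hit on 22 in the sshd log
# (at the default INFO level only the remote address and port are logged).
Port 22
Port 2222
ListenAddress 0.0.0.0
LogLevel VERBOSE
PasswordAuthentication no
PubkeyAuthentication yes
# Check the file before restarting:  sshd -t -f /path/to/sshd_config

# --- (b) What the maintainer suggests: one listener, a firewall redirect ---
# Fragment of pf.conf. sshd keeps listening on 22 only; the firewall rewrites
# WAN traffic arriving on 2222 to 127.0.0.1:22. The "log" keyword on the rdr
# rule records every match in pflog, so hits on the bespoke port are visible
# at the firewall even without LogLevel VERBOSE in sshd.
wan_if = "em0"
lan_net = "192.168.1.0/24"

# Direct hits on 22 from the WAN are never forwarded and fall through to the
# default deny below; only the redirected port is allowed in.
rdr pass log on $wan_if proto tcp from any to ($wan_if) port 2222 -> 127.0.0.1 port 22

# Inside clients still reach sshd on the standard port.
pass in quick on lan0 proto tcp from $lan_net to (lan0) port 22

block in log on $wan_if
# Check the rule set before loading it:  pfctl -nf /path/to/pf.conf
```

With (b) nothing in sshd changes, which is the maintainer's point; with (a) the distinction Ben wants in the logs only exists if sshd is told to record the local port, hence the LogLevel line.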