Why run SSH on a different port
Most servers require root access if you want to open ports lower than 1024.
The TCP/IP port numbers below 1024 are special in that normal users are not allowed to run servers on them. This is a security feature, in that if you connect to a service on one of these ports you can be fairly sure that you have the real thing, and not a fake which some hacker has put up for you.
What difference does it make running SSH from port 22 vs port 3389?
In order to bind to a port below 1024 (a privileged port) a process must have root access. By making it bind to 3389 root access is not required.
One of the reasons I've seen this done, is to reduce log spam from password scanners. Then if someone's trying to bruteforce passwords, you know it's a targeted attempt rather than a driveby.
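The point above is about signal-to-noise: on a non-standard port, a burst of failed password attempts is worth looking at because drive-by scanners rarely find the port. The following is an added example (not from the answer) of the detection logic a defender would run over sshd's auth log lines; the log lines are constructed samples in the format sshd writes, and the `threshold` value is an arbitrary choice for illustration. Note that the `port` field in these lines is the client's source port, not the port sshd listens on.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth.log lines in sshd's format (not taken from the page).
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:12 host sshd[2311]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar  3 10:01:15 host sshd[2311]: Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2
Mar  3 10:01:19 host sshd[2311]: Failed password for root from 198.51.100.7 port 51024 ssh2
Mar  3 10:01:23 host sshd[2311]: Failed password for root from 198.51.100.7 port 51025 ssh2
Mar  3 10:02:01 host sshd[2340]: Accepted publickey for alice from 203.0.113.5 port 40211 ssh2
Mar  3 10:03:44 host sshd[2355]: Failed password for bob from 203.0.113.9 port 40300 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." forms.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+) ssh2"
)


def failed_logins_by_source(log_text):
    """Return {source_ip: (failed_attempt_count, set_of_usernames_tried)}."""
    counts = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        counts[m["ip"]] += 1
        users[m["ip"]].add(m["user"])
    return {ip: (counts[ip], users[ip]) for ip in counts}


def flag_bruteforce(log_text, threshold=3):
    """Source IPs with at least `threshold` failed password attempts.

    On a non-standard sshd port, hitting this threshold is a strong hint that
    the source already knew where sshd listens, i.e. a targeted attempt."""
    by_source = failed_logins_by_source(log_text)
    return sorted(ip for ip, (n, _) in by_source.items() if n >= threshold)


if __name__ == "__main__":
    for ip, (n, names) in failed_logins_by_source(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {n} failures, users tried: {sorted(names)}")
    print("flagged:", flag_bruteforce(SAMPLE_AUTH_LOG))
```

The output of `flag_bruteforce` is what you would feed to a blocklist or an alert; the usernames set is kept because a source cycling through many accounts looks different from one hammering a single account.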
By redirecting SSH to a non-standard port - you are making a hacker's life more difficult - because they will not be 100% sure which port you are using to access your system.
Port 22 - is the default port as you are aware. But if you have altered this to a non-standard port... I now need to go and carry out a port-scan using Nmap or some other tool to try and detect where the ssh server is now listening - this increases the chances of your IDS (Intrusion Detection System) detecting this type of malicious behaviour - and can allow you to start to take counter-measures (such as denying the target's IP address).
Whilst it is true that to CREATE a listening port below 1024 you need root access - the sshd (the ssh daemon [server]) will have been started at boot time, and that alone will not stop priv/non-priv users from accessing the ssh process.
Should you wish to stop ssh for root - and this is always a good thing to stop - then the ssh.config (it changes a little in its name depending on the OS being used - look, however, in /etc/ssh/ )
The value that controls if a root account can log in is
This value and not the Port number - which by the way is configured using a value such as
Is how to restrict.
Ssh is a fantastic, flexible and secure communication mechanism - but only if understood and used correctly.
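The answer above leaves out the actual configuration values. As an added example (not the answer's own text or code), here is a small Python audit of an `sshd_config` that checks the two standard OpenSSH directives involved: `PermitRootLogin`, which governs root login, and `Port`, which only moves the listener. Two facts the checker relies on are documented sshd behaviour: for a keyword that appears more than once, sshd keeps the first value it reads, and `Port` may appear several times to listen on several ports. The default of `prohibit-password` for `PermitRootLogin` is the OpenSSH 7.0+ default. The config texts are constructed samples; settings inside `Match` blocks are deliberately out of scope.

```python
import re

# Constructed sshd_config samples (not taken from the page).
WEAK_CONFIG = """\
# Default listener, root may log in with a password.
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 3389
PermitRootLogin no
# A later duplicate does NOT override: sshd keeps the first value it reads.
PermitRootLogin yes
PasswordAuthentication no
"""

# "Keyword value" or "Keyword=value"; keywords are case-insensitive in sshd.
DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)(?:\s*=\s*|\s+)(.+)$")


def parse_sshd_config(text):
    """Return (settings, ports).

    settings: lowercase keyword -> first value seen (sshd's first-wins rule)
    ports:    every Port directive, in order (sshd listens on all of them)
    Parsing stops at the first Match block, whose conditional settings this
    simple checker does not model."""
    settings = {}
    ports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "match":
            break
        if key == "port":
            ports.append(int(value))
        elif key not in settings:
            settings[key] = value
    return settings, ports


def audit(text):
    """Summarise the root-login and listener settings with a list of findings."""
    settings, ports = parse_sshd_config(text)
    root = settings.get("permitrootlogin", "prohibit-password")  # OpenSSH 7.0+ default
    listen = ports or [22]  # sshd default port when no Port line is present
    findings = []
    if root == "yes":
        findings.append("PermitRootLogin yes: root may log in, with a password "
                        "if PasswordAuthentication allows it")
    if 22 in listen:
        findings.append("sshd listens on the default port 22: expect scanner noise")
    return {"permit_root_login": root, "ports": listen, "findings": findings}


if __name__ == "__main__":
    print("weak:    ", audit(WEAK_CONFIG))
    print("hardened:", audit(HARDENED_CONFIG))
```

The duplicated `PermitRootLogin` in the hardened sample is there on purpose: an administrator who appends `PermitRootLogin no` to the end of a file that already says `yes` near the top has changed nothing, and the audit shows why.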
In general, there are two main reasons why someone might want to run SSH listening on a high port:
- Since it's not the "standard" port, random attempts to break in (botnets) are less likely to connect to it
- If the port number is over 1024, the SSH daemon has one less "root privilege" it needs to be trusted with
Furthermore, if a NAT device sits in front of several servers running SSH, it can't map port 22 to all of them, so in that case it might be configured, for example, to redirect external port 10022 to internal service 192.0.2.10:22 and external port 11022 to 192.0.2.11:22.
However, in the case of Kippo, what you're installing is an "SSH honeypot", a program that is supposed to look like an SSH command line on a usable system but actually responds slowly and does nothing useful. You want to run that both on the regular SSH port (22) as well as on a frequently-used high port (2222); actually it's easier to run it as a user on the high port and then use iptables to redirect the low port to the high port on the same host. It's also possible to use netcat (nc) or xinetd to set up a redirect.
In order for Kippo to listen on the low port (either directly or via a redirect), the regular system SSH daemon can't already be listening there. Furthermore, in order to make your honeypot more believable, you don't want the system daemon listening on another "common" open port.
From a security standpoint it would be most effective to roll dice to pick that alternate port, but RDP is unlikely to be listening on a typical Linux server, so if you already remember that port number it might be fun to work with. Other "interesting" choices might be something like 5190 (AOL) or 1214 (KaZAA).
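The redirect idea in the answer above (honeypot runs unprivileged on a high port, something else forwards the low port to it) is shown here as an added example, not code from the answer or from Kippo: a pure-Python userspace forwarder of the kind netcat or xinetd would provide, with a stand-in "honeypot" that only sends a banner and echoes one line. Both listeners bind to ephemeral loopback ports (port 0) so the demo needs no root and does not touch a real port 22; the banner string is constructed and is not Kippo's.

```python
import asyncio

# Constructed banner for the stand-in honeypot (not the real Kippo banner).
BANNER = b"SSH-2.0-OpenSSH_HoneypotExample\r\n"


async def _honeypot_client(reader, writer):
    """Stand-in for the honeypot on the high port: banner, echo one line, close."""
    writer.write(BANNER)
    await writer.drain()
    line = await reader.readline()
    writer.write(b"echo:" + line)
    await writer.drain()
    writer.close()
    await writer.wait_closed()


async def _pipe(reader, writer):
    """Copy bytes one way until EOF, then close the destination side."""
    try:
        while True:
            data = await reader.read(4096)
            if not data:
                break
            writer.write(data)
            await writer.drain()
    except OSError:
        pass  # peer went away mid-copy; the other direction will see EOF
    finally:
        writer.close()


async def _redirect_client(reader, writer, target_port):
    """A connection arrived on the 'low' port: open a second connection to the
    high port and pump bytes both ways (what an iptables REDIRECT does in-kernel)."""
    t_reader, t_writer = await asyncio.open_connection("127.0.0.1", target_port)
    await asyncio.gather(_pipe(reader, t_writer), _pipe(t_reader, writer))


async def run_demo(low_port=0, high_port=0):
    """Start the honeypot on high_port and the redirector on low_port (0 = any
    free port), connect through the redirector, and return what the client saw."""
    honeypot = await asyncio.start_server(_honeypot_client, "127.0.0.1", high_port)
    high = honeypot.sockets[0].getsockname()[1]
    redirector = await asyncio.start_server(
        lambda r, w: _redirect_client(r, w, high), "127.0.0.1", low_port)
    low = redirector.sockets[0].getsockname()[1]
    try:
        reader, writer = await asyncio.open_connection("127.0.0.1", low)
        banner = await reader.readline()
        writer.write(b"uname -a\n")
        await writer.drain()
        reply = await reader.readline()
        writer.close()
        await writer.wait_closed()
    finally:
        redirector.close()
        honeypot.close()
        await redirector.wait_closed()
        await honeypot.wait_closed()
    return {"low_port": low, "high_port": high, "banner": banner, "reply": reply}


def demo():
    """Run the whole exchange and return the result dict."""
    return asyncio.run(run_demo())


if __name__ == "__main__":
    print(demo())
```

The client never learns which port the honeypot really listens on: everything it sees comes back through the redirector's port, which is exactly the property that lets the low-privilege honeypot appear to be listening on a privileged port.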