75

I have seen advice saying you should use different port numbers for private applications (e.g. intranet, private database, anything that no outsider will use).

I am not entirely convinced that can improve security because

  1. Port scanners exist
  2. If an application is vulnerable, it remains so regardless of its port number.

Did I miss something or have I answered my own question?

Sam
  • 975

12 Answers

77

It doesn't provide any serious defense against a targeted attack. If your server is being targeted then, as you say, they will port scan you and find out where your doors are.

However, moving SSH off the default port of 22 will deter some of the non-targeted and amateur script kiddie type attacks. These are relatively unsophisticated users who are using scripts to port scan large blocks of IP addresses at a time specifically to see if port 22 is open and when they find one, they will launch some sort of attack on it (brute force, dictionary attack, etc). If your machine is in that block of IPs being scanned and it is not running SSH on port 22 then it will not respond and therefore will not show up in the list of machines for this script kiddie to attack. Ergo, there is some low-level security provided but only for this type of opportunistic attack.

By way of example, if you have the time - log dive on your server (assuming SSH is on port 22) and pull out all the unique failed SSH attempts that you can. Then move SSH off that port, wait some time, and go log diving again. You will undoubtedly find fewer attacks.

I used to run Fail2Ban on a public webserver and it was really, really obvious when I moved SSH off port 22. It cut the opportunistic attacks by orders of magnitude.

jdw
  • 3,955
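jdw suggests measuring the effect by pulling the unique failed SSH attempts out of the log before and after the move. The Python below is an added example (not code from the answer or from Fail2Ban) that does that log dive over a few constructed auth.log lines in OpenSSH's "Failed password for ... from <ip> port <n> ssh2" format; the sample lines, hostname and addresses are invented for the demonstration, and the same functions run unchanged over a real /var/log/auth.log when a path is passed on the command line.

```python
import re
import sys
from collections import Counter

# Constructed auth.log lines in OpenSSH's format; the hostname and addresses
# are invented for this example (the addresses come from documentation ranges).
SAMPLE_AUTH_LOG = """\
Jan 10 03:14:15 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 03:14:17 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan 10 03:14:20 host1 sshd[1203]: Failed password for root from 198.51.100.77 port 40210 ssh2
Jan 10 03:15:01 host1 sshd[1205]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2: ED25519 SHA256:constructed-fingerprint
Jan 10 03:16:42 host1 sshd[1207]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Jan 10 03:18:09 host1 sshd[1209]: Failed password for invalid user oracle from 198.51.100.78 port 40400 ssh2
"""

# One failed password attempt per line. "invalid user" is present when the
# account does not exist on the box and absent when it does (e.g. root).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)


def failed_logins(log_text):
    """Yield (username, source_ip) for each failed password attempt."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def summarize(log_text):
    """Count failed attempts per source IP and per attempted username."""
    by_ip, by_user = Counter(), Counter()
    for user, ip in failed_logins(log_text):
        by_ip[ip] += 1
        by_user[user] += 1
    return by_ip, by_user


def unique_sources(log_text):
    """Number of distinct source addresses with at least one failed attempt."""
    by_ip, _ = summarize(log_text)
    return len(by_ip)


def report(log_text):
    """Print the figures worth comparing before and after moving sshd."""
    by_ip, by_user = summarize(log_text)
    print(f"{sum(by_ip.values())} failed attempts from {len(by_ip)} unique sources")
    for ip, n in by_ip.most_common():
        print(f"  {ip:15} {n}")
    print("usernames tried:", ", ".join(u for u, _ in by_user.most_common()))


if __name__ == "__main__":
    # Pass a path (e.g. /var/log/auth.log) to analyse a real log; without an
    # argument the constructed sample above is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTH_LOG
    report(text)
```

Run it once while sshd is on port 22, then again after the move; the difference in "unique sources" is the drop in opportunistic traffic jdw describes, and the usernames list shows how generic the attempts are (admin, test, oracle) when they come from port-22 sweeps.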
47

It's very helpful to keep the logs clean.

If you see failed attempts with sshd running on port 33201 you can safely assume that the person is targeting you and you have the option of taking the appropriate action if you so desire, such as contacting the authorities, investigating who this person may be (by cross-referencing with the IPs of your registered users or whatever), etc.

If you use the default port then it will be impossible to know if someone is attacking you or it's just random idiots doing random scans.

29

No, it doesn't. Not really. The term for this is Security by Obscurity and it's not a reliable practice. You are correct in both of your points.

Security by Obscurity at best will deter the casual attempts that just go around looking for default ports knowing that at some point they will find someone who left the front door open. However, if there is ever any serious threat that you face, changing the default port will at most slow the initial attack down, but only ever so marginally because of what you've already pointed out.

Do yourself a favor and leave your ports configured properly, but take the proper precautions of locking them down with a proper firewall, authorizations, ACLs, etc.

squillman
  • 38,163
14

It's a slight level of obscurity, but not a significant speed-bump on the road to hackage. It's a harder config to support long-term since everything that talks to that particular service has to be told about the different port.

Once upon a time it was a good idea in order to avoid network worms, since those tended to scan just one port. However, the time of the rapidly multiplying worm is now past.

sysadmin1138
  • 135,853
13

As others have pointed out, changing the port number does not offer you much security.

I'd like to add that changing the port number may actually be detrimental to your security.

Imagine the following simplified scenario. A cracker scans 100 hosts. Ninety-nine of these hosts have services available on these standard ports:

Port    Service
22      SSH
80      HTTP
443     HTTPS

But then there is one host which stands out from the crowd, because the system owner tried to obfuscate their services.

Port    Service
2222    SSH
10080   HTTP
10443   HTTPS

Now, this might be interesting to a cracker, because the scan suggests two things:

  1. The owner of the host is trying to hide the port numbers on their system. Perhaps the owner thinks there is something valuable on the system. This may not be a run-of-the-mill system.
  2. They chose the wrong method to secure their system. The administrator made a mistake by believing in port obfuscation, which indicates that they may be an inexperienced administrator. Perhaps they used port obfuscation in lieu of a proper firewall, or a proper IDS. They might have made other security mistakes as well, and might be vulnerable to additional security attacks. Let's probe a little further now, shall we?

If you were a cracker, would you choose to take a look at one of the 99 hosts running standard services on standard ports, or this one host which is using port obfuscation?

Stefan Lasiewski
  • 24,361
9

I'm going to go against the general trend, at least partially.

On its own, changing to a different port might gain you a couple of seconds while it's searched for, hence gaining you nothing in real terms. However, if you combine the use of non-standard ports together with anti-portscan measures it can give a really worthwhile increase in security.

Here's the situation as it applies to my systems: Non-public services are run on non-standard ports. Any connection attempt to more than two ports from a single source address, whether successful or not, within a specified amount of time results in all traffic from that source being dropped.

To beat this system would require either luck (hitting the right port before getting blocked) or a distributed scan, which triggers other measures, or a very long time, which would also be noticed and acted on.

5

In my opinion moving the port that an application runs on does not increase security at all - simply for the reason that the same application is running (with the same strengths and weaknesses) just on a different port. If your application has a weakness, moving the port that it listens on to a different port doesn't address the weakness. Worse, it actively encourages you to NOT address the weakness because now it is not being hammered on constantly by automated scanning. It hides the real problem which is the problem that should actually be solved.

Some examples:

  • "It cleans up the logs" - Then you have a problem with how you are handling your logs.
  • "It reduces connection overhead" - The overhead is either insignificant (as most scanning is) or you need some kind of filtering/Denial-of-Service mitigation done upstream.
  • "It reduces the application's exposure" - If your application can't stand up to automated scanning and exploitation then your application has serious security deficiencies that need to be addressed (i.e., keep it patched!).

The real issue is administrative: People expect SSH to be at 22, MSSQL to be at 1433 and so on. Moving these around is one more layer of complexity and required documentation. It's very annoying to sit down at a network and have to use nmap just to figure out where things have been moved. The additions to security are ephemeral at best and the downsides are not insignificant. Don't do it. Fix the real problem.

2

You are correct that it will not bring much security (as the TCP server port range has only 16 bits of entropy), but you may do it for two other reasons:

  • as others have already said: intruders trying many logins can clutter your log files (even if dictionary attacks from a single IP can be blocked with fail2ban);
  • SSH needs public key cryptography to exchange secret keys to create a secure tunnel (this is a costly operation that under normal conditions does not need to be done very often); repeated SSH connections could waste CPU power.

Remark: I am not saying that you should change the server port. I am just describing reasonable reasons (IMO) to change the port number.

If you do that, I think that you need to make it clear to every other admin or user that this should not be considered a security feature, and that the port number used is not even a secret, and that describing this as a security feature that brings real security is not considered acceptable behaviour.

1

I can see one hypothetical situation where there would be a potential security benefit in running your sshd on alternate port. That would be in the scenario where a trivially exploited remote vulnerability is discovered in the sshd software you are running. In such a scenario running your sshd on an alternative port might give you just the extra time you need not to be a random drive-by target.

Myself I do run the sshd on an alternative port on my private machines, but that is mainly as a convenience to keep down the clutter in /var/log/auth.log. On a multi-user system I really don't consider the small hypothetical security benefit presented above to be enough reason for the extra hassle caused by the sshd not being found on the standard port.

EEAA
  • 110,608
andol
  • 7,074
1

It slightly increases security. In that the attacker having found the open port now has to work out what's running on the port. Not having access to your config files (yet :-) ) he has no idea whether port 12345 is running http, sshd, or one of a thousand other common services, so they need to do extra work to figure out what's running before they can seriously attack it.

Also, as another poster pointed out, whereas attempts to log into port 22 could be clueless script kiddies, zombie trojans or even genuine users who mistyped an IP address, an attempt to log into port 12345 is almost certain to be either a genuine user or a serious attacker.

Another strategy is to have a few "honey trap" ports. As no genuine user would know about these port numbers then any connection attempt must be considered malicious and you can block/report the offending IP address automatically.

There is a special case where using a different port number will definitely make your system more secure. If your network is running a public service such as a Web Server but also running an internal use only web server, you can absolutely block any external access by running on a different port number and blocking any external access from this port.

user23523
  • 121
0

From experience, yes.

I'd say it's a good thing to do, it's a shield against automatic (usually Russian and Chinese) brute force attacks, which are extremely common and attack randomly. Once you change the ports, you don't have to worry about those bots again.

If you're concerned about a real threat, and you are their target, then it's definitely not enough.

Sasino
  • 1
0

Not by itself. However, not using the default port for a particular application (say, SQL Server) will basically force your attacker to scan your ports; this behavior can then be detected by your firewall or other monitoring metrics, and the attacker's IP blocked. Also, the average "script kiddie" will more likely be deterred when the simple tool or command script they're using doesn't find a SQL server instance on your machine (because the tool only checks the default port).

KeithS
  • 135
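The tripwire described in the anti-portscan answer above (drop all traffic from a source that touches more than two ports within a time window), user23523's "honey trap" ports (any connection to them is treated as malicious), and KeithS's point that forcing an attacker to scan makes the scan itself detectable are all one piece of per-source state tracking. The Python below is an added example, not code from any of the answers: it runs that logic over a constructed list of connection attempts (timestamp, source address, destination port) standing in for what a firewall or connection log would yield. The thresholds, port numbers and addresses are assumptions chosen for the demonstration, and the "drop" decisions are returned rather than enforced; feeding them to a real firewall is left to the deployment.

```python
from collections import defaultdict, deque

# Constructed connection attempts: (seconds, source_ip, destination_port).
# Invented for this example; 2222 and 10443 play the relocated sshd and
# HTTPS, 3306 is an unused "honey trap" port that no real client should touch.
SAMPLE_ATTEMPTS = [
    (0.0,  "192.0.2.10",    2222),   # legitimate user on the relocated sshd
    (1.0,  "203.0.113.5",   22),     # sweep starts on the default port
    (1.5,  "203.0.113.5",   80),     # second distinct port: still allowed
    (2.0,  "203.0.113.5",   443),    # third distinct port in the window: blocked
    (2.5,  "203.0.113.5",   2222),   # would have found sshd, but the source is blocked
    (3.0,  "198.51.100.77", 3306),   # honey trap port: blocked on first touch
    (40.0, "192.0.2.10",    2222),   # same user again, same port: allowed
    (70.0, "192.0.2.11",    2222),   # another user touching two real services
    (71.0, "192.0.2.11",    10443),  # two distinct ports is within the limit
]


class ScanTripwire:
    """Per-source sliding-window counter of distinct destination ports.

    A source is blocked when it touches more than `max_ports` distinct ports
    within `window` seconds, or when it touches any honey trap port at all.
    """

    def __init__(self, max_ports=2, window=60.0, honeypot_ports=()):
        self.max_ports = max_ports
        self.window = window
        self.honeypot_ports = frozenset(honeypot_ports)
        self._seen = defaultdict(deque)   # ip -> deque of (ts, port) in window
        self.blocked = {}                 # ip -> (ts, reason)

    def observe(self, ts, ip, port):
        """Record one attempt and return 'allow' or 'drop' for it."""
        if ip in self.blocked:
            return "drop"                 # everything from a blocked source is dropped
        if port in self.honeypot_ports:
            self.blocked[ip] = (ts, f"touched honey trap port {port}")
            return "drop"
        q = self._seen[ip]
        q.append((ts, port))
        while q and ts - q[0][0] > self.window:
            q.popleft()                   # expire attempts older than the window
        distinct = {p for _, p in q}
        if len(distinct) > self.max_ports:
            self.blocked[ip] = (ts, f"{len(distinct)} distinct ports within {self.window:g}s")
            return "drop"
        return "allow"


def run(attempts, **kwargs):
    """Replay attempts through a fresh tripwire; return decisions and blocklist."""
    tripwire = ScanTripwire(**kwargs)
    decisions = [(ip, port, tripwire.observe(ts, ip, port)) for ts, ip, port in attempts]
    return decisions, tripwire.blocked


if __name__ == "__main__":
    decisions, blocked = run(SAMPLE_ATTEMPTS, max_ports=2, window=60.0, honeypot_ports={3306})
    for ip, port, verdict in decisions:
        print(f"{ip:15} -> {port:<6} {verdict}")
    for ip, (ts, reason) in blocked.items():
        print(f"blocked {ip} at t={ts:g}: {reason}")
```

The window matters: it is what lets a genuine user who knows the two relocated services connect to both without tripping the limit, while a sweep that walks the port list crosses the threshold within seconds. The honey trap check runs before the counter so that a single probe of a reserved port is enough, which is exactly the "no genuine user would know about these port numbers" argument made above.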