> I am not certain what this statement implies - SSH defaults to port 22. But the recommendation is to change the port to something else.

I don't read it like that - they just say that you are free to change the port that the SSH daemon is listening on.

> Port 22 is already privileged

Yes, it is.

> but what's the difference if I change it to 483 vs. 2022

Almost none, except that all SSH clients that I know - OpenSSH, Putty, dbclient - will try to use port 22 by default, so you will have to provide a port number manually when connecting to a host using a non-standard port, but as you can save the port number in a config it's a one-time job. And from a practical standpoint, some people prefer setting the SSH daemon to listen on port 80 or 443 to pretend to be HTTP or HTTPS respectively, so that SSH connections will not be blocked by overzealous firewalls in hotels, airports etc.

> in regards to the above note? Regardless of what port I change it to, anyone can still SSH to that port.

I think that by "Anyone can use the unprivileged ports of 1024 and greater." they meant that local non-root users can use non-privileged ports for their services. It's not about connecting to the services listening on a given port from outside, it's about directing local services to use that port. As to why they recommend using a privileged port for the SSH service - the reason is that:

> The TCP/IP port numbers below 1024 are special in that normal users are not allowed to run servers on them. This is a security feature, in that if you connect to a service on one of these ports you are fairly sure that you have the real thing, and not a fake which some hacker has put up for you.

(from http://info.cern.ch/hypertext/WWW/Daemon/User/PrivilegedPorts.html)

To expand on it further - as discussed in these comments on ServerFault:

> It is precisely the reason you shouldn't run privileged daemons on ports above 1023. Any user (local or remote) can DDoS it until it crashes, then a local user (i.e. PHP, Apache, MySQL, anything that has a remote execution vulnerability) can start its own daemon on the same port and then wait for you to connect.