ssh on other ports

[CrucialCarl]

So.. I have a typical boring desk job. I sit here nearly all day and have hardly anything to keep me occupied. I rely on forums and news pages to entertain me. Up until recently, I had a ssh connection to my home computer where i could run AIM, ICQ and IRC.

Somebody was snooping around and asked our facility manager about the 'outside connection' coming from our building. He didnt know, but to be safe, i'm avoiding opening my shell today.

The question is, I am planning on changing my ssh configuration to run on port 80 (currently 22), or something less suspicious. Are there any downsides to this, and what is the best port to use?

 

[n0cmonkey]

There shouldn't be any downside to doing so, other than possibly getting in trouble for using it. Don't use it if you aren't supposed to.

 

[cmetz]

CrucialCarl, if some admin has the technical capability to see what TCP port you're using, they probably have the techncial capability to inspect the payload and will be able to figure out what you're doing quickly. If your employer's policy would forbid you from doing what you're doing, don't do it.

If this is just an admin being fascist, then why change? Just make sure your boss will smack 'em.

Of course, most admins who are clueful enough to sniff & inspect app data to find out what people are doing are also clueful enough not to care too much about users using SSH.

 

[eigen]

Exactly how would the admin inspect the payload on a ssh connection?

 

[cmetz]

eigen, your favorite sniffer, ethereal, tcpdump, etc. There are also hardware boxes that do intelligent L7 classification, and I would assume some of the commercial sniffers do that too. Obviously they cannot see the session's plaintext, but they can see enough to identify with assurance that the protocol in use is SSH - that much is NOT hidden. Telnet to an ssh server on its port and see for yourself - the greeting banner is something like this:

SSH-2.0-OpenSSH_3.7.1p2

Even without digging in much, if a sysadmin with a clue is wondering what you're running, he can telnet to the server's port by hand, get this banner, and know what's up. Similarly, it'll be in the first data payload back from the server on a new TCP connection, conveniently at the beginning of what your sniffer would have recorded for the session.

 

[n0cmonkey]

Originally posted by: eigen
Exactly how would the admin inspect the payload on a ssh connection?

MITM.

 

[buleyb]

Originally posted by: eigen
Exactly how would the admin inspect the payload on a ssh connection?

pretty much said already, but you don't need to inspect the data being encrypted to get an idea whats going on.

and Carl, if you are bored enough to toss work ethic aside, tell your manager or bring a book, all this is regardless to the fact that you know you aren't supposed to be doing it, but you still do. People like you are the reason corporate usage policies became so necessary.