<div dir="ltr"><br><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">
<br>
<br>
</div></div>Ah, SELinux again... Kinda' defeats the purpose these days, doesn't it?<br>
<div class="HOEnZb"><div class="h5"><br>
</div><div class="h5"><br></div></div></blockquote><div><br></div><div style>No it's doing exactly what it should be doing ... in a 'normal' usercase there's no need for SSH to be on a port other than TCP/22 and this prevents it ... if you need it on another port it's trivial to add on the new port with semanage to the rules...</div>
<div style><br></div><div style>But it's not a good idea to move SSH to a port over 1024 since it leaves you in a potentially vulnerable state in terms of attack surface. This is a key networking daemon that all credentials, data and commands goes over - as such it's ripe for use in a man in the middle attack to gain more information about a system. Only root can bind below 1024 so if SSH (or indeed other services too) have bound to a low port then it must have started life as a root owned process... an unprivileged user cannot bind to these ports at all.</div>
<div style><br></div><div style>If you configure SSH to bind to a port over 1024 then an attacker who achieves unprivileged access to the box (either an attack on a shell account or via another exploitable service such as httpd/php/etc) can use methods to force the process to crash and then bind their own process to that port to man in the middle login details, session information (such as root password) and so on ...</div>
<div style><br></div><div style>If you want SSH on a different port the better options are to pick a port below 1024 (and add that port to the sshd_t context via semanage) or to bind SSH to 22 and to use iptables to do a redirection internally from the high level port you want to the 22 that it is really listening on ... that way an unprivileged process/user cannot impersonate your SSH daemon and externally it's still visible on whichever port you prefer.</div>
</div><br></div></div>