In a Reddit thread on securing SSH access to a Raspberry Pi, one commenter recommended running SSH on a non-standard port of 8123.
Another commenter had this to say on the matter:
Don't change your SSH listening port to anything >1024. An unprivileged rogue process can wait for the SSH daemon to terminate and establish a listening socket on that port. Ports <1024 are reserved to processes running as root.
I personally do not feel this is a significant risk with SSH as:
- The rogue process cannot access the host keys, so would present a different fingerprint to the user when connecting, alerting them to an issue.
- If key based authentication is in use, little can be gained from intercepting communications.
However, not all protocols have this functionality. For example, web proxies running on port 8080 or 3128 generally have no authentication.
How significant is the risk of running on a port number > 1024?