Hey,

> I've been reading up, and talking up, various security strategies. One thing
> that is striking to me in looking at logs for my servers is the endless ssh
> probes that go on. It appears to be one of the most common. Up till recently,
> I had dealt with this by using firewall rules to allow ssh access only to
> selected ip addresses - to all others, the port appears closed (I checked
> this with port scans). Now, I must change strategies. I need to give access
> to an associate who gets his dsl ip address via dhcp, so it's always
> changing. I'm not quite ready to try port knocking, so, the other suggestion
> I read over and over is to provide ssh on a non-standard port. So, I throw
> this out to the collective experience - what's your take on that strategy?
> Won't simple scans reveal the existence of ssh access on a non-standard port?
> Is this really much protection? Is it merely a question of reducing odds?

Here I use a combination of strategies:

- Run sshd on a non-standard port
- Do not allow root logins:

    PermitRootLogin no

- Use AllowUsers to restrict which users can log in:

    AllowUsers user1 user2 user3@xxxxxxxxxxxxxxxxxx

- Use strong passwords
- Use a program to ask something of the user who logs in.

Yes, a simple scan will reveal that you're running ssh on a non-standard port, but you'll not be knocked by the automated bot scans which use the default ssh port. These bot scans are responsible for about 99% of those attempts you're seeing. After those changes I see no attempts in my logs anymore.

-- 
Regards,
Alejandro Flores
http://www.triforsec.com.br/
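As an added example (not part of the original thread or the poster's own setup), the following POSIX shell script audits an sshd_config file for the three settings listed in the reply: a non-default Port, PermitRootLogin no, and an AllowUsers list. The sample config is constructed inline, and the helper names (sshd_value, audit_sshd_config) are assumptions, not anything from the thread.

```shell
#!/bin/sh
# Added example, not part of the original thread: audit an sshd_config file for
# the hardening settings from the reply (non-default Port, PermitRootLogin no,
# AllowUsers set). Helper names and the sample config are assumptions.

# Constructed sample sshd_config content (not taken from any real host).
SAMPLE_CONFIG=$(cat <<'EOF'
# constructed sample sshd_config
Port 2222
Protocol 2
PermitRootLogin no
AllowUsers user1 user2 user3@203.0.113.10
EOF
)

# sshd_value FILE KEY: print the value of the first uncommented KEY line.
# sshd honours the first match, and keywords are case-insensitive.
sshd_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd_config FILE: print PASS/FAIL per check, return 0 only if all pass.
audit_sshd_config() {
    cfg="$1"
    rc=0

    port=$(sshd_value "$cfg" Port)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "FAIL Port: default 22 (the port automated bot scans target)"
        rc=1
    else
        echo "PASS Port: $port"
    fi

    root=$(sshd_value "$cfg" PermitRootLogin)
    if [ "$root" = "no" ]; then
        echo "PASS PermitRootLogin: no"
    else
        echo "FAIL PermitRootLogin: ${root:-unset}"
        rc=1
    fi

    allow=$(sshd_value "$cfg" AllowUsers)
    if [ -n "$allow" ]; then
        echo "PASS AllowUsers: $allow"
    else
        echo "FAIL AllowUsers: unset (any account may attempt to log in)"
        rc=1
    fi

    return "$rc"
}

# Stand-alone run against the constructed sample, cleaned up afterwards.
SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_CONFIG" > "$SAMPLE_FILE"
audit_sshd_config "$SAMPLE_FILE"
rm -f "$SAMPLE_FILE"
```

Run it against a real file with `audit_sshd_config /etc/ssh/sshd_config`; the exit status is non-zero if any check fails, so it can sit in a cron job or a configuration-management check. The Port check is the one the original question is about: it does not make the service invisible, it only takes it out of the path of scanners that look at port 22 alone.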