Re: tightening ssh

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 11/19/05, Claude Jones <claude_jones@xxxxxxxxxxxxxx> wrote:
> On Sat November 19 2005 8:07 am, Alejandro Flores wrote:
> > Hey,
> >
> > > I've been reading up, and talking up, various security strategies. One
> > > thing that is striking to me in looking at logs for my servers are the
> > > endless ssh probes that go on. It appears to be one of the most common.
> > > Up till recently, I had dealt with this by using firewall rules to allow
> > > ssh access only to selected ip addresses - to all others, the port
> > > appears closed (I checked this with port scans). Now, I must change
> > > strategies. I need to give access to an associate who gets his dsl ip
> > > address via dhcp, so it's always changing. I'm not quite ready to try
> > > port knocking, so, the other suggestion I read over and over is to
> > > provide ssh on a non-standard port. So, I throw this out to the
> > > collective experience - what's your take on that strategy? Won't simple
> > > scans reveal the existence of ssh access on a non-standard port? Is this
> > > really much protection? Is it merely a question of reducing odds?
> >
> > Here I use a combination of strategies:
> > - Run SSHD on a non-standard port
> > - Do not allow Root Logins
> > PermitRootLogins no
> > - Use AllowUsers to restrict which user can login
> > AllowUser user1 user2 user3@xxxxxxxxxxxxxxxxxx
> > - Use strong passwords
> > - Use a program to ask something to the user who logs in.
> >
> > Yes, a simple scan will reveal that you're running ssh on a
> > non-standard port, but you'll not be knocked by the automated bot
> > scans who use the default ssh port. These bot scans are responsible
> > for about to 99% of those attempts you're seeing.
> > After those changes I see no attempts on my logs anymore.
> >
> You and Leonard are confirming some things I've concluded, but, it reminds me
> of a second question I haven't really found an answer to. What port? Is it
> best to choose a high port, or pick one in the below 1024 range?
>

Most I have seen choose above 1024.  I personally avoid any that I
know are defaults for other security systems including the firwall
specific distros.

--
Leonard Isham, CISSP
Ostendo non ostento.


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux