On Fri, 31 Dec 2004 10:16:59 +0000, Tony Dietrich <td@xxxxxxxxxxxxxxxxxxxx> wrote:
>
>I agree with Ed Wilts that the best way is to block all sshd connections, then
>open stealth ports for specific fixed IPs.
>
>Just opening an unusual port for sshd won't do the trick ... a port scanner
>will find the hole in seconds, and if your systems have already been
>attacked, then he'll come back for another look at some time - or one of his
>friends will.
>

I use port 2222 on my system because I need to be able to access from my notebook, and its location and IP change with every connection. It's not perfect security; that's why I also use AllowGroups to specify which userids can access via ssh and explicitly disallow root access.

By the way, I like Guarddog as a visual iptables manager.

--
Steve