On Sat November 19 2005 8:07 am, Alejandro Flores wrote:
> Hey,
>
> > I've been reading up, and talking up, various security strategies. One
> > thing that is striking to me in looking at logs for my servers are the
> > endless ssh probes that go on. It appears to be one of the most common.
> > Up till recently, I had dealt with this by using firewall rules to allow
> > ssh access only to selected ip addresses - to all others, the port
> > appears closed (I checked this with port scans). Now, I must change
> > strategies. I need to give access to an associate who gets his dsl ip
> > address via dhcp, so it's always changing. I'm not quite ready to try
> > port knocking, so, the other suggestion I read over and over is to
> > provide ssh on a non-standard port. So, I throw this out to the
> > collective experience - what's your take on that strategy? Won't simple
> > scans reveal the existence of ssh access on a non-standard port? Is this
> > really much protection? Is it merely a question of reducing odds?
>
> Here I use a combination of strategies:
> - Run SSHD on a non-standard port
> - Do not allow Root Logins
>     PermitRootLogin no
> - Use AllowUsers to restrict which user can login
>     AllowUsers user1 user2 user3@xxxxxxxxxxxxxxxxxx
> - Use strong passwords
> - Use a program to ask something to the user who logs in.
>
> Yes, a simple scan will reveal that you're running ssh on a
> non-standard port, but you'll not be knocked by the automated bot
> scans that use the default ssh port. These bot scans are responsible
> for about 99% of those attempts you're seeing.
> After those changes I see no attempts in my logs anymore.

You and Leonard are confirming some things I've concluded, but, it reminds me
of a second question I haven't really found an answer to. What port? Is it
best to choose a high port, or pick one in the below 1024 range?

--
Claude Jones
Bluemont, VA, USA
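The three sshd_config directives discussed in the thread (a non-default Port, PermitRootLogin no, and an AllowUsers list) can be checked from the shell before restarting sshd. This is an added example, not code from either poster; the config fragment it reads is constructed here, and the user names and the 203.0.113.10 address are placeholders.

```shell
#!/bin/sh
# Audit an sshd_config for the hardening directives the thread recommends.
# Constructed sample config (assumption: not a real server's file).
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sshd_config fragment for the audit below
Port 2222
PermitRootLogin no
#PasswordAuthentication yes
AllowUsers user1 user2 user3@203.0.113.10
EOF

# sshd_get FILE DIRECTIVE: print the effective value of a directive.
# sshd honours the FIRST occurrence of a directive, matched case-insensitively;
# lines starting with '#' are comments and are skipped.
sshd_get() {
    awk -v key="$2" 'tolower($1) == tolower(key) { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# audit_sshd FILE: print one OK/WARN line per directive;
# return 0 when all three match the thread's advice, 1 otherwise.
audit_sshd() {
    cfg="$1"; rc=0
    port=$(sshd_get "$cfg" Port)
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "WARN Port: default 22 (non-standard port cuts automated bot noise)"; rc=1
    else
        echo "OK   Port: $port"
    fi
    root=$(sshd_get "$cfg" PermitRootLogin)
    if [ "$root" = "no" ]; then
        echo "OK   PermitRootLogin: no"
    else
        echo "WARN PermitRootLogin: ${root:-unset, sshd default applies}"; rc=1
    fi
    users=$(sshd_get "$cfg" AllowUsers)
    if [ -n "$users" ]; then
        echo "OK   AllowUsers: $users"
    else
        echo "WARN AllowUsers: unset (any valid account may log in)"; rc=1
    fi
    return $rc
}

audit_sshd "$SAMPLE_CFG"
```

Run it against /etc/ssh/sshd_config (as a user allowed to read it) by passing that path to audit_sshd instead of the constructed sample.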