On 11/19/05, Claude Jones <claude_jones@xxxxxxxxxxxxxx> wrote:
> On Sat November 19 2005 8:07 am, Alejandro Flores wrote:
> > Hey,
> >
> > > I've been reading up, and talking up, various security strategies. One
> > > thing that is striking to me in looking at logs for my servers are the
> > > endless ssh probes that go on. It appears to be one of the most common.
> > > Up till recently, I had dealt with this by using firewall rules to allow
> > > ssh access only to selected ip addresses - to all others, the port
> > > appears closed (I checked this with port scans). Now, I must change
> > > strategies. I need to give access to an associate who gets his dsl ip
> > > address via dhcp, so it's always changing. I'm not quite ready to try
> > > port knocking, so, the other suggestion I read over and over is to
> > > provide ssh on a non-standard port. So, I throw this out to the
> > > collective experience - what's your take on that strategy? Won't simple
> > > scans reveal the existence of ssh access on a non-standard port? Is this
> > > really much protection? Is it merely a question of reducing odds?
> >
> > Here I use a combination of strategies:
> > - Run SSHD on a non-standard port
> > - Do not allow Root Logins
> >     PermitRootLogin no
> > - Use AllowUsers to restrict which user can login
> >     AllowUsers user1 user2 user3@xxxxxxxxxxxxxxxxxx
> > - Use strong passwords
> > - Use a program to ask something to the user who logs in.
> >
> > Yes, a simple scan will reveal that you're running ssh on a
> > non-standard port, but you'll not be knocked by the automated bot
> > scans who use the default ssh port. These bot scans are responsible
> > for about 99% of those attempts you're seeing.
> > After those changes I see no attempts on my logs anymore.
>
> You and Leonard are confirming some things I've concluded, but, it reminds me
> of a second question I haven't really found an answer to. What port? Is it
> best to choose a high port, or pick one in the below 1024 range?
>

Most I have seen choose above 1024. I personally avoid any that I know are
defaults for other security systems including the firewall specific distros.

--
Leonard Isham, CISSP
Ostendo non ostento.