At 7:47 AM -0500 11/19/05, Claude Jones wrote:
>I've been reading up, and talking up, various security strategies. One thing
>that is striking to me in looking at logs for my servers are the endless ssh
>probes that go on. It appears to be one of the most common. Up till recently,
>I had dealt with this by using firewall rules to allow ssh access only to
>selected ip addresses - to all others, the port appears closed (I checked
>this with port scans). Now, I must change strategies. I need to give access
>to an associate who gets his dsl ip address via dhcp, so it's always
>changing. I'm not quite ready to try port knocking, so, the other suggestion
>I read over and over is to provide ssh on a non-standard port. So, I throw
>this out to the collective experience - what's your take on that strategy?
>Won't simple scans reveal the existence of ssh access on a non-standard port?
>Is this really much protection? Is it merely a question of reducing odds?

Disclaimer: I haven't set up SSH myself; this is from reading this list, reading the ssh man page, and general knowledge.

Port obscurity is not much of a strategy. Maybe the current scripts don't try other ports, but it would be simple enough to add a port scan and then probe all open ports. Expect it.

I suggest one of the secure ways to set up SSH: public key pair or encrypted passwords. And only allow SSH 2. Public key should be simple /enough/ to set up; your user would need to make a key with GPG and put the private key in the right place (I think man ssh tells where) and give you the public key to put in the right place.

With strong authentication, you don't need to care about probes anymore. Just ignore them.

____________________________________________________________________
TonyN.:' <mailto:tonynelson@xxxxxxxxxxxxxxxxx>
' <http://www.georgeanelson.com/>
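The reply's recommendations (SSH-2 only, key-based authentication instead of password guessing, and not relying on the port number) can be checked mechanically against a server's sshd_config. The following is an added example written for this page, not code from either poster; it assumes sshd_config's documented rule that keywords are case-insensitive and that the first occurrence of a keyword wins, and it runs against two constructed config snippets embedded in the script (a real host would pass the contents of its own sshd_config instead).

```shell
#!/bin/sh
# Added example (not from the mailing-list post): audit an sshd_config text
# for the settings the reply recommends. Assumes sshd's parsing rules:
# keywords are case-insensitive, '#' lines are comments, first match wins.

# Constructed sample: a default-ish config of the kind seen in 2005.
sample_weak=$(cat <<'EOF'
Port 22
Protocol 2,1
PasswordAuthentication yes
PubkeyAuthentication yes
EOF
)

# Constructed sample: SSH-2 only, keys only, on a non-default port.
# The commented-out line must be ignored by the audit.
sample_hardened=$(cat <<'EOF'
#Port 22
Port 2222
Protocol 2
#PasswordAuthentication yes
PasswordAuthentication no
PubkeyAuthentication yes
EOF
)

# sshd_setting CONFIG_TEXT KEYWORD
# Prints the effective value of KEYWORD (first non-comment match), or
# nothing if the keyword is not set, in which case sshd's default applies.
sshd_setting() {
    printf '%s\n' "$1" | awk -v key="$2" '
        !found && $1 !~ /^#/ && tolower($1) == tolower(key) { val = $2; found = 1 }
        END { print val }'
}

# audit_sshd_config CONFIG_TEXT
# Prints one finding per line; returns 0 when the config matches the
# reply's advice and 1 when something still needs changing.
audit_sshd_config() {
    audit_cfg=$1
    audit_rc=0

    proto=$(sshd_setting "$audit_cfg" Protocol)
    case "$proto" in
        2) ;;
        "") echo "FAIL: Protocol not set; older OpenSSH defaulted to 2,1, set 'Protocol 2' explicitly"
            audit_rc=1 ;;
        *)  echo "FAIL: Protocol $proto still permits SSH-1"
            audit_rc=1 ;;
    esac

    pw=$(sshd_setting "$audit_cfg" PasswordAuthentication)
    pw=${pw:-yes}   # sshd's default when the keyword is absent
    if [ "$pw" != "no" ]; then
        echo "FAIL: PasswordAuthentication is $pw; password guessing from probes still works"
        audit_rc=1
    fi

    pk=$(sshd_setting "$audit_cfg" PubkeyAuthentication)
    pk=${pk:-yes}   # sshd's default when the keyword is absent
    if [ "$pk" != "yes" ]; then
        echo "FAIL: PubkeyAuthentication is $pk; key-based logins are disabled"
        audit_rc=1
    fi

    port=$(sshd_setting "$audit_cfg" Port)
    port=${port:-22}
    echo "INFO: listening on port $port; a non-default port hides nothing from a port scan"

    return $audit_rc
}

echo "== constructed weak config =="
audit_sshd_config "$sample_weak" || echo "-> needs changes"
echo "== constructed hardened config =="
audit_sshd_config "$sample_hardened" && echo "-> matches the advice"
```

Run it as-is to see both verdicts, or replace the sample text with `"$(cat /etc/ssh/sshd_config)"` to audit a live host. Note that the Port line is only ever reported as INFO: moving the port changes which scans find the service, not whether a probe that does find it can log in, which is exactly the reply's point about relying on strong authentication instead.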