On Wed, 2005-11-23 at 09:00 -0800, John Wendel wrote:
> Mike Klinke wrote:
> > On Wednesday 23 November 2005 02:00, Vijay Gill wrote:
> >
> >> Recently I started using key based authentication and disabled
> >> passwords in /etc/ssh/sshd_conf. My question is, is it safe to
> >> open the port 22 in my iptables firewall script?
> >
> > There's no black and white answer to that. On a scale of 1 to 10
> > you might want to assign numbers as follows:
> >
> > 1 = unsafe
> > 3 = password authentication enabled
> > 6 = key based authentication only
> > 7 = allowing only certain IP addresses to access
> > 10 = no access allowed to anyone
> >
> > Some people are perfectly comfortable using strong passwords and
> > will consider anything over a '2' to be "safe". Others would only
> > consider "safe" to be something at '7' or better and I'm certain
> > you'll hear that '10' is the only sure defense.
> >
> > Regards, Mike Klinke
>
> I use a different port number (like 12322) and change it frequently.
> Makes it a little harder for the port scanners to find you.

Be careful how you state things. Using a different port makes it harder
for the script kiddies to find you since their scripts are usually not
flexible. Port scanning can still find you within seconds (it scans many
ports, not just the one usually used for a specific service).

With that said, yes, using a different port can improve the security
measurably and is certainly a viable option to add to the toolbox. Most
of the problems I see on ssh are script kiddie attacks.

Another tool I use religiously on remote servers I manage is sshdfilter.
It does realtime monitoring of all ssh attempts and manages iptables
rules to block hacking attempts.

http://www.csc.liv.ac.uk/~greg/sshdfilter/

> Regards,
>
> John
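The thread makes two defender-side points that are easy to get subtly wrong: that "disabled passwords in sshd_config" really means key-only access, and that a log-watching filter like sshdfilter should block repeat brute-force sources without locking the administrator out. The following Python is an added example written for this page; it is not sshdfilter's code and not anything the posters supplied. It assumes the classic syslog-style OpenSSH log line format and OpenSSH's documented config semantics (first value for a keyword wins; PasswordAuthentication, ChallengeResponseAuthentication and PubkeyAuthentication all default to yes). The config snippets and log lines are constructed, with addresses from the RFC 5737 documentation ranges.

```python
"""Added example: two checks behind the advice in the thread.

1. audit_sshd_config(): confirm sshd_config really disables password
   logins, including the keyboard-interactive path that PAM can still
   use when only PasswordAuthentication is turned off.
2. parse_failures() / offending_ips() / block_rule(): the core of what a
   log-driven filter such as sshdfilter does, reduced to one pass over
   log lines: count failed attempts per source IP and emit an iptables
   DROP rule for repeat offenders, never touching an allow-listed host.

Config text and log lines below are constructed for the example.
"""
import re
from collections import Counter

# --- 1. sshd_config audit ---------------------------------------------

def sshd_settings(text):
    """Return {keyword_lowercase: value} with OpenSSH semantics: the first
    value seen for a keyword wins, comments and blank lines are ignored,
    and parsing stops at the first Match block (simplification: Match
    sections are not evaluated here)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)   # first occurrence wins
    return settings

def audit_sshd_config(text):
    """Return a list of findings; an empty list means key-only as intended.
    Defaults assumed here are OpenSSH's: yes for all three keywords."""
    s = sshd_settings(text)
    findings = []
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no' (default is yes)")
    if s.get("challengeresponseauthentication", "yes").lower() != "no":
        findings.append("ChallengeResponseAuthentication is not 'no': with "
                        "UsePAM, keyboard-interactive can still ask for a password")
    if s.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is disabled; nobody can log in")
    return findings

# --- 2. brute-force source detection over auth log lines ---------------

# Classic syslog-style OpenSSH lines (format assumed; newer releases vary).
FAIL_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for (?:invalid user )?\S+|Invalid user \S+)"
    r" from (\d{1,3}(?:\.\d{1,3}){3})"
)

def parse_failures(lines):
    """Count failed-login events per source IPv4 address."""
    counts = Counter()
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def offending_ips(counts, threshold=3, never_block=frozenset()):
    """IPs at or above threshold, minus the allow-list. Your own management
    address belongs in never_block, or a filter like this locks you out."""
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and ip not in never_block)

def block_rule(ip, port=22):
    """iptables command dropping SSH connections from ip. Returned as a
    string instead of executed: review it, then run it as root."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"

# Constructed samples.
WEAK_CONFIG = "Port 22\n#PasswordAuthentication no\nUsePAM yes\n"
HARD_CONFIG = ("Port 12322\nPasswordAuthentication no\n"
               "ChallengeResponseAuthentication no\nPubkeyAuthentication yes\n")
SAMPLE_LOG = [
    "Nov 23 09:01:12 srv sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Nov 23 09:01:14 srv sshd[1234]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "Nov 23 09:01:16 srv sshd[1236]: Invalid user oracle from 203.0.113.9",
    "Nov 23 09:01:20 srv sshd[1237]: Failed password for invalid user test from 203.0.113.7 port 51300 ssh2",
    "Nov 23 09:02:00 srv sshd[1240]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2",
    "Nov 23 09:02:05 srv sshd[1241]: Failed password for alice from 198.51.100.4 port 40001 ssh2",
]

if __name__ == "__main__":
    for finding in audit_sshd_config(WEAK_CONFIG):
        print("config:", finding)
    counts = parse_failures(SAMPLE_LOG)
    for ip in offending_ips(counts, threshold=3, never_block={"198.51.100.4"}):
        print(block_rule(ip))
```

Run stand-alone it reports the two gaps in the weak config and prints one DROP rule for 203.0.113.7, the only source with three failures; the administrator's own address stays untouched because it is allow-listed, and 203.0.113.9 stays below the threshold. A real filter adds what this one-pass version omits: a sliding time window, expiry of old blocks, and running continuously against the live log rather than a finished file.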