Re: Is it safe to open ssh port to world with only key based authentication?

Vijay Gill wrote:
> I am working on the idea of writing a small script which will modify
> the port of sshd every day according to some logic I will use on the
> client side to find the port for that day. This script will run in
> background and will do the job of modifying the config file and
> restarting of the service automatically.

There comes a point where these tricks buy you very little extra
security and a lot of hassle. I think you're reaching that point.

If anyone just wants a botnet of compromised clients, then they don't
actually want every possible computer that's out there. It's
counter-productive to compromise a computer that's being administered by
a security paranoid. (I'd better note that "paranoid" is a compliment
where computer security's involved).

Paranoid sysadmins are too likely to suspect something, or uncover them.
Then questions get asked, people may be called in, computer forensics
may be applied, the police might be called, and if the evidence is good
enough, warrants may be issued.

Far better to aim just at those people who are most unlikely to notice
that something's wrong. The chance of getting caught is much lower. With
SSH exploits, that probably means you *don't* want people running SSH on
non-standard ports.

This all assumes, of course, that crackers are logical.

If, on the other hand, someone wants *your* computer in particular, then
they will just port-scan every port you have until they find a
vulnerable one.

And that probably won't be an SSH port. Real remote exploits with OpenSSH
are very rare, and haven't been published since UsePrivilegeSeparation
was added three years ago. If you have that turned on, and apply updates
regularly, opening SSH to the network is not a major security risk.

See http://openssh.org/security.html for details.

James.

-- 
E-mail address: james | Watch your grammar, teams: the double negative is a
@westexe.demon.co.uk  | complete no-no.
                      |     -- "I'm Sorry, I Haven't A Clue", BBC Radio 4
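The reply above rests on two settings: authentication is really key-only, and privilege separation is not switched off. The following is an added example (it is not part of the original thread and was not written by either poster) that audits an sshd_config file for exactly those settings, using constructed sample files so it runs without sshd installed. It assumes the "Keyword value" form of the config file (not "Keyword=value") and ignores Match blocks; the keyword names are real sshd_config options. Note that sshd uses the first occurrence of a keyword, and that in OpenSSH 7.5 and later UsePrivilegeSeparation no longer exists because privilege separation is always on, so an absent keyword is treated as the default "yes".

```shell
#!/bin/sh
# Added example, not from the original thread: audit an sshd_config file
# for key-only authentication and privilege separation.

# get_opt FILE KEYWORD
# Print the lower-cased value of the first uncommented occurrence of
# KEYWORD (sshd keywords are case-insensitive and the first match wins).
# Prints nothing when the keyword is absent, so callers can apply the
# sshd default themselves.
get_opt() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == tolower(key) && !seen { val = tolower($2); seen = 1 }
        END { if (val != "") print val }
    ' "$1"
}

# audit_sshd_config FILE
# Print one ok/FAIL line per check; return 0 only if every check passes.
audit_sshd_config() {
    cfg="$1"
    rc=0

    # Password logins must be off. sshd's default is yes, so absent == weak.
    pw=$(get_opt "$cfg" PasswordAuthentication)
    if [ "${pw:-yes}" = "no" ]; then
        echo "ok   PasswordAuthentication no"
    else
        echo "FAIL PasswordAuthentication is '${pw:-yes (default)}'"; rc=1
    fi

    # Keyboard-interactive (challenge-response) auth can still prompt for a
    # password through PAM, so it must be off too. Default is yes. OpenSSH
    # 8.7+ renamed the keyword to KbdInteractiveAuthentication; accept both.
    cr=$(get_opt "$cfg" ChallengeResponseAuthentication)
    [ -z "$cr" ] && cr=$(get_opt "$cfg" KbdInteractiveAuthentication)
    if [ "${cr:-yes}" = "no" ]; then
        echo "ok   ChallengeResponseAuthentication no"
    else
        echo "FAIL ChallengeResponseAuthentication is '${cr:-yes (default)}'"; rc=1
    fi

    # Public-key auth must stay enabled (default yes), or nobody can log in.
    pk=$(get_opt "$cfg" PubkeyAuthentication)
    if [ "${pk:-yes}" = "yes" ]; then
        echo "ok   PubkeyAuthentication yes"
    else
        echo "FAIL PubkeyAuthentication is '$pk'"; rc=1
    fi

    # Privilege separation must not be disabled. Default is yes, and in
    # OpenSSH 7.5+ the keyword is gone because privsep is always on.
    ps=$(get_opt "$cfg" UsePrivilegeSeparation)
    case "${ps:-yes}" in
        no) echo "FAIL UsePrivilegeSeparation no"; rc=1 ;;
        *)  echo "ok   UsePrivilegeSeparation ${ps:-yes (default)}" ;;
    esac

    return $rc
}

# Constructed sample configs (not real hosts), written to a temp dir so the
# functions run against actual files.
SAMPLE_DIR=$(mktemp -d)
WEAK_CFG="$SAMPLE_DIR/sshd_config.weak"
HARDENED_CFG="$SAMPLE_DIR/sshd_config.hardened"

cat > "$WEAK_CFG" <<'EOF'
# constructed: password logins left on, privsep switched off
Port 22
PasswordAuthentication yes
UsePrivilegeSeparation no
EOF

cat > "$HARDENED_CFG" <<'EOF'
# constructed: key-only login, privsep left at its default (yes)
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF

echo "== weak =="
audit_sshd_config "$WEAK_CFG" || echo "weak config failed the audit"
echo "== hardened =="
audit_sshd_config "$HARDENED_CFG" && echo "hardened config passed the audit"
```

On a live host, running the same checks against the output of `sshd -T` (which prints the effective configuration with defaults filled in) is more reliable than reading the file, because it resolves includes and Match blocks that this file-based audit deliberately ignores.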
