On Wed, 2007-10-03 at 15:46 -0600, Karl Larsen wrote:
> Alan M. Evans wrote:
> > On Wed, 2007-10-03 at 15:40 -0500, Steve Siegfried wrote:
> >
> >> Changing ports for ssh isn't actually that hot of an idea. Most port scanners
> >> can detect ssh implementations since they normally self-identify. For example,
> >> if you're running ssh on the normal port (22), try executing:
> >> /usr/bin/telnet YOUR.HOST.IP.ADDR 22
> >> and see what pops out.
> >>
> >
> > Of course. But most attacks aren't scanning every port on your machine
> > and trying to identify unknown services. Mostly they're just going for
> > the low-hanging fruit on the standard port numbers.
> >
>
> This whole line of reasoning is false.

Calm down, Karl. There's nothing at all false about my line of reasoning,
unless you claim that most attacks attempt all or most ports on the target
system searching for a login prompt. In fact, they don't. If I were to move
my SSH port to something non-standard, say 37017, for example, I would see
virtually *none* of the login attacks that my system logs four or five times
a day against port 22.

> I don't care if Hacker, the
> bad guy, gets on my computer with ssh. He then needs to come up with a
> valid login name and password. If he fails at this in some set time it
> all quits.

That's great, as long as SSH works as advertised, and nobody is lucky or has
inside information about your passwords. If the attack is exploiting an
unknown or unpatched flaw in SSH then you're out of luck. We're talking here
about layers of security. If an attack is directed at one layer, the others
are there to compensate.

> Until you can convince me that my system is at risk from ssh when
> using a real password I am going to sleep well.

I don't think anyone's trying to convince you of anything. Given your
history on this list, I doubt it possible anyway. Keep your SSH and your
"real password" and sleep like a baby. As for me, I won't trust SSH alone.
I employ other methods, including rsa keys, special iptables rules, and
SELinux, to enhance the security of my system. (For the record, I run SSH on
the standard port, despite the fact that I claim it would enhance security
further.) Everyone has to decide for themselves what layers are too
burdensome. It would be a false line of reasoning to assume that your
comfort level is sufficient for everyone else, and anything that you don't
do is, therefore, a waste of time.
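The "login attacks that my system logs four or five times a day against port 22" mentioned in the reply above show up in sshd's auth log as "Failed password" lines. The following is an added example, not code from anyone in this thread: it parses OpenSSH-style auth log lines, counts failed logins per source address, and flags sources over a threshold. The log lines are constructed sample data using documentation IP ranges, and the threshold value is an arbitrary assumption; the output is the kind of per-source count that a log-watching tool or an iptables rule would act on.

```python
"""Count failed sshd logins per source address from auth log lines.

Added example (not from the original post). Parses OpenSSH syslog-style
'Failed password' / 'Accepted <method>' lines and flags source addresses
that exceed a failure threshold.
"""
import re
from collections import Counter

# Constructed sample log lines in OpenSSH's syslog format (not real data;
# addresses come from the documentation ranges).
SAMPLE_LOG = """\
Oct  3 15:40:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Oct  3 15:40:03 host sshd[2103]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Oct  3 15:40:05 host sshd[2105]: Failed password for root from 203.0.113.7 port 51041 ssh2
Oct  3 15:41:10 host sshd[2110]: Failed password for karl from 198.51.100.9 port 40100 ssh2
Oct  3 15:42:00 host sshd[2115]: Accepted publickey for alan from 192.0.2.5 port 39022 ssh2
Oct  3 15:42:30 host sshd[2118]: Failed password for invalid user test from 203.0.113.7 port 51060 ssh2
Oct  3 15:43:00 host sshd[2120]: Accepted password for karl from 198.51.100.9 port 40111 ssh2
"""

# Matches the 'Failed <method>' and 'Accepted <method>' messages sshd logs.
# 'invalid user' marks login names that do not exist on the system.
SSHD_AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_auth_events(log_text):
    """Return a list of dicts, one per sshd auth line; non-matching lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = SSHD_AUTH_RE.search(line)
        if not m:
            continue
        events.append({
            "result": m.group("result"),          # "Failed" or "Accepted"
            "method": m.group("method"),          # password, publickey, ...
            "user": m.group("user"),
            "invalid_user": m.group("invalid") is not None,
            "src": m.group("src"),
            "port": int(m.group("port")),
        })
    return events


def failed_by_source(events):
    """Counter of failed logins keyed by source address."""
    return Counter(e["src"] for e in events if e["result"] == "Failed")


def flag_sources(events, threshold=3):
    """Sources with at least `threshold` failures, most active first.

    The threshold is an assumed value for the example, not a recommendation.
    """
    counts = failed_by_source(events)
    return [(src, n) for src, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    evs = parse_auth_events(SAMPLE_LOG)
    for src, n in flag_sources(evs):
        print(f"{src}: {n} failed logins")
```

Feed it a real auth log and the same functions apply unchanged; the distinction between "invalid user" failures and failures for existing accounts is often the more useful signal than the raw count, since the former is almost always automated guessing.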