John Horne wrote:
> On Mon, 2005-10-03 at 16:44 +0100, Thomas Arrow wrote:
>>> Move the port that ssh listens on to another, eg 222; that way only you
>>> will know the port and you can still access it from anywhere.
>>
>> I'm probably wrong, but then couldn't someone run nmap on you and then try
>> all open ports?
>
> No, you are right. Although moving the port may stop the automated-type
> attacks, if someone manually connects to the port (after port scanning)
> then they will probably see that it is ssh.

It may stop these automated attacks, but other automated tools already spot services running on unusual ports. SSH isn't like Freenet, which is designed to make it deliberately difficult to tell what service you've connected to.

I think a different port is not sufficient, because it is an obvious next target after the current ssh attack saturates the weakly passworded machines on port 22, especially when it is easy to scan and short-list the targets.

Geeky as it is, port knocking might offer some protection, but whether it adds significantly compared to picking a better password, or using public keys, is rather doubtful. SSH is designed to protect against "man in the middle" style attacks, but port knocking provides little additional protection against that sort of attack. Still, port knocking, or another port, would trivially kill all the current dross; getting rid of the log file noise has its own value!

> I would much rather restrict who can get in (using TCP wrappers in this
> case or IPtables as was also suggested), and limit the damage if they do
> (rootkit checkers/tripwire?), than try and hide what I want to do (which
> is simply login using ssh on its standard port).

Sounds sensible to me. I restrict by IP address, but also restrict who is allowed to log in using ssh ("AllowUsers" in the sshd config file); since the attackers are often using common names and system accounts for applications, just naming who can log in will restrict the scope for the success of this attack.
And for most GNU/Linux boxes it is only the IT staff who log in via SSH, so the list shouldn't be onerous.

--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxxx with "unsubscribe list" in the message body to unsubscribe. FAQ: www.dcglug.org.uk/linux_adm/list-faq.html
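The controls the reply settles on (keys rather than passwords, an explicit AllowUsers list, root locked out, with IP restriction left to TCP wrappers or iptables rather than to a non-default port) as an added example that is not part of the thread or of OpenSSH itself: a small POSIX shell audit of an sshd_config, run against two constructed configs, one weak and one hardened. The temp-file names, the user names alice and bob, and the 192.0.2.0/24 network in the comments are assumptions for the demonstration, not anything from the list posts.

```shell
#!/bin/sh
# Added example (not from the list thread): audit an sshd_config for the
# controls discussed above. The two sample configs below are constructed
# for the demonstration and written to temporary files.

# Deliberately weak: default port, root allowed, passwords allowed, no
# AllowUsers list, so every account on the box is a valid guessing target.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
EOF

# The same file hardened as the thread suggests: keys instead of passwords,
# root locked out, and only the named staff accounts allowed. The port stays
# at 22; moving it is not relied on as a control.
HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers alice bob
EOF
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

# cfg_value FILE KEYWORD: print the keyword's value, or nothing if it is not
# set. sshd uses the first occurrence of a keyword, so we stop at the first
# match; comment lines never match because their first field starts with '#'.
cfg_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# audit_sshd FILE: print one line per weak setting and return the number of
# findings (0 = passes). A keyword that is absent is treated as not being
# set to the safe value, since the historical OpenSSH defaults for these
# keywords were the permissive ones.
audit_sshd() {
    f=$1; n=0
    if [ "$(cfg_value "$f" PermitRootLogin)" != "no" ]; then
        echo "PermitRootLogin is not 'no': root is a guessable target"; n=$((n+1))
    fi
    if [ "$(cfg_value "$f" PasswordAuthentication)" != "no" ]; then
        echo "PasswordAuthentication is not 'no': use public keys instead"; n=$((n+1))
    fi
    if [ -z "$(cfg_value "$f" AllowUsers)" ] && [ -z "$(cfg_value "$f" AllowGroups)" ]; then
        echo "no AllowUsers/AllowGroups: every local account can be tried"; n=$((n+1))
    fi
    # Informational only: a non-default port is noise reduction, not a control.
    port=$(cfg_value "$f" Port)
    if [ -n "$port" ] && [ "$port" != "22" ]; then
        echo "note: Port $port is not 22; service detection (e.g. nmap -sV) still identifies sshd"
    fi
    return $n
}

# finding_count FILE: the number of findings as a printed integer.
finding_count() {
    audit_sshd "$1" | grep -vc '^note:' | tr -d ' '
}

# The IP restriction the thread prefers lives outside sshd_config. With TCP
# wrappers (sshd built with libwrap) it is two lines, assuming the staff
# network is 192.0.2.0/24:
#   /etc/hosts.allow:  sshd: 192.0.2.0/255.255.255.0
#   /etc/hosts.deny:   sshd: ALL

for cfg in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== auditing $cfg"
    if audit_sshd "$cfg"; then
        echo "ok: no findings"
    fi
done
```

Running the script prints three findings for the weak file and "ok: no findings" for the hardened one. The same `audit_sshd` function can be pointed at a real /etc/ssh/sshd_config; remember to restart sshd after editing it, and to test a new key-based login from a second session before closing the one you already have.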