On Wed, September 23, 2015 00:11, Always Learning wrote:> > > That is great. When I started on Linux that was one of the very > first things I did. Every machine, including servers, has port 22 > replaced by a unique alternative port. Port 22 is also blocked in > IPtables. > > There is an army of dangerous nutters attempting to break-in to > everything. They often mask their attacks using compromised Windoze > computers all around the world. >Changing the port that sshd listens on solves nothing from a security perspective. The only people that this action deflects are the script-kiddies. Who are admittedly numerous and who can be dangerous but usually are just low-talent opportunists. Moving the port by itself still opens a functioning connection to the internet on a service that is inherently susceptible to brute force and rainbow attacks. The 'dangerous' people on the Internet will find this port in a heartbeat and they are far more worrisome than the script-kiddies. Since you absolutely must build a defence against these opponents anyway then you might as well leave the service on the default port to avoid screwing up legitimate users expectations. I grant that dealing with an excessive logfile volume can be a consideration. However, this issue is often best dealt with through scripting your own analysis and reporting programs or employing someone else's. And is often solved with an aggressive set of firewall rules. In fact, the volume of entries should be a good indication of how well your defence is serving you. As you tighten the access rules and dynamically block persistent abusers then the volumes should drop and stay fairly low. Moving the port by itself is like rearranging the deck chairs on a sinking ship. It does not address the fundamental issue. Plus assignment to a non-standard port adds to maintenance and support load since it must be separately accounted for each time it is referenced. -- *** e-Mail is NOT a SECURE channel *** Do NOT transmit sensitive data via e-Mail James B. Byrne mailto:ByrneJB at Harte-Lyne.ca Harte & Lyne Limited http://www.harte-lyne.ca 9 Brockley Drive vox: +1 905 561 1241 Hamilton, Ontario fax: +1 905 561 0757 Canada L8E 3C3
On Wed, 23 Sep 2015, James B. Byrne wrote:> Moving the port by itself still opens a functioning connection to > the internet on a service that is inherently susceptible to brute > force and rainbow attacks. The 'dangerous' people on the Internet > will find this port in a heartbeat and they are far more worrisome > than the script-kiddies. Since you absolutely must build a defence > against these opponents anyway then you might as well leave the > service on the default port to avoid screwing up legitimate users > expectations.Without disagreeing with the underlying assessment that SSH should be configured securely regardless of the port to which it's bound, my empirical findings are that few find the alternate port, and they certainly don't do it "in a heartbeat." In fact, rooting out casual ssh port scans gives you a much better sense of who the 'dangerous' people really are. When you see failed logins in /var/log/secure, you're less likely to write them off as the price of being on the Internet and more likely to see them as a real threat. Legitmate users aren't really an issue. If you give them access, then it's easy to tell them they need a stanza in ~/.ssh/config: Host *.mydomain Port NNNN [... etc ...] Again, this isn't a workaround for a sloppy ssh configuration, but I do think it has some value. -- Paul Heinlein heinlein at madboa.com 45?38' N, 122?6' W