On Tue, 2016-05-17 at 14:34 -0600, Dustin Kempter wrote:

> Connecting to 104.197.158.61 [104.197.158.61] port 22.

(1) I would change the port from 22 to something more difficult to guess, perhaps 49026 (for example) and then block port 22 in the firewall.

(2) Allow to port 49026 (for example) traffic from your IP and block traffic from all other IPs.

Do not forget there are people out there desperate to get into your computer system, so make it more difficult for them.

-- 
Regards,
Paul.
England, EU.

England's place is in the European Union.

On May 17, 2016, at 7:56 PM, Always Learning <centos at u68.u22.net> wrote:

> (1) I would change the port from 22 to something more difficult to
> guess, perhaps 49026 (for example) and then block port 22 in the
> firewall.

If you're going to change the port, change it to something <1024. You don't want to have sshd running on a port that a non-root user can bind to.

-- 
Jonathan Billings <billings at negate.org>

On Tue, 2016-05-17 at 20:12 -0400, Jonathan Billings wrote:

> On May 17, 2016, at 7:56 PM, Always Learning <centos at u68.u22.net> wrote:
> > (1) I would change the port from 22 to something more difficult to
> > guess, perhaps 49026 (for example) and then block port 22 in the
> > firewall.
>
> If you're going to change the port, change it to something <1024. You don't want to have sshd running on a port that a non-root user can bind to.

But if, as I suggested, the enquirer restricts access to that port to his own IP, access attempts from other IPs will fail. Ports > 1024 can be accessed by authorised non-root users using the authorised originating IP whilst preventing access from all other IPs.

-- 
Regards,
Paul.
England, EU.

England's place is in the European Union.

On 2016-05-17, Always Learning <centos at u68.u22.net> wrote:

> (1) I would change the port from 22 to something more difficult to
> guess, perhaps 49026 (for example) and then block port 22 in the
> firewall.
>
> (2) Allow to port 49026 (for example) traffic from your IP and block
> traffic from all other IPs.
>
> Do not forget there are people out there desperate to get into your
> computer system, so make it more difficult for them.

If you've blocked access to the sshd port for all but whitelisted IPs, there's little point in moving sshd to a nonstandard port. If you want defense in depth, use the cloud firewall, the host firewall, and something like sshguard, and just leave sshd on port 22.

--keith

-- 
kkeller at wombat.san-francisco.ca.us
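Paul's two steps (move sshd off 22, then allow the new port only from your own IP) and Keith's variant (leave sshd on 22 and whitelist at the host firewall) both reduce to one source-restricted firewall rule. The script below is an added example, not code posted by anyone in this thread: it prints the CentOS 7 firewalld commands for either variant and, for a non-default port, the extra steps CentOS needs before sshd will bind to it (SELinux only permits sshd to listen on ports labelled ssh_port_t, hence the semanage call). The admin address 203.0.113.10 and the port 49026 are placeholder values; the "ssh" service being present in the active firewalld zone is the stock CentOS 7 default. It prints the commands rather than running them so you can review them before applying.

```shell
#!/bin/sh
# Added example (not from the thread): generate the CentOS 7 commands that
# restrict sshd to a single source IP, on port 22 or on a custom port.
# Placeholder values: admin IP 203.0.113.10, custom port 49026.

# valid_port PORT: succeed only if PORT is an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# sshd_lockdown_cmds IP PORT: print the commands, one per line.
# For PORT != 22 the sshd_config edit, SELinux port label and sshd restart
# are printed as well; for PORT == 22 only the firewall change is needed.
sshd_lockdown_cmds() {
    ip=$1; port=$2
    if ! valid_port "$port"; then
        printf 'invalid port: %s\n' "$port" >&2
        return 1
    fi
    if [ "$port" -ne 22 ]; then
        # Point sshd at the new port (handles both "#Port 22" and "Port 22").
        printf '%s\n' "sed -i 's/^#\\?Port .*/Port $port/' /etc/ssh/sshd_config"
        # Let SELinux allow sshd to bind the non-default port.
        printf '%s\n' "semanage port -a -t ssh_port_t -p tcp $port"
    fi
    # Drop the stock rule that opens port 22 to the whole world ...
    printf '%s\n' "firewall-cmd --permanent --remove-service=ssh"
    # ... and accept the chosen port only from the admin's address.
    printf '%s\n' "firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=$ip/32 port port=$port protocol=tcp accept'"
    printf '%s\n' "firewall-cmd --reload"
    if [ "$port" -ne 22 ]; then
        printf '%s\n' "systemctl restart sshd"
    fi
    return 0
}

# Usage: print the plan for the placeholder admin IP and custom port.
# sshd_lockdown_cmds 203.0.113.10 49026
```

Whatever port you pick, apply the firewall rule from a second session and confirm you can still log in from the whitelisted address before closing the first one; a typo in the source address locks you out, and if you also moved the port you will need the cloud console to recover.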