On Thu, 5 May 2011, Rob Owens wrote:

> I hesitate to mention this, because it will start an argument about
> security through obscurity, but you can run your ssh server on a port
> other than 22. It really does nothing for security, but it will keep
> your firewall logs a lot cleaner because it avoids pesky scripts that
> circulate the internet, trying to brute force ssh servers.

Hi Rob. I'm glad you mentioned that it doesn't do anything for security.
Yes it would keep logs a bit cleaner. I've never[1] changed the ssh port
on any host and never been terribly worried about the state of the logs as
a result.

Changing the port is only really viable for home servers. It can't
reliably be done on any service used by a lot of people any more than you
can do this for any other service. You could of course do this if you are
using SRV records (if the client supports it) but then you throw away the
obscurity aspect anyway.

The idea of changing the port number for SSH seems to stem from the idea
that SSH is somehow more dangerous to run than another service and so
needs special treatment. I think this idea comes from the fact that a
successful SSH login will give you a shell and that sounds a bit scary.
The thing to remember is that exploits of other network services normally
involve the execution of arbitrary code. And what is the arbitrary code
that they run? It is often a shell.

Most Linux systems will be using OpenSSH which comes from the OpenBSD
project. It is likely the best audited code on many Linux systems and is
thus likely to be less of a threat to system security than running many
other services.

Treat all network services as a potential threat whether they are designed
to give you a shell or not. Keep the system patched, restrict access to
the service to legitimate users if you can, and follow best practice for
locking down each service.

[1] I've been using SSH since 1996 or 1997.

Cheers,
Rob
--
Email: rob...@timetraveller.org Linux counter ID #16440
IRC: Solver (OFTC & Freenode)
Web: http://www.practicalsysadmin.com
Contributing member of Software in the Public Interest (http://spi-inc.org/)
Open Source: The revolution that silently changed the world
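
An added example, not part of the original message: a small audit of sshd_config text that reports a non-default port as log-noise reduction only and checks for the access restrictions the reply recommends. The function names, the sample config and the set of checks are assumptions chosen for illustration; Match blocks are not evaluated.

```python
SAMPLE_CONFIG = """\
# constructed sample, not from the original message
Port 2222
PermitRootLogin yes
#AllowUsers alice
PasswordAuthentication yes
PasswordAuthentication no
"""

MULTI = {"port", "allowusers", "allowgroups"}  # keywords that may repeat


def parse_sshd_config(text):
    """Return {keyword: [values]} for the global section of an sshd_config."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue                # blank line or comment
        key, values = parts[0].lower(), parts[1:]
        if key == "match":          # conditional blocks are out of scope here
            break
        if key in MULTI:
            settings.setdefault(key, []).extend(values)
        elif key not in settings:   # sshd uses the first value it reads
            settings[key] = values
    return settings


def audit(text):
    """Return findings as (severity, message) tuples."""
    cfg = parse_sshd_config(text)
    findings = []
    ports = cfg.get("port", ["22"])
    if ports != ["22"]:
        findings.append(("info", f"Port {','.join(ports)}: fewer log entries, not an access control"))
    if not (cfg.get("allowusers") or cfg.get("allowgroups")):
        findings.append(("warn", "no AllowUsers/AllowGroups: any account may attempt login"))
    # OpenSSH enables password authentication unless it is turned off
    if cfg.get("passwordauthentication", ["yes"])[0].lower() != "no":
        findings.append(("warn", "password authentication enabled: guessing attacks remain possible"))
    if cfg.get("permitrootlogin", [""])[0].lower() == "yes":
        findings.append(("warn", "PermitRootLogin yes: root is reachable directly"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"{severity}: {message}")
```

In the sample, the second PasswordAuthentication line has no effect because the first value read is the one used, so the password warning is still raised.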