On 15 Jan. 2007, at 19:05, Oliver Fromme wrote:

Gerard Seibert wrote:
Reko Turja wrote:
Moving your sshd port somewhere else than 22 - the prepackaged
"cracking" programs don't scan ports, just blindly try out the
default port - with a determined/skilled attacker it's a different
matter entirely, though.

Security through Obscurity is not true security at all. You are simply
assuming that other ports are not being scanned.

I don't think he's assuming that.  He is just suggesting an
effective solution to the problem that hundreds of failed
login attempts are filling the OP's logs and cron mails.
He didn't claim that it increases security.

In fact, I would also recommend moving the ssh service
from port 22 to a different, non-standard port if possible.
If you want, you can even have the sshd daemon listen on
_both_ port 22 _and_ your non-standard port 122, and limit
access to port 22 to a few well-known IP addresses, using
a packet filter.  That way you diminish the usual "blind"
attempts on port 22, but you can still login using the
non-standard port if you happen to come from an unknown
IP address, so you don't lock yourself out.

Of course, it is important to understand that changing
the port number will not significantly increase security.
However, it might give you a slight advance when yet
another ssh security bug is discovered and exploits start
circulating while you're asleep.  Usually the first
exploits are quick and dirty hacks which have port 22
hardcoded, and most script kiddies who blindly scan
random networks don't have enough clue to change it.  ;-)

Of course, you still need to patch or update your sshd
as quickly as possible if necessary, and you still need
to use good passwords, or -- even better -- don't use
passwords at all, but use key-based authentication.
Another thing that might be useful are one-time passwords
(OPIE), especially when you're connecting from a foreign
client such as a public terminal.

Best regards
   Oliver

It is quite correct but too paranoid. You may consider trying to use
security/bruteblock or security/bruteforceblocker. These programs are
very easy to configure and give you notifications on ssh bruteforce
attacks.

--
AIM-UANIC | AIM-RIPE  +-----[ FreeBSD ]-----+
Alexander Mogilny     | The Power to Serve! |
<> [EMAIL PROTECTED]       +---------------------+
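Added example (not from the thread, and not the code of bruteblock or bruteforceblocker): a small illustration of what such log watchers do, tying together the failed-login noise the OP complains about and Oliver's packet-filter idea. It counts sshd "Failed password" lines per source address inside a sliding time window and emits pfctl commands for a hypothetical pf table named "bruteforce"; the log excerpt, hostnames and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Count only "Failed password" lines: sshd logs a separate "Invalid user" line
# for unknown names, which would double-count a single guess.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed auth.log excerpt (documentation addresses): one fast guesser, one slow drip, one key login.
SAMPLE_LOG = """\
Jan 15 19:05:01 gw sshd[8123]: Failed password for root from 203.0.113.5 port 40011 ssh2
Jan 15 19:05:02 gw sshd[8123]: Failed password for root from 203.0.113.5 port 40012 ssh2
Jan 15 19:05:04 gw sshd[8125]: Failed password for invalid user admin from 203.0.113.5 port 40013 ssh2
Jan 15 19:05:05 gw sshd[8125]: Failed password for invalid user test from 203.0.113.5 port 40014 ssh2
Jan 15 19:00:00 gw sshd[8101]: Failed password for oliver from 198.51.100.7 port 51000 ssh2
Jan 15 19:09:00 gw sshd[8111]: Failed password for oliver from 198.51.100.7 port 51001 ssh2
Jan 15 19:18:00 gw sshd[8121]: Failed password for oliver from 198.51.100.7 port 51002 ssh2
Jan 15 19:27:00 gw sshd[8131]: Failed password for oliver from 198.51.100.7 port 51003 ssh2
Jan 15 19:06:00 gw sshd[8130]: Accepted publickey for oliver from 192.0.2.10 port 51100 ssh2
""".splitlines()

def parse_failures(lines, year=2007):
    """Return {ip: [datetime, ...]}; classic syslog has no year, so one is assumed."""
    failures = defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            failures[m["ip"]].append(ts)
    return failures

def find_bruteforcers(lines, threshold=4, window=300):
    """Return {ip: total failures} for sources with >= threshold failures inside
    any `window` seconds; a slow drip from a forgetful user is not flagged."""
    offenders = {}
    for ip, times in parse_failures(lines).items():
        times.sort()
        # Sliding window: compare the i-th failure with the one threshold-1 before it.
        for i in range(threshold - 1, len(times)):
            if (times[i] - times[i - threshold + 1]).total_seconds() <= window:
                offenders[ip] = len(times)
                break
    return offenders

def pf_table_commands(offenders, table="bruteforce"):
    """pfctl commands to add offenders to a pf table the ruleset blocks (not executed here)."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(offenders)]
```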



_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
