Owen Densmore wrote circa 10-11-22 09:10 PM:
> I had heard that port scans were *very* fast to occur so it was with
> a LOT of trepidation that I opened port 22, ssh, for use through my
> firewall to my home server.
> [...]
> I disabled ssh password authentication, using public/private keys only.  This 
> seems safe, but who knows .. the config file is a bit hard to understand, I 
> used:
>   PasswordAuthentication no
>   ChallengeResponseAuthentication no
>   UsePAM no

I also recommend:

PermitRootLogin forced-commands-only

This will allow you to PKA in as root for explicit things like rsync,
but not a login shell.  Of course, if you don't want any root PKA
access, then set it to "no" if it's not already set that way.

> Security experts: is it reasonably safe to open the firewall port 22
> if only key access is allowed?

I'm no expert; but yes, it's reasonable.  However, accept the fact that
you'll waste some bandwidth on the scanners.  To limit that, I recommend
something like DenyHosts:

   http://denyhosts.sourceforge.net/

> I know some folks move the port to 24 or some other to obscure the
> port usage, but I didn't see that as important .. but am I wrong, and
> it *is* a good idea to move the ssh port? I believe the 'bots are
> pretty agile.

It is a good idea.  It's like locking your car.  It won't keep out the
serious criminals; but it keeps out the random people just looking to
rifle through your car to see what they can find.  Plus it helps keep
your log (and hosts.deny) files smaller.  I have ~700 entries in my
/etc/hosts.deny file. [sigh]

Having said all that, though, I usually don't change the port.

-- 
glen e. p. ropella, 971-222-9095, http://tempusdictum.com
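An added example of the forced-command setup glen describes above (this is not code from either message; the wrapper path /usr/local/sbin/rsync-only and the key comment are made up for illustration). With "PermitRootLogin forced-commands-only", sshd will only accept a root key whose authorized_keys line carries a command="..." option, and then runs that command instead of whatever the client asked for. The wrapper below checks the client's original request (which sshd hands over in $SSH_ORIGINAL_COMMAND) and only lets an rsync server invocation through:

```shell
#!/bin/sh
# rsync-only: forced-command wrapper for a root key that may do nothing but rsync.
# Added example, not from the original post. Assumed install path (hypothetical):
#   /usr/local/sbin/rsync-only
# Matching line in /root/.ssh/authorized_keys (key shortened, comment invented):
#   command="/usr/local/sbin/rsync-only",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA... backup@laptop
# Goes with sshd_config: PermitRootLogin forced-commands-only

# Return 0 only if the client's request is an rsync server invocation made of
# characters rsync actually needs; anything else (a shell, a second command
# glued on with ; or |, redirections, backticks) is refused.
rsync_only_ok() {
    req="$1"
    # 1. It must be what an rsync client sends to the remote side, for both
    #    push ("rsync --server ...") and pull ("rsync --server --sender ...").
    case "$req" in
        "rsync --server "*) ;;
        *) return 1 ;;
    esac
    # 2. Whitelist: delete every character rsync legitimately uses; if anything
    #    is left over (; & | ` $ < > ( ) newline ...) reject the request.
    leftover=$(printf '%s' "$req" | tr -d 'A-Za-z0-9 ./_=,-')
    [ -z "$leftover" ]
}

# Only act when sshd invoked us as a forced command; when the file is run or
# sourced by hand (no SSH_ORIGINAL_COMMAND) the function above is just defined.
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    if rsync_only_ok "$SSH_ORIGINAL_COMMAND"; then
        set -f                        # no glob expansion while splitting the request
        exec $SSH_ORIGINAL_COMMAND    # unquoted on purpose: split into rsync's argv
    else
        logger -p auth.warning "rsync-only: refused: $SSH_ORIGINAL_COMMAND"
        echo "rsync-only: command not permitted" >&2
        exit 1
    fi
fi
```

The client side needs nothing special: "rsync -a /data/ root@server:/srv/backup/" still works, because the client sends "rsync --server ..." and the wrapper lets exactly that through. Note what this does not do: the key can still rsync as root to or from any path, so the next step is to pin the target directory as well (the rrsync script shipped in rsync's support/ directory does that), and paths containing characters outside the whitelist would need the tr set widened.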


============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
lectures, archives, unsubscribe, maps at http://www.friam.org
