Steve ([EMAIL PROTECTED]) scribbled:

> Jason Cooper wrote:
>
> > Bad move. Exposing a single port to the internet is more than enough. I
> > also only expose a few ports (including ssh) to the net. My logs are
> > full of knucklehead script kiddies trying to get in through ssh. At a
> > minimum, disallow root login, and listen on a port other than 22. (At
> > least on the net-facing side). Also, set AllowUsers to just yourself.
> >
> > btw - all those log entries were when I was listening on port 22...
>
> I understand your concerns - I had _exactly_ those concerns too - and
> yes - I can see script kiddy evidence in my logs too.
>
> I've disabled remote root login - and in fact only one user can
> authenticate via SSH - and that user can't do so using only a password.
Yep, I do the same.

> I can't easily move to a non-standard port though (as I want to access
> it from sites which only allow outbound connections to port 22 (don't
> ask me why!)) and in any case - I know I get port-scanned and security
> through an obscure port number is likely to be as effective as a
> chocolate tea-pot.

Are you planning on providing https connections? If not, most places allow
outbound port 80 and port 443 requests. It wouldn't be hidden from automated
scans, but at least it would be the wrong scans. :)

"security through obscurity" is only bad when it is the _only_ security.
However, the few hours it might buy you (on discovery of a new vulnerability)
against automated scans so you can shutdown/upgrade could be a life-saver. As
long as it's understood that's all it's good for...

> I suppose I could constrain the IP addresses of hosts which can
> connect... but I'm not entirely sure that the trade-off between
> usefulness to me and improved security makes that worthwhile...
>
> I realise I run the risk of being compromised if another exploit is
> found in SSH - but my fingers are firmly crossed there... I'm trusting
> for now that I can keep my keys safe and that there isn't a SSH
> back-door... Time will tell I suppose.

A neat thing to remember is that in the event of a new vulnerability being
discovered, shutting down sshd _doesn't_ kill your current session. I've used
that the last time the hole was discovered in openssh.

> I understand that I need a stringent firewall in order to make sure my
> wireless connection can only effect connection to the SSH service.

firewall good. script kiddie bad. :)

Cooper.

-- 
gentoo-user@gentoo.org mailing list
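As an added example (not part of the thread, and not Jason's or Steve's code): a small Python audit that parses the global section of an sshd_config and reports which of the points raised above are missing: PermitRootLogin no, an AllowUsers list, key-only authentication (PasswordAuthentication no), and whether the net-facing listener is still on port 22. Both configs in the block are constructed samples, not real host configs, and the fallback defaults are assumed to be those of recent OpenSSH releases; on a real host compare against the effective settings printed by `sshd -T`.

```python
"""Audit the global section of an sshd_config for the settings discussed
in the thread.  Added example; the configs below are constructed samples."""
import re

# Constructed sample: the kind of config that fills logs with script-kiddie
# password attempts (root allowed, passwords accepted, any user, port 22).
WEAK_CONFIG = """
# constructed sample, not a real host's /etc/ssh/sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Constructed sample applying the thread's advice: no root, one named user,
# keys only, non-default port on the net-facing side.
HARDENED_CONFIG = """
Port 2222
PermitRootLogin no
AllowUsers alice
PasswordAuthentication no
PubkeyAuthentication yes
"""

# Assumed defaults (recent OpenSSH); verify on a real host with `sshd -T`.
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
}


def parse_sshd_config(text):
    """Return {keyword_lowercased: value} for the global section.

    sshd uses the first value it sees for a keyword, so later duplicates are
    ignored; AllowUsers lines accumulate into a list.  Parsing stops at the
    first Match block, whose settings are conditional and not audited here.
    """
    config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            break
        if keyword == "allowusers":
            config.setdefault(keyword, []).extend(value.split())
        elif keyword not in config:
            config[keyword] = value
    return config


def audit(text):
    """Return a list of (keyword, message) findings; an empty list means all
    four points from the thread are covered."""
    cfg = parse_sshd_config(text)

    def effective(key):
        return str(cfg.get(key, DEFAULTS.get(key, ""))).lower()

    findings = []
    if effective("permitrootlogin") != "no":
        findings.append(("PermitRootLogin",
                         f"root login is '{effective('permitrootlogin')}'; set PermitRootLogin no"))
    if not cfg.get("allowusers"):
        findings.append(("AllowUsers",
                         "no AllowUsers list; every local account is a valid login target"))
    if effective("passwordauthentication") != "no":
        findings.append(("PasswordAuthentication",
                         "passwords accepted; set PasswordAuthentication no and use keys"))
    if effective("port") == "22":
        findings.append(("Port",
                         "listening on 22; a non-default port only trims automated-scan noise"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit(text)
        print(f"{name}: {len(results)} finding(s)")
        for keyword, message in results:
            print(f"  {keyword}: {message}")
```

The Port finding is deliberately worded as noise reduction rather than protection, matching the point made above that an obscure port buys time against automated scans and nothing more; the other three findings are the settings that actually close off password guessing and root logins.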