On Jan 16, 2012 3:56 AM, "Alan McKinnon" <alan.mckin...@gmail.com> wrote: > > On Sun, 15 Jan 2012 12:54:51 -0500 > "Walter Dnes" <waltd...@waltdnes.org> wrote: > > > On Thu, Jan 12, 2012 at 06:30:03AM -0500, Tanstaafl wrote > > > > > This is nothing like changing the port for SSH - a port scanner can > > > figure that one out in seconds... > > > > A real BOFH would set up a dummy instance of sshd on the regular > > port, as well as a real sshd instance on another port. The dummy > > instance could be set up to always fail the login attempt, and with > > special iptable rules to not clutter up your logfile. > > > > Actually a real sysadmin[1] would run ssh standardly plus OSSEC with > active rules and dynamically block our Chinese friends > > [1] "real sysadmin" being defined as the quintessentially lazy dude who > is really not into causing himself pain or doing anything that would > increase support tickets in his inbox >
That depends on who are authorized to access the boxen via SSH. In my case, only the IT Division is authorized to access them via SSH, so the "real sysadmin" in me (g) decides it is much easier to shift the port rather than implementing esoteric hardening stuffs ;-) Plus, I get the benefit of ridiculing any IT guy/gal who managed to get him-/herself locked out (thanks to the auto-blacklist) B-) Rgds,
