On Fri, Mar 12, 2010 at 10:16 AM, Derek Smithies <[email protected]> wrote:
> In addition to the deny hosts approach, I would move the ssh port to
> somewhere else.
> ...
> yes yes, this is security by obscurity, (which is a poor form of security), but
You are right that it cuts down attacks, because the great majority of bot attacks don't bother doing anything except port 22. I have only one server not running on port 22, and it basically gets zero scans (in the period Aug 23 2009 to today).

However, if you don't remember that you have done this, it reduces your own ability to connect to your own machine. It is not "discoverable" and may lead you to waste lots of your own time trying to debug a non-existent problem.

A well-configured ssh service isn't going to let an attacker in. Well-configured can mean a lot of things, but includes at least "no passwords, only keys", "only named users", "never root" and "security updated quickly from a reputable source". Adding "blacklist on unsuccessful attempts" helps to prevent your machine wasting resources.

I don't agree that "well-configured" means "on a different port", except possibly in some formally documented environments. And given that most of those are internal networks where the very existence of attack traffic is a great problem -- in other words, if someone is even trying to attack port 22, you'd rather know about it than just ignore it -- I tend to think it's more of a distraction than a benefit.

There is a place for "on a different port"; if you don't want to pay any attention to the security of your servers (i.e. you don't watch log exceptions) and you only have (a small number, e.g. one) machine you are responsible for, then it's a reasonably effective way to be slightly more comfortable when ignoring the operations of your machine.

-jim (who admits to having one machine running ssh on a non-standard port. But only one machine ...)
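The "well-configured" checklist in the message above, turned into a small sshd_config audit. This is an added example, not code from the list thread or from OpenSSH; it assumes OpenSSH's `Keyword value` config syntax, that the first occurrence of a keyword wins, and it ignores everything after the first `Match` line (those settings are conditional). The sample config at the end is constructed.

```sh
#!/bin/sh
# Added example (not from the list thread): audit an sshd_config against the
# checklist in the post above. Assumes OpenSSH sshd_config syntax: "Keyword value",
# case-insensitive keywords, '#' comments, first occurrence wins, and everything
# after the first "Match" line is conditional and ignored here.

# sshd_setting FILE KEYWORD -> effective global value (first match), or nothing
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/                   { next }   # comment line
        tolower($1) == "match"       { exit }   # global section ends here
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# audit_sshd FILE -> one line per finding; exit status = number of findings
audit_sshd() {
    f=$1; n=0
    v=$(sshd_setting "$f" PasswordAuthentication)
    [ "$v" = "no" ] || { echo "passwords accepted (PasswordAuthentication=${v:-unset, default yes})"; n=$((n+1)); }
    # keyboard-interactive via PAM is still a password prompt unless disabled too
    v=$(sshd_setting "$f" ChallengeResponseAuthentication)
    [ "$v" = "no" ] || { echo "challenge-response enabled (ChallengeResponseAuthentication=${v:-unset})"; n=$((n+1)); }
    v=$(sshd_setting "$f" PermitRootLogin)
    [ "$v" = "no" ] || { echo "root login not refused (PermitRootLogin=${v:-unset})"; n=$((n+1)); }
    v=$(sshd_setting "$f" AllowUsers)
    [ -n "$v" ] || { echo "no AllowUsers list: every local account may try to log in"; n=$((n+1)); }
    # a moved port is not a finding, but it is the thing you forget about later
    v=$(sshd_setting "$f" Port)
    [ "${v:-22}" = "22" ] || echo "note: sshd listens on ${v}, not 22; write it down"
    return "$n"
}

# stand-alone demo on a constructed sample (distro-style defaults, mostly commented out)
demo=$(mktemp)
printf '%s\n' '#PermitRootLogin prohibit-password' 'PasswordAuthentication yes' 'AllowUsers jim' > "$demo"
rc=0; audit_sshd "$demo" || rc=$?
echo "$rc finding(s)"
rm -f "$demo"
```

Run it against `/etc/ssh/sshd_config`; a non-zero exit status means at least one item on the checklist is not met.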
