Stephane Bakhos wrote:
>>> It's exciting to see so many people interested in using Linux more and
>>> more. I am often asked about setting up a "small server" for web,
>>>
>> Nice write up Jimmy, one other thing I do is to set the SSH listening
>> port to be something non-standard. It is really just obscuring the fact
>> SSH is there, but it stops all those logged intrusion attempts, and if
>> you put the port up high, the server looks completely closed to incoming
>> traffic on many port scans.
>>
>
> Why not use a VPN like openvpn / gvpe / pptp ?
> You can just have sshd listen only to connections on the vpn.
>
> And if you really need to have sshd on a public ip from time to time, you
> can use port knocking.

What would a VPN give me that SSH does not? I mean I can even do SOCKS proxying over SSH. It would hide SSH, but it would expose a port for VPN.

I find obscuring the SSH port is pretty much the same as port knocking (but less bother, plus I can access it from devices able to SSH but not to port knock), very few will bother finding it, and if they do, they can't brute force it for passwords anyways.

Anyways, maybe someone could explain the merits of double encrypting as Stephane suggests. I suppose it could have helped with the Debian ssh keygen debacle (but weren't VPN keys gen'd using same algo?).

Jeremy

PS: You can alias your ssh command to include the -p19092 (for example), same for SCP.

_______________________________________________
mlug mailing list
[email protected]
https://listes.koumbit.net/cgi-bin/mailman/listinfo/mlug-listserv.mlug.ca
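The three measures raised in this thread (a non-standard port, sshd bound only to a VPN address, no password logins) can be checked against a server's `sshd_config`. The following is an added example, not part of any poster's message; the sample configs, the 10.8.0.1 VPN address and the function names are constructed for illustration.

```python
# Added example: audit the global section of an sshd_config for the three
# measures discussed in this thread. Sample configs are constructed.
MULTI = {"port", "listenaddress"}  # keywords sshd allows more than once
DEFAULTS = {"port": ["22"], "listenaddress": [], "passwordauthentication": "yes"}

def parse_global(text):
    """Parse settings before the first Match block; first value wins."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # Match blocks are conditional overrides, not global policy
        if key in MULTI:
            cfg.setdefault(key, []).append(value)
        else:
            cfg.setdefault(key, value.lower())  # later duplicates are ignored
    return {**DEFAULTS, **cfg}

def host_of(addr):
    """Strip an optional port from a ListenAddress value."""
    if addr.startswith("["):
        return addr[1:addr.index("]")]
    return addr.split(":")[0] if addr.count(":") == 1 else addr

def audit(text):
    cfg = parse_global(text)
    findings = []
    if "22" in cfg["port"]:
        findings.append("default-port")        # draws scanner login attempts
    if cfg["passwordauthentication"] != "no":
        findings.append("password-auth")       # passwords can be brute-forced
    hosts = [host_of(a) for a in cfg["listenaddress"]]
    if not hosts or any(h in ("0.0.0.0", "::") for h in hosts):
        findings.append("listens-everywhere")  # not limited to a VPN address
    return findings

WEAK = "# constructed sample\nPasswordAuthentication yes\nPasswordAuthentication no\n"
HARDENED = ("Port 19092\nListenAddress 10.8.0.1\nPasswordAuthentication no\n"
            "Match Address 10.8.0.0/24\n    PasswordAuthentication yes\n")

if __name__ == "__main__":
    print("weak:", audit(WEAK))
    print("hardened:", audit(HARDENED))
```

The duplicate `PasswordAuthentication` lines in the weak sample show why order matters: sshd uses the first value it reads for a keyword, so a later `no` does not disable password logins.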
