>>>> It's exciting to see so many people interested in using Linux more and
>>>> more. I am often asked about setting up a "small server" for web,
>>>>
>>> Nice write-up Jimmy, one other thing I do is to set the SSH listening
>>> port to be something non-standard. It is really just obscuring the fact
>>> SSH is there, but it stops all those logged intrusion attempts, and if
>>> you put the port up high, the server looks completely closed to incoming
>>> traffic on many port scans.
>>>
>>
>> Why not use a VPN like openvpn / gvpe / pptp ?
>> You can just have sshd listen only to connections on the vpn.
>>
>> And if you really need to have sshd on a public ip from time to time, you
>> can use port knocking.
> What would a VPN give me that SSH does not? I mean I can even do SOCKS
> proxying over SSH. It would hide SSH, but it would expose a port for VPN.
>
> I find obscuring the SSH port is pretty much the same as port knocking
> (but less bother, plus I can access it from devices able to SSH but not
> to port knock), very few will bother finding it, and if they do, they
> can't brute force it for passwords anyways.
>
> Anyways, maybe someone could explain the merits of double encrypting as
> Stephane suggests. I suppose it could have helped with the debian ssh
> keygen debacle (but weren't VPN keys gen'd using same algo?).
>
> Jeremy
>
> PS: You can alias your ssh command to include the -p19092 (for example),
> same for SCP.
It's not about the merits of double encryption. It's about having a very specific set of computers and devices able to access the ssh client, something that fuzzing with the port doesn't accomplish. Any device that can connect to a ssh on a different port can also port knock. Security is a lot about having layers,

_______________________________________________
mlug mailing list
[email protected]
https://listes.koumbit.net/cgi-bin/mailman/listinfo/mlug-listserv.mlug.ca
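The "have sshd listen only on the VPN" setup discussed in the thread, as an added checker that is not part of any of the posts above: it parses a constructed sshd_config and reports whether sshd would still accept connections from outside the VPN subnet. The subnet 10.8.0.0/24 and address 10.8.0.1 are assumptions standing in for whatever the VPN hands out.

```python
import ipaddress

# Constructed sample configs (not from the thread). The first binds sshd to
# an assumed VPN address only; the second just moves the port, as Jeremy does.
SAMPLE_VPN_ONLY = """
Port 22
ListenAddress 10.8.0.1
PasswordAuthentication no
"""
SAMPLE_MOVED_PORT = """
Port 19092
PasswordAuthentication no
"""

def parse_sshd_config(text):
    """Collect keyword -> [values] from the global section, stopping at the first Match block."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()            # sshd keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        options.setdefault(key, []).append(value)  # ListenAddress may repeat; every one applies
    return options

def listen_addresses(options):
    """Return the host part of each ListenAddress (handles host:port and [v6]:port forms)."""
    hosts = []
    for value in options.get("listenaddress", []):
        host = value.split()[0]
        if host.startswith("["):
            host = host[1:host.index("]")]
        elif host.count(":") == 1:
            host = host.split(":")[0]
        hosts.append(host)
    return hosts

def sshd_exposed_beyond_vpn(config_text, vpn_network="10.8.0.0/24"):
    """True if sshd would accept connections from outside the VPN subnet."""
    net = ipaddress.ip_network(vpn_network)
    hosts = listen_addresses(parse_sshd_config(config_text))
    if not hosts:
        return True                       # no ListenAddress at all: sshd binds every interface
    for host in hosts:
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            return True                   # hostname or wildcard: cannot prove it is VPN-only
        if ip.is_unspecified or ip not in net:
            return True                   # 0.0.0.0, :: or a public address
    return False
```

A non-standard port changes nothing in this check; only the bind address decides who can reach sshd before authentication ever runs.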
