On Apr 10, 2017, at 2:17 PM, Jim Garrison <[email protected]> wrote: > > On 4/10/2017 8:22 AM, Paul Heinlein wrote: >> I've got a CentOS 7 VM running off in the cloud. It exposes SSH on >> port 22 to the world. I've thought about moving it to an alternate >> port, and may someday do so, but in the meantime I've tried to keep up >> with best practices for sshd configuration. >> >> I recently changed the KexAlgorithms setting, removing all >> key-exchange algorithms based on NIST curves. (Google variants of >> "ed25519 nist ssh ecdh" for my reasoning.) Anyway, the new setting: >> >> KexAlgorithms >> [email protected],diffie-hellman-group-exchange-sha256 >> >> All of my machines (MacOS 10.12, CentOS 6, CentOS 7) can work with >> this setting, so I don't have to worry about infinite backward >> compatibility. >> >> One interesting and unintended result of this change is that many SSH >> scanners will fail while trying to negotiate a key exchange. The log >> entries are short and sweet: >> >> sshd[18200]: fatal: Unable to negotiate a key exchange method [preauth] >> >> The number of scanners that even get through to the stage of 'Invalid >> user' has dropped from a couple hundred per day to less than a dozen. >> >> Everyone's situation is different, of course, and this alteration may >> not work in your environment -- but you may find it worthwhile raising >> the bar on the KexAlgorithm, Ciphers, and MACs in your sshd_config, >> especially if your SSH daemon is exposed to the world at large. >> > > I've been running sshd on a non-standard port above 5000 for about 7 > years, on various hosting services, both real hardware and more recently > virtual machines. I think in 7 years I've seen only **two** attempted > connections and I think those were from someone just doing a portscan, > as the log messages were one-offs and not repeated. > > There has never been any effort from anybody to actually connect. > Any thoughts on the consequences of arbitrary users being able to run their own sshd on port numbers >1024? Would that mean that if somebody got access to your machine, they could replace the listening sshd with their own?
-- Louis Kowolowski [email protected] Cryptomonkeys: http://www.cryptomonkeys.com/ <http://www.cryptomonkeys.com/> _______________________________________________ PLUG mailing list [email protected] http://lists.pdxlinux.org/mailman/listinfo/plug
