On 05/06/07, Voytek Eymont <[EMAIL PROTECTED]> wrote:
my logs are littered with the usual failed login crap;

is moving ssh to a different port 'good idea' ?

It probably makes these types of automated scans, which are relying on
you having common usernames with obvious passwords, less likely to do
bad things to your machine.

On the other hand, they're already 100% unlikely to access your
machine, assuming you don't have common usernames with obvious
passwords. You can't get better than that.

It also makes it less convenient for you - you have to remember what
the port is, and hope that firewalls don't block you, etc. It's not
much of an inconvenience, but at least in terms of automated scans
like this, it doesn't get you much benefit either.

Iffing there was a remote exploit in openssh, there'd be a different
kind of automated scan; in that scenario, having ssh on a non-standard
port might buy you a bit of time before your vulnerable sshd gets
cracked. More of a gain here - but it's not a common scenario (I'm
pretty sure it's happened at least once, maybe twice, to openssh
though).

If you have a more determined attacker - someone who is specifically
focussed on your machine, as opposed to someone scanning the internet
for quick easy targets - they're going to find it no matter what port
you put it on, so moving it gains you, at best, 60 seconds or so while
they run nmap, and maybe a few more minutes while they look at the
version string openssh sends when you connect to it to figure out that
this odd port is in fact SSH - but does cause you a bit of
inconvenience.

Good is subjective, you need to decide what level of inconvenience
you're willing to tolerate vs how many extra small barriers you want
to put in front of an attacker.

Personally, I run ssh on port 22.

preferably some port that will still allow me access from various places.
what port ? port range ?

I currently have in /etc/ssh/sshd.conf like:

Protocol 2
AllowUsers myname
PermitEmptyPasswords no
LoginGraceTime 30s
MaxAuthTries 2

You've already got this quite locked down. You could take it a step
further by not allowing passwords at all, and relying on the SSH key
you carry on your USB stick to authenticate you. Of course, that again
makes things inconvenient for you - if you left the USB stick at home,
you can't log in. If it gets stolen, not only can you not log in, but
you can't even revoke your key until you get home and get your backup
key on the spare usb stick - meanwhile, whoever stole the key has
(potentially) free access to your machine.

Again, there are no right answers, it's about what level of
inconvenience you're willing to put up with in return for increased
barriers to entry.


------
input_userauth_request: invalid user virus
reverse mapping checking getaddrinfo for ws252
Failed password for invalid user virus from ::
Received disconnect from ::ffff:205.149.2.252:
Invalid user cyrus from ::ffff:205.149.2.252
input_userauth_request: invalid user cyrus
reverse mapping checking getaddrinfo for ws252
Failed password for invalid user cyrus from ::
Received disconnect from ::ffff:205.149.2.252:
Invalid user oracle from ::ffff:205.149.2.252
input_userauth_request: invalid user oracle



--
Voytek

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html




--
There is nothing more worthy of contempt than a man who quotes himself
- Zhasper, 2004
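
An added example, not part of the original thread: a small Python summary of sshd messages like the ones quoted above, grouping failed attempts by source address so a dictionary scan (many usernames from one host) stands apart from a single mistyped password. The sample lines are constructed, use documentation address ranges, and the function names and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of the sshd messages quoted above;
# addresses are from documentation ranges, not from the original post.
SAMPLE_LOG = """\
Invalid user virus from ::ffff:192.0.2.10
Failed password for invalid user virus from ::ffff:192.0.2.10 port 40112 ssh2
Invalid user cyrus from ::ffff:192.0.2.10
Failed password for invalid user cyrus from ::ffff:192.0.2.10 port 40120 ssh2
Invalid user oracle from ::ffff:192.0.2.10
Failed password for myname from 203.0.113.7 port 51000 ssh2
Accepted publickey for myname from 203.0.113.7 port 51002 ssh2
"""

# search() is used so lines carrying a syslog prefix are matched as well.
INVALID_USER = re.compile(r"Invalid user (\S+) from (\S+)")
FAILED_PW = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")


def normalise(addr):
    """Strip the IPv4-mapped IPv6 prefix so one host is counted once."""
    return addr[7:] if addr.lower().startswith("::ffff:") else addr


def summarise(log_text):
    """Return {source: {"users": set, "invalid": int, "failed": int}}."""
    stats = defaultdict(lambda: {"users": set(), "invalid": 0, "failed": 0})
    for line in log_text.splitlines():
        for pattern, counter in ((INVALID_USER, "invalid"), (FAILED_PW, "failed")):
            m = pattern.search(line)
            if m:
                user, src = m.group(1), normalise(m.group(2))
                stats[src]["users"].add(user)
                stats[src][counter] += 1
    return dict(stats)


def scanners(stats, min_users=3):
    """Sources that tried several distinct usernames: likely dictionary scans."""
    return sorted(s for s, v in stats.items() if len(v["users"]) >= min_users)


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG)
    for src, v in sorted(result.items()):
        print(src, sorted(v["users"]), "invalid:", v["invalid"], "failed:", v["failed"])
    print("likely scanners:", scanners(result))
```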