“Why putting ssh on another port than 22 is a bad idea”:
https://www.adayinthelifeof.nl/2012/03/12/why-putting-ssh-on-another-port-than-22-is-bad-idea/
Lars
Some interesting thoughts but I wouldn’t buy his main argument (I’ve read it before). The last comment by 'Dicer' is important. Of course your sshd can be discovered (using nmap or the like) but it takes a little time. Time which is generally more profitably spent hunting down the next port 22 listener.
For the “annoying” -P problem of scp (and other programs like rsync) which expect ssh on port 22, that’s what ~/.ssh/config is for. See http://nerderati.com/2011/03/17/simplify-your-life-with-an-ssh-config-file/ for example.
Having said that, it’s really important to know that shifting the port is one of a number of measures, not a solution in itself - the more important being disabling root access and password authentication.
Port knocking is clever … used to do this on SA gov periphery firewalls. Haven’t really bothered in recent times, but maybe something to consider in these turbulent times.
Meanwhile I continue to shift my ssh port and encourage others to do the same.
Cheers
Bob
On 28 September 2014 17:09, Lars Helge Øverland larshelge@gmail.com wrote:
“Why putting ssh on another port than 22 is a bad idea”:
https://www.adayinthelifeof.nl/2012/03/12/why-putting-ssh-on-another-port-than-22-is-bad-idea/
Lars
Mailing list: https://launchpad.net/~dhis2-devs
Post to : dhis2-devs@lists.launchpad.net
Unsubscribe : https://launchpad.net/~dhis2-devs
More help : https://help.launchpad.net/ListHelp
Thanks Lars, for sharing the interesting article.
I also recommend that people use fail2ban. It is a simple tool that looks at logs to fend brute force
Regards,
Saptarshi PURKAYASTHA
On 28 September 2014 16:37, Bob Jolliffe bobjolliffe@gmail.com wrote:
Some interesting thoughts but I wouldn’t buy his main argument (I’ve read it before). The last comment by 'Dicer' is important. Of course your sshd can be discovered (using nmap or the like) but it takes a little time. Time which is generally more profitably spent hunting down the next port 22 listener.
For the “annoying” -P problem of scp (and other programs like rsync) which expect ssh on port 22, that’s what ~/.ssh/config is for. See http://nerderati.com/2011/03/17/simplify-your-life-with-an-ssh-config-file/ for example.
Having said that, it’s really important to know that shifting the port is one of a number of measures, not a solution in itself - the more important being disabling root access and password authentication.
Port knocking is clever … used to do this on SA gov periphery firewalls. Haven’t really bothered in recent times, but maybe something to consider in these turbulent times.
Meanwhile I continue to shift my ssh port and encourage others to do the same.
Cheers
Bob
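Saptarshi's fail2ban suggestion above boils down to one piece of detection logic: count failed sshd logins per source address inside a time window and act when a source crosses a threshold. The following is an added example written for this thread, not fail2ban's own code; it reimplements that maxretry/findtime idea over constructed auth.log lines (the hostnames, PIDs and addresses are made up) so the behaviour can be seen without a running sshd.

```python
"""Sliding-window counter for failed sshd password logins, in the spirit of
fail2ban's maxretry/findtime. Added example; the log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of syslog-style sshd lines (not from a real host).
SAMPLE_AUTH_LOG = """\
Sep 28 16:40:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Sep 28 16:40:03 web1 sshd[2103]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
Sep 28 16:40:04 web1 sshd[2105]: Failed password for root from 203.0.113.5 port 51244 ssh2
Sep 28 16:40:09 web1 sshd[2107]: Failed password for root from 203.0.113.5 port 51250 ssh2
Sep 28 16:40:12 web1 sshd[2109]: Failed password for root from 203.0.113.5 port 51255 ssh2
Sep 28 16:41:00 web1 sshd[2111]: Accepted publickey for bob from 198.51.100.7 port 40001 ssh2
Sep 28 16:42:30 web1 sshd[2113]: Failed password for bob from 198.51.100.7 port 40010 ssh2
Sep 28 17:05:00 web1 sshd[2120]: Failed password for bob from 198.51.100.7 port 40020 ssh2
"""

# Matches the "Failed password" line sshd writes, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_failures(log_text):
    """Return a list of (timestamp, source_ip, username) for failed logins.

    Syslog timestamps carry no year, so the parsed datetime is only used for
    differences between events, never as an absolute time.
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
            events.append((ts, m.group(3), m.group(2)))
    return events


def find_brute_forcers(log_text, maxretry=5, findtime_seconds=600):
    """Return {source_ip: time_of_trigger} for sources that reach `maxretry`
    failures within any `findtime_seconds` window.

    Each source keeps a deque of recent failure times; entries older than the
    window are dropped before the count is checked, so two failures 20 minutes
    apart do not add up under a 10-minute window.
    """
    recent = defaultdict(deque)
    triggered = {}
    for ts, ip, _user in parse_failures(log_text):
        if ip in triggered:
            continue  # already flagged; a real tool would have banned it by now
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime_seconds:
            q.popleft()
        if len(q) >= maxretry:
            triggered[ip] = ts.strftime("%H:%M:%S")
    return triggered


if __name__ == "__main__":
    for ip, when in find_brute_forcers(SAMPLE_AUTH_LOG).items():
        print(f"{ip} reached the retry limit at {when}")
```

With the defaults, only 203.0.113.5 is flagged (five failures in eleven seconds); bob's two typos from 198.51.100.7 are far enough apart that they never coincide in one window. Widening `findtime_seconds` to an hour with `maxretry=2` would flag that address too, which is the same trade-off fail2ban's settings express.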
Yes agree some of the arguments are a bit silly.
I think in any case one should disable ssh password authentication. If afraid of locking oneself out and not on a VPS with a console one can selectively enable password login (see "key management - Creating user specific authentication methods in SSH" on Information Security Stack Exchange) for users that you trust will use a long and secure password. This sort of removes the ssh brute-force problem.
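The thread names three sshd_config measures (Bob's non-default Port, PermitRootLogin no and PasswordAuthentication no) and the last message adds the refinement of re-enabling password login for selected users through a Match block. Below is an added example, not code from anyone in the thread or from OpenSSH: a small audit that parses an sshd_config, applies sshd's first-value-wins rule for the global section, and reports both the global settings and every Match block that loosens them. The sample config it reads is constructed for the example.

```python
"""Audit an sshd_config for the hardening measures discussed in the thread.
Added example; the sample config below is constructed, not from a real host."""
import re

# Constructed sshd_config: hardened globally, with one deliberate per-user
# password exception of the kind the last message describes.
SAMPLE_SSHD_CONFIG = """\
# constructed example
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes

Match User bob
    PasswordAuthentication yes

Match Address 10.0.0.0/8
    PermitRootLogin prohibit-password
"""

# sshd accepts "Keyword value" and "Keyword=value"; keywords are alphabetic.
_LINE = re.compile(r"^([A-Za-z]+)\s*=?\s*(.*?)\s*$")


def parse_sshd_config(text):
    """Return (global_opts, match_blocks).

    global_opts maps lowercased keyword -> value; the first occurrence wins,
    as in sshd. match_blocks is a list of (criteria, opts) in file order, and
    a keyword inside a block applies only to connections matching its criteria.
    """
    global_opts = {}
    blocks = []
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            current = {}
            blocks.append((value, current))  # criteria keep their original case
            continue
        current.setdefault(key, value.lower())
    return global_opts, blocks


def audit_sshd_config(text):
    """Summarise the thread's three measures plus any Match-block exceptions.

    Defaults mirror current OpenSSH: Port 22, PermitRootLogin prohibit-password,
    PasswordAuthentication yes.
    """
    g, blocks = parse_sshd_config(text)
    result = {
        "port": g.get("port", "22"),
        "root_login_disabled": g.get("permitrootlogin", "prohibit-password") == "no",
        "password_auth_disabled": g.get("passwordauthentication", "yes") == "no",
        "password_auth_exceptions": [
            c for c, o in blocks if o.get("passwordauthentication") == "yes"
        ],
        "root_login_exceptions": [
            c for c, o in blocks if "permitrootlogin" in o and o["permitrootlogin"] != "no"
        ],
    }
    findings = []
    if result["port"] == "22":
        findings.append("sshd listens on the default port 22")
    if not result["root_login_disabled"]:
        findings.append("PermitRootLogin is not set to 'no'")
    if not result["password_auth_disabled"]:
        findings.append("PasswordAuthentication is not disabled globally")
    for c in result["password_auth_exceptions"]:
        findings.append(f"password login re-enabled by 'Match {c}'")
    for c in result["root_login_exceptions"]:
        findings.append(f"root login loosened by 'Match {c}'")
    result["findings"] = findings
    return result


if __name__ == "__main__":
    for line in audit_sshd_config(SAMPLE_SSHD_CONFIG)["findings"]:
        print("-", line)
```

Run against the sample it reports only the two deliberate exceptions, which is what you want to see listed: an exception for a named user who keeps a strong password is the selective enablement the thread describes, while a "Match Address" block that loosens root login is worth a second look. Feeding it an empty string shows the stock defaults failing all three checks.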