[kwlug-disc] Tightening up SSH
kb at 2bits.com
Mon Jul 19 10:30:40 EDT 2010
On Mon, Jul 19, 2010 at 10:22 AM, John Van Ostrand <john at netdirect.ca>wrote:
> ----- Original Message -----
> > The single most effective thing you can do to prevent these types of
> > attacks is run ssh on a non standard port.
> > This will stop these automated scans right away.
> But since everyone is changing it to 2022, 2222, 222, 1022 or something
> like that it's only a simple level of obfuscation that could easily be
> Do it right: refuse root SSH login, restrict login to a small subset of
> user ids. If you need to support passwords for dumb users, make sure they
> are complex passwords and restrict their use to just those logins. But try
> to go to key-based authentication. It's actually easier for admins. Use
> complex root passwords in case it accidentally gets re-configed and use sudo
> to avoid needing to know the complex password. And to avoid lots of log
> messages you can change the port.
> Trust me, once you go to keys for admin you won't go back it's way easier
> since you wont have to type in a password every time. If you travel a lot
> put the keys on a USB key, strongly password encrypted of course.
All good advice, and should be followed regardless. ssh keys are far more
convenient and secure than passwords.
My post was not about "making your server more secure", it was more on
"stopping the scans" AFTER you have configured them for ssh key usage.
If you do what you recommend (which I do), you will still see scans
happening if you still run ssh on port 22. Changing it to another port (and
pick your own, don't use the one I posted, or one that John did, invent your
This will stop the scanning. ssh keys will not on their own. They make you
more secure, but you will still be probed.
Khalid M. Baheyeldin
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra
Simplicity is the ultimate sophistication. -- Leonardo da Vinci
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the kwlug-disc_kwlug.org