[kwlug-disc] Tightening up SSH

Lori Paniak ldpaniak at fourpisolutions.com
Mon Jul 19 10:44:11 EDT 2010


On Mon, 2010-07-19 at 10:29 -0400, Adam Glauser wrote:
> On Mon, Jul 19, 2010 at 10:09 AM, Khalid Baheyeldin <kb at 2bits.com> wrote:
> >> The single most effective thing you can do to prevent these types of attacks
> >> is run ssh on a non standard port.
> 
> On 19/07/2010 10:23 AM, Dave Cramer wrote:
> > I disagree. Any security mechanism that relies on obscurity is not
> > secure. Just harden it.  It's trivial to port scan you anyway.
> 
> I used to think that way too Dave.  As far as I'm concerned though, it 
> doesn't hurt to add obscurity to an _otherwise_good_ security system.  As 
> Khalid says, it makes it less likely that the random scans from the 
> wilds of the 'Net will notice your server.
> 
> It's like surviving a bear attack:  You don't have to out-run the bear, 
> you just have to out-run the other guy.
> 

I tend to agree with Dave.  If you have a small, definite number of
remote clients who need external access to your system (your laptop,
phone ...), run something like OpenVPN.  Then you can close all open
(tcp) ports and disappear from scans.  Having open ports advertises that
your system is there and a target for unknown, upcoming vulnerabilities
whether they are on port 22 or elsewhere.


OpenVPN also brings additional features to the table that ssh doesn't
without a lot of futzing around, e.g. extending your LAN to remote clients.
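The disagreement above is whether moving sshd off port 22 counts as hardening. The following audit script is an added example, not code from anyone in this thread: it reads sshd_config text and reports whether the configuration is actually hardened (password authentication and root login off) or merely relocated to another port. The two config fragments are constructed for illustration, and the assumed defaults are OpenSSH's `Port 22` and `PasswordAuthentication yes`; `Match` blocks are not handled.

```shell
#!/bin/sh
# Constructed sshd_config fragments (illustration only, not from the thread):
# one that only moves the port, one that is actually hardened.
OBSCURED_CFG='Port 2222
PasswordAuthentication yes
PermitRootLogin yes'

HARDENED_CFG='Port 22
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes'

# ssh_effective KEYWORD CONFIG_TEXT -> prints the value sshd would use.
# sshd honours the FIRST occurrence of a keyword (keywords are case-insensitive),
# so a hardening line appended below an earlier "yes" changes nothing.
# Commented lines start with "#", so "#Port" never matches "port".
ssh_effective() {
    printf '%s\n' "$2" | awk -v k="$1" '
        tolower($1) == tolower(k) { print $2; exit }'
}

# sshd_audit CONFIG_TEXT: exit 0 if hardened, 1 if it relies on the port alone.
# Assumed defaults when a keyword is absent: Port 22, PasswordAuthentication yes.
# PermitRootLogin's default varies by OpenSSH version, so an explicit value
# other than "yes" is required to pass.
sshd_audit() {
    cfg=$1
    port=$(ssh_effective Port "$cfg");                 port=${port:-22}
    pw=$(ssh_effective PasswordAuthentication "$cfg"); pw=${pw:-yes}
    root=$(ssh_effective PermitRootLogin "$cfg")
    findings=""
    [ "$pw" = "yes" ] && findings="$findings password-auth-enabled"
    if [ -z "$root" ] || [ "$root" = "yes" ]; then
        findings="$findings root-login-not-disabled"
    fi
    if [ -n "$findings" ]; then
        if [ "$port" != "22" ]; then
            findings="$findings (non-standard port $port does not fix these)"
        fi
        echo "WEAK:$findings"
        return 1
    fi
    echo "OK: port $port, password auth off, PermitRootLogin $root"
    return 0
}

sshd_audit "$OBSCURED_CFG"   # WEAK: password-auth-enabled root-login-not-disabled (...)
sshd_audit "$HARDENED_CFG"   # OK: port 22, password auth off, PermitRootLogin no
```

Point it at a live file with `sshd_audit "$(cat /etc/ssh/sshd_config)"` to see which of the two cases a host falls into.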

