[kwlug-disc] Tightening up SSH
unsolicited at swiz.ca
Mon Jul 19 22:41:35 EDT 2010
Darcy Casselman wrote, On 07/19/2010 9:12 AM:
> Along with previous suggestions, I'd recommend switching to a
> non-standard port. It's not really security against a determined
> attacker, but it cuts out 99.99% of the random Internet drive-bys.
Could you tell me the source of this statistic please?
Obscurity is not a viable form of security.
Changing the port number probably impacts, and irritates, you more
than anyone else. Particularly with a properly secured port - as the
poster is in the process of ensuring.
Save yourself the irritation. Particularly when you run into a
firewall that lets you talk out to known ports, but not weird ones.
Having said that, I can appreciate Khalid's (& others') points that
such avoids all the traffic in the first place, and reduces the log
noise level. YMMV.
If, as John reflects upon, you have users who can only handle userids
and passwords, I believe you can chroot ssh, or them, off, or give
them a restricted shell. If you're at this point, it is arguable that
you have also dedicated a machine to such remote access, with very
well defined (and isolated) functionality points.
Just as sshd can listen on multiple ports, it can use different
schemes. e.g. the ssh port only allows passwords, while 443 (so you can
get through Starbucks-type firewalls) only allows keys.
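As an added illustration (not part of the original message, and not a config anyone in the thread posted), here is an sshd_config excerpt that does what the last paragraph describes: sshd listens on both 22 and 443, password logins are only accepted on 22 and only for one group, 443 is keys only, and a separate group gets a chroot with no shell. The group names pwusers and sftponly and the chroot path /srv/chroot are assumptions for the example.

```text
# /etc/ssh/sshd_config (excerpt, added example; group names and paths are assumed)

Port 22
Port 443

# Global defaults apply to every port: keys only, no root.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no   # KbdInteractiveAuthentication on OpenSSH 8.7+
PermitRootLogin no

# Match blocks are evaluated top down; the first matching criterion set
# overrides the globals for that connection. Keyword-only lines are
# allowed inside a Match, so each block can carry its own scheme.

# Port 22: password logins, but only for members of the pwusers group.
# Both criteria on the line must hold (AND), so a non-member on 22 is
# still keys only.
Match LocalPort 22 Group pwusers
    PasswordAuthentication yes

# Port 443 (gets through outbound-only firewalls): keys only, stated
# explicitly so the intent survives later edits to the globals above.
Match LocalPort 443
    PubkeyAuthentication yes
    PasswordAuthentication no

# Userid-and-password-only users get a chroot and no real shell.
# ChrootDirectory (and every parent of it) must be owned by root and not
# group/world writable, or sshd refuses the login.
Match Group sftponly
    ChrootDirectory /srv/chroot/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
```

Before reloading, run `sshd -t` to syntax-check the file, then `sshd -T -C user=alice,host=client.example,addr=192.0.2.10,lport=443` (names are placeholders) to print the effective settings for a given user arriving on a given port; `sshd -T` without `-C` cannot evaluate the Match blocks. Keep one existing session open while testing so a mistake does not lock you out.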