[kwlug-disc] Tightening up SSH

unsolicited unsolicited at swiz.ca
Mon Jul 19 22:41:35 EDT 2010


Darcy Casselman wrote, On 07/19/2010 9:12 AM:
> Along with previous suggestions, I'd recommend switching to a
> non-standard port.  It's not really security against a determined
> attacker, but it cuts out 99.99% of the random Internet drive-bys.

Could you tell me the source of this statistic please?


Obscurity is not a viable form of security.

Changing the port number probably impacts, and irritates, you more 
than anyone else. Particularly with a properly secured port - as the 
poster is in the process of ensuring.

Save yourself the irritation. Particularly when you run into a
firewall that lets you talk out to known ports, but not weird ones.

Having said that, I can appreciate Khalid's (& others) points that 
such avoids all the traffic in the first place, and reduces the log 
noise level. YMMV.


If, as John reflects upon, you have users who can only handle userids 
and passwords, I believe you can chroot ssh, or them, off, or give 
them a restricted shell. If you're at this point, it is arguable that 
you have also dedicated a machine to such remote access, with very 
well defined (and isolated) functionality points.

Just as sshd can listen on multiple ports, it can use different 
schemes. e.g. the ssh port only allows passwords, while 443 (so you can 
get through starbucks-type firewalls) only allows keys.
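As an added example (not from the thread, and not anyone's production config), here is an sshd_config fragment that implements both ideas from the post: per-port authentication policy via Match LocalPort, and a chrooted, SFTP-only group for users who can only handle userids and passwords. The group names, the chroot path and the choice of 443 as the second port are assumptions.

```sshd_config
# Added example: two listening ports with different authentication schemes,
# plus a chrooted group. Group names and paths are assumptions.
Port 22
Port 443

# Global baseline: keys only, no root, no interactive password prompts.
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

# Everything after the first Match applies only to its block, so keep
# the global settings above this line.

# Port 22: password logins only, and only for the assumed group "pwusers".
Match LocalPort 22 Group pwusers
    PasswordAuthentication yes
    PubkeyAuthentication no

# Port 443 (reachable through outbound-only firewalls): keys only.
Match LocalPort 443
    PasswordAuthentication no
    PubkeyAuthentication yes

# Password-only users who just need file transfer: chroot them to a
# per-user directory and give them the built-in sftp server instead of a shell.
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
```

Two checks before reloading: run `sshd -t -f /path/to/sshd_config` to catch syntax errors and a Match criterion your OpenSSH release does not support (LocalPort is not available in older versions), and make sure each ChrootDirectory and every path component above it is owned by root and not group- or world-writable, or sshd will refuse the login. Keep an existing session open while you test, so a mistake on one port does not lock you out.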


