[kwlug-disc] Tightening up SSH

Brad Bierman bbierman42 at gmail.com
Mon Jul 19 23:35:25 EDT 2010

I will weigh in here as well (even if I am really late).

I agree that changing the port from 22 is just a security through obscurity,
but it also tells you the level of commitment/sophistication of the attacker
and doesn't fill up your logs. I have found that having lots of false
positives (trying a user name that will not work or dictionary attacks) can
hide the attacks that you are worried about.  In three years on my own
systems I have not seen attacks against my ssh ports, but before I was
getting about 1MB of logs a day in just brute force attacks that would not

Here is a good writeup about different ways to deal with the attacks.  I am
adding it to the conversation just for completeness.

Most will not know what port knocking is so here is another explanation.

My last suggestion is to use the country to IP address (
http://www.countryipblocks.net/) to filter out countries that you don't want
access to your systems ssh port.  This can be done in your iptables config.
This will also cut down on the size of your logs.

Hope this helps someone and doesn't cause another bout of emails ;)

On Mon, Jul 19, 2010 at 10:50 PM, Darcy Casselman <dscassel at gmail.com>wrote:

> On Mon, Jul 19, 2010 at 9:41 PM, unsolicited <unsolicited at swiz.ca> wrote:
> > Darcy Casselman wrote, On 07/19/2010 9:12 AM:
> >>
> >> Along with previous suggestions, I'd recommend switching to a
> >> non-standard port.  It's not really security against a determined
> >> attacker, but it cuts out 99.99% of the random Internet drive-bys.
> >
> > Could you tell me the source of this statistic please?
> Sure! I made it up.
> > Save yourself the irritation. Particularly when you run into a
> > firewall that lets you talk out to known ports, but not weird ones.
> No worries.  I'm not going to forget mine.  And, like Khalid said, you
> can put it in your .ssh/config
> Darcy.
> _______________________________________________
> kwlug-disc_kwlug.org mailing list
> kwlug-disc_kwlug.org at kwlug.org
> http://astoria.ccjclearline.com/mailman/listinfo/kwlug-disc_kwlug.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kwlug.org/pipermail/kwlug-disc_kwlug.org/attachments/20100719/165db3cc/attachment.html>

More information about the kwlug-disc mailing list