[kwlug-disc] Tightening up SSH
Andrew Kohlsmith (mailing lists account)
aklists at mixdown.ca
Tue Jul 20 10:10:47 EDT 2010
On Monday, July 19, 2010 10:41:35 pm unsolicited wrote:
> Darcy Casselman wrote, On 07/19/2010 9:12 AM:
> > Along with previous suggestions, I'd recommend switching to a
> > non-standard port. It's not really security against a determined
> > attacker, but it cuts out 99.99% of the random Internet drive-bys.
> Could you tell me the source of this statistic please?
Darcy claims he made it up, but I can back it up with my own experience too.
And yes, I do know that the plural of "anecdote" is not "evidence". :-)
Let's step back for a moment though and look at what's going on.
There are a bunch of internet worms out there doing "internet drive by"
attacks looking for open ssh ports, and if something is found, launching a
dictionary attack against them with common usernames.
This isn't an "attack" any more than a bird flying overhead managing to poop on
your head is an attack. There's no intelligence behind this.
(Ok, maybe it's slightly more of an attack than the example I gave, since the
bird isn't flying overhead looking for bald spots (I hope!), but you get my
Again, you are not being targeted. Moving to a non-standard port eliminates
your logs filling up with this crap. I don't think anyone is saying that this
is a means to increase security, although I would argue that obscurity is a
valid additional layer to a properly executed security regimen.
> Changing the port number probably impacts, and irritates, you more
> than anyone else. Particularly with a properly secured port - as the
> poster is in the process of ensuring.
I agree; this is why I don't move my ssh off of the standard port. I put up
with the crapflooding, particularly because a) I know nobody's getting in
through ssh and b) I never check my logs for ssh attacks anyway.
I did play around with "knocking" for a while but it irritated me as well
because I would continually forget the knock code. One of my friends lives for
tcpwrappers, but this infuriates me because the only time I usually need to
get into his systems is when I'm somewhere away from home, and having to
bounce in through my dedicated box is an extra step I really dislike.
I know that if someone's going to compromise my system they'll get in through
something OTHER than ssh; I'm not going to post guards at my door when I know
I've got much easier to infiltrate windows around back.
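As an added illustration, not part of Andrew's post or anything else in this thread: a small Python script that tallies failed sshd logins per username and per source address, which is what the "crapflooding" from drive-by dictionary attacks looks like in auth.log and is the kind of count you would run before deciding whether moving the port is worth the irritation. The log lines are constructed for the example (OpenSSH's usual syslog wording, documentation-range addresses), and the threshold in `noisy_sources` is an arbitrary choice.

```python
import re
from collections import Counter

# Constructed sample auth-log lines in OpenSSH/syslog style; not real traffic.
SAMPLE_AUTH_LOG = """\
Jul 19 09:12:01 host sshd[2101]: Invalid user admin from 203.0.113.5
Jul 19 09:12:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Jul 19 09:12:03 host sshd[2104]: Failed password for invalid user oracle from 203.0.113.5 port 51030 ssh2
Jul 19 09:12:04 host sshd[2107]: Failed password for root from 203.0.113.5 port 51041 ssh2
Jul 19 09:12:05 host sshd[2110]: Failed password for invalid user test from 198.51.100.7 port 40100 ssh2
Jul 19 09:12:06 host sshd[2112]: Failed password for invalid user admin from 198.51.100.7 port 40102 ssh2
Jul 19 09:15:10 host sshd[2140]: Accepted publickey for andrew from 192.0.2.10 port 55012 ssh2
"""

# "Failed password for [invalid user ]<user> from <ip> port <n>"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
# "Accepted <method> for <user> from <ip>"
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)"
)


def summarize(log_text):
    """Count failed password attempts by username and by source IP,
    and collect successful logins so they can be eyeballed separately."""
    failed_by_user = Counter()
    failed_by_ip = Counter()
    accepted = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed_by_user[m.group("user")] += 1
            failed_by_ip[m.group("ip")] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m.group("user"), m.group("ip"), m.group("method")))
    return {
        "failed_by_user": failed_by_user,
        "failed_by_ip": failed_by_ip,
        "accepted": accepted,
    }


def noisy_sources(summary, threshold=3):
    """Source IPs with at least `threshold` failures: the drive-by
    dictionary pattern (many usernames, one source). Threshold is arbitrary."""
    return sorted(ip for ip, n in summary["failed_by_ip"].items() if n >= threshold)


if __name__ == "__main__":
    s = summarize(SAMPLE_AUTH_LOG)
    print("failed attempts by username:", dict(s["failed_by_user"]))
    print("failed attempts by source:  ", dict(s["failed_by_ip"]))
    print("noisy sources:", noisy_sources(s))
    print("accepted logins:", s["accepted"])
```

Run it against a real auth.log (`summarize(open("/var/log/auth.log").read())`) and the username tally alone usually settles the question: a long tail of `admin`, `oracle`, `test` and `root` guesses from addresses you have never heard of is the background noise the thread is talking about, and the `accepted` list is the part worth reading.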