question about ssh
Steven Stern
subscribed-lists at sterndata.com
Fri Dec 31 14:45:49 UTC 2004
On Fri, 31 Dec 2004 10:16:59 +0000, Tony Dietrich <td at transoft.demon.co.uk>
wrote:
>
>I agree with Ed Wilts that the best way is to block all sshd connections, then
>open stealth ports for specific fixed IPs.
>
>Just opening an unusual port for sshd won't do the trick ... a port scanner
>will find the hole in seconds, and if your systems have already been
>attacked, then he'll come back for another look at some time - or one of his
>friends will.
>
I use port 2222 on my system because I need to be able to access from my
notebook, and its location and IP change with every connection. It's not
perfect security; that's why I also use AllowGroups to specify which userids
can access via ssh and explicitly disallow root access.
By the way, I like Guarddog as a visual iptables manager.
--
Steve
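
As an added example (not part of the original post or thread), the Python check below looks for the two access controls the post names, AllowGroups and a disabled root login, in the global section of an sshd_config. The sample file contents, the group name `sshusers` and the function names are constructed for illustration.

```python
# Constructed sample resembling the setup described in the post.
HARDENED = """\
Port 2222
PermitRootLogin no
AllowGroups sshusers
# a later duplicate is ignored: sshd keeps the first value it reads
PermitRootLogin yes
"""

# Constructed sample: the port was moved but nothing else was changed.
PORT_ONLY = """\
Port 2222
"""

def parse_global(text):
    """Map lower-cased keyword -> list of argument strings, in file order."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()          # keywords are case-insensitive
        if keyword == "match":              # conditional blocks start here
            break
        seen.setdefault(keyword, []).append(parts[1] if len(parts) > 1 else "")
    return seen

def audit(text):
    """Return a list of findings; an empty list means both checks pass."""
    cfg = parse_global(text)
    findings = []
    # First obtained value wins, so only the first PermitRootLogin counts.
    root = cfg.get("permitrootlogin", ["unset"])[0].lower()
    if root != "no":
        findings.append(f"PermitRootLogin is {root}: root login not explicitly disabled")
    groups = [g for args in cfg.get("allowgroups", []) for g in args.split()]
    if not groups:
        findings.append("no AllowGroups: ssh access is not limited to a group")
    return findings

if __name__ == "__main__":
    for name, sample in (("HARDENED", HARDENED), ("PORT_ONLY", PORT_ONLY)):
        print(name, audit(sample) or "ok")
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative source; this parser only reads the file text before any Match block.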