tightening ssh
Alejandro Flores
alejandrorflores at gmail.com
Sat Nov 19 13:07:23 UTC 2005
Hey,
> I've been reading up, and talking up, various security strategies. One thing
> that is striking to me in looking at logs for my servers are the endless ssh
> probes that go on. It appears to be one of the most common. Up till recently,
> I had dealt with this by using firewall rules to allow ssh access only to
> selected ip addresses - to all others, the port appears closed (I checked
> this with port scans). Now, I must change strategies. I need to give access
> to an associate who gets his dsl ip address via dhcp, so it's always
> changing. I'm not quite ready to try port knocking, so, the other suggestion
> I read over and over is to provide ssh on a non-standard port. So, I throw
> this out to the collective experience - what's your take on that strategy?
> Won't simple scans reveal the existence of ssh access on a non-standard port?
> Is this really much protection? Is it merely a question of reducing odds?
Here I use a combination of strategies:
- Run SSHD on a non-standard port
- Do not allow Root Logins
PermitRootLogins no
- Use AllowUsers to restrict which user can login
AllowUser user1 user2 user3 at host.something.com
- Use strong passwords
- Use a program to ask something to the user who logs in.
Yes, a simple scan will reveal that you're running ssh on a
non-standard port, but you'll not be knocked by the automated bot
scans who use the default ssh port. These bot scans are responsible
for about to 99% of those attempts you're seeing.
After those changes I see no attempts on my logs anymore.
--
Regards,
Alejandro Flores
http://www.triforsec.com.br/
More information about the fedora-list
mailing list