tightening ssh

Claude Jones claude_jones at levitjames.com
Sat Nov 19 13:16:05 UTC 2005


On Sat November 19 2005 8:07 am, Alejandro Flores wrote:
> Hey,
>
> > I've been reading up, and talking up, various security strategies. One
> > thing that is striking to me in looking at logs for my servers are the
> > endless ssh probes that go on. It appears to be one of the most common.
> > Up till recently, I had dealt with this by using firewall rules to allow
> > ssh access only to selected ip addresses - to all others, the port
> > appears closed (I checked this with port scans). Now, I must change
> > strategies. I need to give access to an associate who gets his dsl ip
> > address via dhcp, so it's always changing. I'm not quite ready to try
> > port knocking, so, the other suggestion I read over and over is to
> > provide ssh on a non-standard port. So, I throw this out to the
> > collective experience - what's your take on that strategy? Won't simple
> > scans reveal the existence of ssh access on a non-standard port? Is this
> > really much protection? Is it merely a question of reducing odds?
>
> Here I use a combination of strategies:
> - Run SSHD on a non-standard port
> - Do not allow Root Logins
> PermitRootLogin no
> - Use AllowUsers to restrict which user can login
> AllowUsers user1 user2 user3@host.something.com
> - Use strong passwords
> - Use a program to ask something to the user who logs in.
>
> Yes, a simple scan will reveal that you're running ssh on a
> non-standard port, but you'll not be knocked by the automated bot
> scans who use the default ssh port. These bot scans are responsible
> for about 99% of those attempts you're seeing.
> After those changes I see no attempts on my logs anymore.
>
You and Leonard are confirming some things I've concluded, but it reminds me
of a second question I haven't really found an answer to. What port? Is it
best to choose a high port, or pick one in the below 1024 range?

-- 
Claude Jones
Bluemont, VA, USA
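Added example, not from the thread: a small Python audit that parses an sshd_config text for the three settings Alejandro lists above (a non-default Port, PermitRootLogin no, and an AllowUsers list), honouring sshd's first-occurrence-wins rule, and also reports directives it does not recognise, since sshd refuses to start on a misspelled keyword. The two sample configs and the directive table are constructed; the table is a deliberately small subset that would need extending for a real file.

```python
import re

# Directives this example knows, in sshd's canonical spelling (matched
# case-insensitively). A constructed subset: a real audit would load the
# full list from sshd_config(5).
KNOWN = {"port", "permitrootlogin", "allowusers", "listenaddress",
         "passwordauthentication", "protocol"}

def parse_sshd_config(text):
    """Return ({keyword: first value}, [unrecognised keywords]).
    sshd takes the first occurrence of a directive and ignores later ones;
    parsing stops at the first Match block because its lines are conditional."""
    settings, unknown = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        if key not in KNOWN:
            unknown.append(parts[0])
            continue
        settings.setdefault(key, value)          # first occurrence wins
    return settings, unknown

def audit(text):
    """Return a list of findings; an empty list means all three checks pass."""
    settings, unknown = parse_sshd_config(text)
    findings = [f"unrecognised directive '{k}': sshd will refuse to start" for k in unknown]
    if settings.get("port", "22") == "22":
        findings.append("Port is 22: default-port bot scans will reach it")
    if settings.get("permitrootlogin", "").lower() != "no":
        findings.append("PermitRootLogin is not explicitly 'no'")
    if not settings.get("allowusers"):
        findings.append("no AllowUsers list: every local account is a login target")
    return findings

# Constructed samples: a stock-looking config with two misspelled keywords,
# and the hardened form of the same settings.
WEAK = "Port 22\nPermitRootLogins no   # typo\nAllowUser alice bob\n"
HARDENED = "Port 2222\nPermitRootLogin no\nAllowUsers alice bob carol@host.example.com\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or ["ok"])
```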