Re: question about ssh
- From: Steven Stern <subscribed-lists sterndata com>
- To: fedora-list redhat com
- Subject: Re: question about ssh
- Date: Fri, 31 Dec 2004 08:45:49 -0600
On Fri, 31 Dec 2004 10:16:59 +0000, Tony Dietrich <td transoft demon co uk>
wrote:
>
>I agree with Ed Wilts that the best way is to block all sshd connections, then
>open stealth ports for specific fixed IPs.
>
>Just opening an unusual port for sshd won't do the trick ... a port scanner
>will find the hole in seconds, and if your systems have already been
>attacked, then he'll come back for another look at some time - or one of his
>friends will.
>
I use port 2222 on my system because I need to be able to access from my
notebook, and its location and IP change with every connection. It's not
perfect security; that's why I also use AllowGroups to specify which userids
can access via ssh and explicitly disallow root access.
By the way, I like Guarddog as a visual iptables manager.
--
Steve
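
An added example, not part of the original message: a small checker that reads sshd_config text and reports whether it matches the setup described above (non-default port, AllowGroups, root login disabled). The sample config and the group name "sshusers" are constructed, and the parser is simplified (whitespace-separated keywords, no Include handling).

```python
# Constructed sshd_config text modelled on the message; "sshusers" is a made-up group.
SAMPLE = """\
Port 2222
permitrootlogin no
AllowGroups sshusers
# The next line is ignored by sshd: the first PermitRootLogin already won.
PermitRootLogin yes
Match Address 192.0.2.10
    PermitRootLogin yes
"""

ACCUMULATE = {"port", "allowgroups"}  # keywords that may repeat and add up


def parse(text):
    """Collect the global Port, AllowGroups and PermitRootLogin values."""
    seen, in_match, match_root = {}, False, False
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        key, args = parts[0].lower(), parts[1:]  # keywords are case-insensitive
        if key == "match":
            in_match = True  # later lines apply only to matching connections
        elif in_match:
            if key == "permitrootlogin" and " ".join(args).lower() != "no":
                match_root = True
        elif key in ACCUMULATE:
            seen.setdefault(key, []).extend(args)
        else:
            seen.setdefault(key, args)  # first value wins
    root = seen.get("permitrootlogin", ["unset"])[0].lower()
    return {"ports": seen.get("port", ["22"]),
            "allow_groups": seen.get("allowgroups", []),
            "root_login": root, "match_root": match_root}


def findings(cfg):
    """List the ways cfg falls short of the setup described in the message."""
    out = []
    if "22" in cfg["ports"]:
        out.append("sshd listens on the default port 22")
    if not cfg["allow_groups"]:
        out.append("no AllowGroups line restricts which groups may log in")
    if cfg["root_login"] != "no":
        out.append("root login is not explicitly disabled: " + cfg["root_login"])
    if cfg["match_root"]:
        out.append("a Match block re-enables root login for some connections")
    return out


if __name__ == "__main__":
    print(findings(parse(SAMPLE)))
```

On a live host, `sshd -T` prints the effective global settings and is the better source to check against; this parser only shows why a later or Match-scoped line can differ from what the top of the file suggests.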