tightening ssh

Leonard Isham leonard.isham at gmail.com
Sat Nov 19 13:21:51 UTC 2005


On 11/19/05, Claude Jones <claude_jones at levitjames.com> wrote:
> On Sat November 19 2005 8:07 am, Alejandro Flores wrote:
> > Hey,
> >
> > > I've been reading up, and talking up, various security strategies. One
> > > thing that is striking to me in looking at logs for my servers are the
> > > endless ssh probes that go on. It appears to be one of the most common.
> > > Up till recently, I had dealt with this by using firewall rules to allow
> > > ssh access only to selected ip addresses - to all others, the port
> > > appears closed (I checked this with port scans). Now, I must change
> > > strategies. I need to give access to an associate who gets his dsl ip
> > > address via dhcp, so it's always changing. I'm not quite ready to try
> > > port knocking, so, the other suggestion I read over and over is to
> > > provide ssh on a non-standard port. So, I throw this out to the
> > > collective experience - what's your take on that strategy? Won't simple
> > > scans reveal the existence of ssh access on a non-standard port? Is this
> > > really much protection? Is it merely a question of reducing odds?
> >
> > Here I use a combination of strategies:
> > - Run SSHD on a non-standard port
> > - Do not allow Root Logins
> > PermitRootLogin no
> > - Use AllowUsers to restrict which user can login
> > AllowUsers user1 user2 user3@host.something.com
> > - Use strong passwords
> > - Use a program to ask something to the user who logs in.
> >
> > Yes, a simple scan will reveal that you're running ssh on a
> > non-standard port, but you'll not be knocked by the automated bot
> > scans that use the default ssh port. These bot scans are responsible
> > for about 99% of those attempts you're seeing.
> > After those changes I see no attempts in my logs anymore.
> >
> You and Leonard are confirming some things I've concluded, but, it reminds me
> of a second question I haven't really found an answer to. What port? Is it
> best to choose a high port, or pick one in the below 1024 range?
>

Most I have seen choose above 1024.  I personally avoid any that I
know are defaults for other security systems including the firewall
specific distros.

--
Leonard Isham, CISSP
Ostendo non ostento.
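The checklist quoted above (non-standard port, PermitRootLogin no, AllowUsers) is easy to get subtly wrong: sshd keeps only the first value of most keywords, honours every Port line, and treats everything after a Match line as conditional. The audit below is an added example, not code from this thread; the two sample configs are constructed and the check names are the author's own.

```python
import re

# Constructed sample: looks hardened at a glance but is not. sshd listens on
# every Port given, and keeps the FIRST value of PermitRootLogin.
WEAK_CONFIG = """\
Port 22
Port 2222           # sshd listens on both; adding a port does not hide 22
PermitRootLogin yes
PermitRootLogin no  # ignored: the first occurrence of a keyword wins
"""

# Constructed sample meeting the checklist. The Match block is conditional
# (applies only to that address range) and does not weaken the global value.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
AllowUsers user1 user2 user3@host.something.com
Match Address 192.0.2.0/24
    PermitRootLogin yes
"""

# "Keyword value" or "Keyword=value", as sshd_config allows.
_DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+|$)(.*)$")

def parse_sshd_config(text):
    """Return global-scope directives as {keyword_lowercase: [values...]}."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, value = _DIRECTIVE.match(line).groups()
        key = key.lower()
        if key == "match":
            break  # everything after the first Match is conditional; ignore
        settings.setdefault(key, []).append(value.strip())
    return settings

def audit_sshd_config(text):
    """Return a list of findings; an empty list means the checklist is met."""
    s = parse_sshd_config(text)
    findings = []
    if "22" in s.get("port", ["22"]):  # 22 is sshd's default when unset
        findings.append("Port 22 is in effect: expect default-port bot scans")
    root = s.get("permitrootlogin", ["<unset>"])[0]  # first value wins
    if root.lower() != "no":
        findings.append(f"PermitRootLogin is {root!r}, not 'no'")
    if "allowusers" not in s:
        findings.append("AllowUsers is unset: any local account may log in")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["ok"])
```

Run `sshd -t` as well after editing: a misspelled keyword such as PermitRootLogins is a fatal "Bad configuration option" rather than a silently ignored one.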