tightening ssh

Derek Martin code at pizzashack.org
Sat Nov 19 18:35:21 UTC 2005


On Sat, Nov 19, 2005 at 07:47:11AM -0500, Claude Jones wrote:
> I'm not quite ready to try port knocking, so, the other suggestion I
> read over and over is to provide ssh on a non-standard port. So, I
> throw this out to the collective experience - what's your take on
> that strategy?  

First, I must admit that I use this technique myself.  But to be
honest, other than preventing log bloat, I think there's very little
benefit to doing it.

> Won't simple scans reveal the existence of ssh access on a
> non-standard port?  

Yes, and no.  It depends what you mean.  A "simple" port scan will
reveal that *something* is listening on the new port, but will not
necessarily reveal that it is an ssh daemon.  A more sophisticated
scan, which tries to make connections for well known protocols, will
certainly identify this.

> Is this really much protection? 

I don't really think so, provided you take other precautions to
safeguard your system, namely:

 - first and foremost, keep your ssh software up-to-date with the
   latest available for your distribution.  If you're running an older
   distribution that is no longer supported (or find yourself in this
   situation in the future), I would strongly urge you to upgrade.
 
 - DO NOT allow passwords of any kind.  Use cryptographic keys with
   the SSH2 protocol.

 - THOROUGHLY read the man pages for sshd, sshd_config, and ssh.
   Understand the software well.  Make use of the many other access
   controls as you see fit.

> Is it merely a question of reducing odds? 

Yes.  But with regard to computer security, that's all you ever can
do, really.  However, some precautions are a lot more valuable than
others.  As others have said, changing the port will protect you from
script kiddies, but then so will keeping your software updated.  

The only real downside of changing the port is that the user has to
remember to specify the port all the time, and the command line
options for each of the ssh clients (ssh, sftp, scp) all have
different options for doing this.  If you don't consider that a big
deal, then go ahead and do it.  But honestly, I think the only real
benefit this provides over keeping your system updated is less garbage
in your logs... which may be reason enough to do it.

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
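The checklist in the reply above (SSH2 only, no passwords, keys, read sshd_config) is easy to audit mechanically. The following script is an added example, not part of the original post or of OpenSSH itself; it reads an sshd_config the way sshd does (the first occurrence of a keyword wins) and reports the settings that contradict those precautions. The file names and the sample config are constructed for the demonstration; it ignores `Match` blocks and the `Keyword=value` spelling.

```shell
#!/bin/sh
# Added example (not from the original post): check an sshd_config against the
# precautions in the reply (SSH2 only, no passwords, keys still allowed).
# Constructed sample data; ignores "Match" blocks and the "Keyword=value" form.

sshd_opt() {
    # $1 = config file, $2 = keyword; prints the first active value, if any.
    # sshd uses the FIRST value of a keyword and ignores later ones, so do we.
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

findings=0
report() {
    echo "WEAK: $1"
    findings=$((findings + 1))
}

audit_sshd_config() {
    # Prints one line per weak setting; the return status is the number found.
    cfg="$1"
    findings=0

    proto=$(sshd_opt "$cfg" Protocol)
    case "$proto" in
        "")  report "Protocol not set (older OpenSSH allowed SSH1 by default); add 'Protocol 2'" ;;
        *1*) report "Protocol '$proto' allows SSH1; set 'Protocol 2'" ;;
    esac

    # Both default to yes, and either one alone lets a password-based login in
    [ "$(sshd_opt "$cfg" PasswordAuthentication)" = "no" ] ||
        report "PasswordAuthentication is not 'no' (default is yes)"
    [ "$(sshd_opt "$cfg" ChallengeResponseAuthentication)" = "no" ] ||
        report "ChallengeResponseAuthentication is not 'no' (default is yes)"

    # With passwords off, keys must still be permitted or nobody gets in
    pk=$(sshd_opt "$cfg" PubkeyAuthentication)
    [ "${pk:-yes}" = "yes" ] || report "PubkeyAuthentication is '$pk'; set it to yes"

    [ "$(sshd_opt "$cfg" PermitRootLogin)" = "no" ] ||
        report "PermitRootLogin is not 'no'"

    port=$(sshd_opt "$cfg" Port)
    echo "INFO: sshd listens on port ${port:-22} (a non-standard port mainly cuts log noise)"
    return "$findings"
}

# Constructed sample: a default-looking config that fails most of the checks
demo=$(mktemp)
cat > "$demo" <<'EOF'
# sshd_config (constructed sample, not a real host)
Port 22
Protocol 2,1
PasswordAuthentication yes
EOF
audit_sshd_config "$demo" || echo "$? weak setting(s) found in $demo"
rm -f "$demo"
```

Run it as `sh audit.sh` to see the sample report, or call `audit_sshd_config /etc/ssh/sshd_config` after sourcing it; a non-zero exit status means at least one precaution from the list is not in place, which makes it usable from a cron job or a configuration check.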
