[NTLUG:Discuss] OpenSSH - Newbie Question #2
Bobby Sanders
ssanders at ssvzc.com
Wed Jul 5 23:32:31 CDT 2006
Good points, Chris. Many, many thanks.
On Wed, 2006-07-05 at 16:42 -0500, Chris Cox wrote:
> Wayne Walker wrote:
> > I believe the jury is still out on this.
> >
> > How: edit /etc/ssh/sshd_config, uncomment the line like:
> > #Port 22
> > and change the port number
> > Now restart sshd ("service sshd restart" or "/etc/init.d/sshd restart"
> > on most distros).
> >
> > Pros:
> >
> > Fewer actual attacks (assuming random programmatic attacks) because most
> > simple attack tools will look for ssh on port 22.
> >
> > Um...that's it.
> >
> > Cons:
> >
> > Will not deter a determined attacker at all. Someone determined to
> > attack your machine will port scan it.
>
> Actually it will deter them. They will initiate a port scan, your
> firewall will make that difficult... so they'll target well known
> ports... your ssh won't be running on port 22... hacker gives
> up because of the plethora of lower hanging fruit.
>
> >
> > May lock yourself out (built in firewall rules will allow port 22
> > traffic usually, you now have to go specifically allow traffic on the
> > port your ssh is listening on).
>
> Firewalls default to blocking everything. Chances are you had
> to open up 22 (SSH).. it's really not that hard.
>
> >
> > Any time you try to connect to the machine (with sftp, ssh, scp, puTTY,
> > winSCP, ...) you have to perform whatever step is necessary to get that
> > tool to connect to sshd on a non-standard port.
>
> Huh? It's really not a problem. On the client side you simply
> have to supply a port number parameter (now the fact that each client
> uses a different switch option is disturbing :) ).
>
> >
> > Better practice (IMO). Spend that extra effort making sure that you
> > have a good system of keeping:
> >
> > 1. your software packages (especially ssh) up to date
> > 2. turn off unnecessary/unused services - e.g., nfs, telnet, pop, imap
> > (use imaps, and pop3s) etc.
> > 3. choose hard to guess passwords and change them occasionally.
>
> I'm going to have to disagree with this one. If you're running anything
> on port 22 the multitude of "bot" software that is out there will
> pound you to death.. regardless if the user initiating the attack/probe
> understands what the software is/isn't doing.
>
> Move your ssh port... I promise you that you will get rid of 99%+ of
> all ssh hack attempts.
>
> >
> > Wayne
> >
> > On Wed, Jul 05, 2006 at 02:25:26PM -0500, Bobby Sanders wrote:
> >> While reviewing the prior messages on this list and others dealing with
> >> SSH, I have noticed that everyone suggests that you change the port # for
> >> this service.
> >>
> >> Is this as simple as editing /etc/services or do I have to be concerned
> >> about changing it in a dozen other places, applications, etc.?
> >>
> >> Thanks
> >>
> >> Bobby
> >>
> >> _______________________________________________
> >> http://ntlug.pmichaud.com/mailman/listinfo/discuss
> >
>
>
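The thread's procedure (change `Port` in sshd_config, open the new port in the firewall before restarting sshd, then pass the right port switch to each client) can be checked mechanically before you restart. The script below is an added example written for this page, not code from the NTLUG thread or from OpenSSH: it reads an sshd_config to find the port sshd will actually listen on (a commented `#Port 22` is only the default, not a setting), checks an iptables-save style rule dump for an ACCEPT rule on that port so you do not lock yourself out, and prints the per-client switch. Both config files and the rule dump are constructed samples written to a temporary directory; the iptables-save format is an assumption, and a system using a different firewall front end would need its own check.

```shell
#!/bin/sh
# Added example (not from the NTLUG thread): pre-flight check for moving sshd
# off port 22. All file contents below are constructed samples, not real
# system state.
set -e

# Effective sshd listen port: the first uncommented "Port" line wins here;
# "#Port 22" is a comment showing the default, so with no active Port line
# sshd listens on 22.
sshd_effective_port() {
    port=$(awk 'tolower($1) == "port" { print $2; exit }' "$1")
    if [ -n "$port" ]; then
        printf '%s\n' "$port"
    else
        printf '22\n'
    fi
}

# Does an iptables-save style dump ($1) contain an INPUT rule that accepts
# inbound TCP on port $2? Returns 0 (true) or 1 (false).
firewall_allows_tcp_port() {
    grep -Eq -- "^-A INPUT .*-p tcp .*--dport $2( |$).*-j ACCEPT" "$1"
}

# The port switch each client expects (ssh uses -p; scp, sftp and PuTTY's
# tools use -P), which is the per-client difference the thread mentions.
client_port_flag() {
    case "$1" in
        ssh)                    printf '%s\n' -p ;;
        scp|sftp|putty|plink)   printf '%s\n' -P ;;
        *)                      return 1 ;;
    esac
}

# Run before "service sshd restart": succeeds only when the firewall dump
# already admits the port sshd is configured to use.
preflight() {
    p=$(sshd_effective_port "$1")
    if firewall_allows_tcp_port "$2" "$p"; then
        echo "sshd will listen on $p and the firewall accepts it"
        return 0
    fi
    echo "sshd will listen on $p but no ACCEPT rule admits it; open it first"
    return 1
}

# --- constructed sample inputs -------------------------------------------
tmp=$(mktemp -d)
cat > "$tmp/sshd_config.default" <<'EOF'
# constructed sample: stock config, Port line still commented out
#Port 22
Protocol 2
EOF
cat > "$tmp/sshd_config.moved" <<'EOF'
# constructed sample: port moved away from 22
#Port 22
Port 2222
Protocol 2
EOF
cat > "$tmp/rules.v4" <<'EOF'
# constructed iptables-save sample: default DROP, only port 22 opened
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF

# Stock config passes; the moved config fails until a 2222 rule is added.
preflight "$tmp/sshd_config.default" "$tmp/rules.v4"
preflight "$tmp/sshd_config.moved" "$tmp/rules.v4" || true
echo "connect with: ssh $(client_port_flag ssh) $(sshd_effective_port "$tmp/sshd_config.moved") user@host"
echo "copy with:    scp $(client_port_flag scp) $(sshd_effective_port "$tmp/sshd_config.moved") file user@host:"
```

Point the two arguments of `preflight` at the real `/etc/ssh/sshd_config` and the output of `iptables-save` to check a live host; a non-zero exit means restarting sshd now would leave the new port unreachable from outside.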