Well, my port number isn't going to show up on a default port scan either... most scanners just test the lower numbers. Like I said, it's security through obscurity, but the biggest benefit is you usually don't end up with any brute-force SSH attempts (i.e., you keep out the idiots). Ever since I changed it, I have had zero attempts. If, like you said, you layer the protection, you probably don't have nearly as much to worry about. I don't go to the extreme of blocking password logins and using keys only, but I do most of the other standard stuff: deny root login, change ports, strong passwords, specify users, specify IPs (when they are static), limit the number of login attempts, etc. <br>
<br>Dave Crouse<br><br><br><div class="gmail_quote">On Tue, May 13, 2008 at 12:53 PM, Josh More <<a href="mailto:morej@alliancetechnologies.net">morej@alliancetechnologies.net</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
The problem is that, in order for SSH to function at all, it has to be a<br>
listening port. This means that it will show up on port scans unless<br>
you limit it at the network layer (hosts.allow/hosts.deny and the like).<br>
Simply moving the port doesn't do anything to protect the service, as<br>
all the same attacks will still succeed against it wherever it is, and<br>
wherever you put it it can be easily found.<br>
<br>
That's why it's best to layer the defenses. Protect the network layer<br>
with DenyHosts or specifically allowing IPs. Protect the service by<br>
limiting the ways in which it can be used (v2 + keys-only). Protect the<br>
system by limiting the use of service (specifically allowed users).<br>
<br>
It sounds like you're doing some of this in addition to moving the port,<br>
which is good. My concern is the number of people out there that simply<br>
run SSH on port 2222 (or the like) and think they're secure. It's<br>
effective, but only if you count "effective" as avoiding the idiots.<br>
The idiots likely wouldn't have gotten in anyway, so who cares. All<br>
you're doing is reducing traffic (not a bad thing, really) and reducing<br>
your log volume.<br>
<div class="Ih2E3d"><br>
<br>
<br>
-Josh More, RHCE, CISSP, NCLP, GIAC<br>
<a href="mailto:morej@alliancetechnologies.net">morej@alliancetechnologies.net</a><br>
515-245-7701<br>
<br>
</div>>>> "Dave Crouse" <<a href="mailto:crouse@usalug.net">crouse@usalug.net</a>> 05/13/08 12:44 PM >>><br>
<div><div></div><div class="Wj3C7c">I don't know about that; security through obscurity, maybe a bit, but still<br>
HIGHLY effective...<br>
<br>
zero vs 100,000 ;)<br>
<br>
QUOTE:<br>
"We also note that all three honeypots used in this study ran a second SSH<br>
server on a high port, which was used for maintenance and control purposes.<br>
No malicious login attempts directed at the servers running on these ports<br>
were observed during the same period that over 100,000 attacks were observed<br>
on the default SSH port. Asking legitimate users to remember the<br>
non-standard port can be a small inconvenience."<br>
SOURCE: <a href="http://people.clarkson.edu/%7Eowensjp/pubs/leet08.pdf" target="_blank">http://people.clarkson.edu/~owensjp/pubs/leet08.pdf</a><br>
<br>
There are of course many ways to make SSH more secure than the default<br>
settings. Disabling root login is always #1 on my list :) Changing the<br>
port number is always #2. Setting allowed users, the number of logins,<br>
and allowed IPs helps as well.<br>
<br>
Dave Crouse<br>
<br>
<br>
<br>
<br>
On Tue, May 13, 2008 at 12:22 PM, Josh More<br>
<<a href="mailto:morej@alliancetechnologies.net">morej@alliancetechnologies.net</a>><br>
wrote:<br>
<br>
> True, but it doesn't improve security, it just reduces the number of<br>
> random stumblers.<br>
><br>
> I suggest disabling remote SSH login for root and locking down SSH to<br>
> version 2 and key-based access only. I also run DenyHosts to limit the<br>
> traffic.<br>
><br>
><br>
><br>
> -Josh More, RHCE, CISSP, NCLP, GIAC<br>
> <a href="mailto:morej@alliancetechnologies.net">morej@alliancetechnologies.net</a><br>
> 515-245-7701<br>
><br>
> >>> "Dave Crouse" <<a href="mailto:crouse@usalug.net">crouse@usalug.net</a>> 05/13/08 12:16 PM >>><br>
> I never run SSH on the standard port 22 anymore... changing the port<br>
> number alone will significantly reduce the number of logged attacks.<br>
><br>
> Dave Crouse<br>
><br>
><br>
><br>
><br>
> On Tue, May 13, 2008 at 11:49 AM, Kendall Bailey <<a href="mailto:krbailey@gmail.com">krbailey@gmail.com</a>><br>
> wrote:<br>
><br>
> > I run an SSH server on port 22 as my only public service. I run the<br>
> > denyhosts daemon to protect against dictionary attacks and lock down<br>
> > SSH pretty thoroughly in other regards, but still allow connection<br>
> > from any host otherwise. The last few days I've seen hundreds of<br>
> > hosts logged by denyhosts. Anyone know why random dictionary attacks<br>
> > might be spiking? Is it widespread? I'm considering closing that<br>
> > port for a while.<br>
> ><br>
> > Thanks.<br>
> > Kendall<br>
> > _______________________________________________<br>
> > Cialug mailing list<br>
> > <a href="mailto:Cialug@cialug.org">Cialug@cialug.org</a><br>
> > <a href="http://cialug.org/mailman/listinfo/cialug" target="_blank">http://cialug.org/mailman/listinfo/cialug</a><br>
> ><br>
><br>
><br>
<br>
</div></div></blockquote></div><br>
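The thread's checklist (deny root login, protocol 2, keys only, AllowUsers, a bounded number of login attempts, DenyHosts at the network layer) as working code. This is an added example, not code from any poster in the thread or from DenyHosts itself; the sshd_config samples and auth.log lines are constructed for it, the "default" values are assumptions modelled on sshd's compiled-in defaults, and the MaxAuthTries ceiling of 3 is an assumed policy choice. A non-default Port is deliberately not a pass/fail item, which is the point Josh makes: it cuts noise but does not protect the listener.

```python
"""Added example, not code from the thread: the sshd_config checklist the
posters describe, plus a DenyHosts-style failed-login counter. Sample
configs and log lines are constructed for the example."""
import re
from collections import Counter

# Checklist directives (sshd treats names case-insensitively). "default" is
# an assumption modelled on sshd's compiled-in default, so a missing
# directive is judged by what sshd would do rather than flagged for absence.
CHECKLIST = {
    "permitrootlogin":        {"accept": {"no"},  "default": "yes"},
    "protocol":               {"accept": {"2"},   "default": "2"},
    "passwordauthentication": {"accept": {"no"},  "default": "yes"},
    "pubkeyauthentication":   {"accept": {"yes"}, "default": "yes"},
}
MAX_AUTH_TRIES = 3  # assumed ceiling; sshd's own default is 6

def parse_sshd_config(text):
    """Lowercase directive -> value for the global section; first occurrence
    wins as in sshd, and parsing stops at the first conditional Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings

def audit_sshd_config(text):
    """Return [(directive, finding)]; empty means the checklist is met. Port
    is deliberately not checked: moving it only cuts noise, the listener is
    still found by a full-range scan."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, rule in CHECKLIST.items():
        actual = cfg.get(key, rule["default"])
        if actual.lower() not in rule["accept"]:
            findings.append((key, f"expected {sorted(rule['accept'])}, found {actual!r}"))
    tries = cfg.get("maxauthtries", "6")
    if not tries.isdigit() or int(tries) > MAX_AUTH_TRIES:
        findings.append(("maxauthtries", f"expected <= {MAX_AUTH_TRIES}, found {tries!r}"))
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append(("allowusers", "no AllowUsers/AllowGroups: any local account may try"))
    return findings

# The two sshd messages DenyHosts counts as failures: group 1 is the user
# name tried, group 2 the source address.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for (?:invalid user )?|Invalid user )"
    r"(\S+) from (\d{1,3}(?:\.\d{1,3}){3})"
)

def failed_login_counts(log_text):
    """Failed sshd logins per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts

def brute_force_sources(log_text, threshold):
    """hosts.deny lines for sources at or above threshold, busiest first."""
    counts = failed_login_counts(log_text)
    return [f"sshd: {ip}" for ip, n in counts.most_common() if n >= threshold]

# Constructed samples: the "port 2222 and done" config the thread warns
# about, one hardened as the thread describes, and a few auth.log lines.
WEAK_CONFIG = """\
Port 2222
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_CONFIG = """\
Port 2222
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
MaxAuthTries 3
AllowUsers kendall@198.51.100.9 dave
"""
SAMPLE_AUTH_LOG = """\
May 13 11:40:01 host sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
May 13 11:40:03 host sshd[2013]: Failed password for root from 203.0.113.7 port 50130 ssh2
May 13 11:41:12 host sshd[2020]: Failed password for kendall from 198.51.100.9 port 41000 ssh2
May 13 11:41:20 host sshd[2022]: Accepted publickey for kendall from 198.51.100.9 port 41002 ssh2
May 13 11:42:00 host sshd[2030]: Invalid user oracle from 203.0.113.7
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "meets checklist")
    print(brute_force_sources(SAMPLE_AUTH_LOG, threshold=3))
```

The weak config is flagged on five counts (root login, SSH1 still enabled, passwords accepted, the default six auth tries, and no user allow-list) even though it already runs on port 2222; the hardened one passes. The `user@host` form of AllowUsers is how sshd itself expresses the "specify IPs" item without a firewall, and the hosts.deny lines are what DenyHosts would append for the one address that crosses the threshold.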