[aklug] Re: Increase in ssh attempts

From: Royce Williams <royce@alaska.net>
Date: Sun Jul 25 2010 - 18:23:59 AKDT

Arthur Corliss said, on 07/25/2010 05:49 PM:
> I do run ssh on the normal ports myself, and have seen little value in
> security by obscurity.

While I treat my alternate-port services exactly like I would their
default counterparts, I have found one significant benefit: fewer hits,
which means simpler logs.

> In a nutshell, everyone running a publicly exposed
> host should be doing the following things:

All good stuff. I'd been lazy about requiring a specific group; fixed.
Thanks for the nudge!

I also practice "default deny": I firewall SSH to limit incoming
connections to only those networks that I usually come from (or a hop or
two away, allowing IPs on a couple of shell servers). This drastically
reduces attempts, and reduces log clutter, but it requires advance
planning if you want access from somewhere else. (I've been meaning to
look into port knocking, but haven't gotten a Round Tuit yet).

When somebody gets past all of the above, they stand out like a sore
thumb. Of course, good reporting covers that ... but with the setup I
have above, I can get alerted in real time in addition to the nightly
report. This buys me a Warm Fuzzy.

Once more scanning starts happening on alternate ports, and once it
comes more often from the networks that I am usually on, the luxury of
real-time alerts will go away. For now, it works well.

Royce
Received on Sun Jul 25 18:24:02 2010
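
The real-time alerting described in the message above, as an added example that is not part of the original post: a Python sketch that scans sshd log lines and flags any authentication event whose source address lies outside an allowlist of networks. The networks, log lines, user names and function names are constructed for illustration.

```python
import ipaddress
import re

# Assumption: networks the admin normally connects from (documentation ranges).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in
                ("192.0.2.0/24", "198.51.100.16/28", "2001:db8:10::/48")]

# OpenSSH auth messages that carry a source address.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<event>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def is_allowed(ip_text):
    """True if ip_text parses and falls inside one of ALLOWED_NETS."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable source: treat as outside the allowlist
    return any(ip.version == net.version and ip in net for net in ALLOWED_NETS)

def find_alerts(lines):
    """Return one alert dict per sshd auth event from outside ALLOWED_NETS."""
    alerts = []
    for line in lines:
        m = SSHD_RE.search(line)
        if m is None or is_allowed(m["ip"]):
            continue
        # With default-deny filtering in front of sshd, any event reaching
        # this point means the filter has a gap; a successful login is worse.
        severity = "critical" if m["event"] == "Accepted" else "warning"
        alerts.append({"severity": severity, "event": m["event"],
                       "user": m["user"], "ip": m["ip"]})
    return alerts

# Constructed sample log lines (not from a real host).
SAMPLE_LOG = [
    "Jul 25 18:01:12 host sshd[2101]: Accepted publickey for alice from 192.0.2.44 port 51022 ssh2",
    "Jul 25 18:03:40 host sshd[2117]: Failed password for invalid user admin from 203.0.113.9 port 40112 ssh2",
    "Jul 25 18:04:02 host sshd[2120]: Accepted password for backup from 203.0.113.77 port 40290 ssh2",
    "Jul 25 18:05:30 host sshd[2131]: Failed password for root from 198.51.100.20 port 33801 ssh2",
    "Jul 25 18:06:00 host cron[900]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for a in find_alerts(SAMPLE_LOG):
        print(f"[{a['severity']}] sshd {a['event']} for {a['user']} from {a['ip']}")
```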
