Hey,
I've been reading up, and talking up, various security strategies. One thing
that is striking to me in looking at logs for my servers are the endless ssh
probes that go on. It appears to be one of the most common. Up till recently,
I had dealt with this by using firewall rules to allow ssh access only to
selected ip addresses - to all others, the port appears closed (I checked
this with port scans). Now, I must change strategies. I need to give access
to an associate who gets his dsl ip address via dhcp, so it's always
changing. I'm not quite ready to try port knocking, so, the other suggestion
I read over and over is to provide ssh on a non-standard port. So, I throw
this out to the collective experience - what's your take on that strategy?
Won't simple scans reveal the existence of ssh access on a non-standard port?
Is this really much protection? Is it merely a question of reducing odds?
Here I use a combination of strategies:
- Run SSHD on a non-standard port
- Do not allow Root Logins
    PermitRootLogin no
- Use AllowUsers to restrict which users can log in
    AllowUsers user1 user2 user3@host.something.com
- Use strong passwords
- Use a program to ask something of the user who logs in.
Yes, a simple scan will reveal that you're running ssh on a
non-standard port, but you'll not be knocked by the automated bot
scans that use the default ssh port. These bot scans are responsible
for about 99% of those attempts you're seeing.
After those changes I see no attempts in my logs anymore.
--
Regards,
Alejandro Flores
http://www.triforsec.com.br/
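An added example (not part of the thread or of anything from triforsec.com.br) that checks an sshd_config for the three settings the reply recommends: a non-default Port, PermitRootLogin no, and an AllowUsers list. The two sample config files are constructed inline and written to a temporary directory; the port number 2222 and the user names are placeholders. The script relies on two real sshd_config rules: keywords are case-insensitive, and when a keyword appears more than once the first occurrence wins.

```shell
#!/bin/sh
# Added example, not code from the original mail: audit an sshd_config for the
# settings discussed in the reply. Sample configs below are constructed.

# Print the effective value of a directive. sshd uses the FIRST occurrence of a
# keyword and ignores later duplicates; keyword matching is case-insensitive.
get_directive() {
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) && !found {
            found = 1
            val = $2
            for (i = 3; i <= NF; i++) val = val " " $i
        }
        END { print val }' "$1"
}

# Print one finding per line for each of the reply's settings that is absent
# or left at a weak value. Always exits 0 so callers can count the output.
audit_sshd_config() {
    f="$1"

    port=$(get_directive "$f" Port)
    [ -n "$port" ] || port=22                       # sshd default when unset
    [ "$port" = "22" ] && echo "Port 22: listening on the default port that automated scans target"

    root=$(get_directive "$f" PermitRootLogin | tr 'A-Z' 'a-z')
    case "$root" in
        no) ;;
        "") echo "PermitRootLogin unset: relying on the sshd default instead of an explicit no" ;;
        *)  echo "PermitRootLogin $root: root may log in directly" ;;
    esac

    users=$(get_directive "$f" AllowUsers)
    [ -n "$users" ] || echo "AllowUsers missing: every local account may attempt a login"
    return 0
}

# Number of findings for a config file (0 means all three settings are in place).
count_sshd_issues() {
    audit_sshd_config "$1" | wc -l | tr -d ' '
}

tmp=$(mktemp -d)
WEAK_CONF="$tmp/sshd_config.weak"
STRONG_CONF="$tmp/sshd_config.strong"

# Constructed sample: a stock-looking config with none of the reply's settings.
cat > "$WEAK_CONF" <<'EOF'
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

# Constructed sample: the reply's settings applied (2222 is an arbitrary port).
cat > "$STRONG_CONF" <<'EOF'
Port 2222
PermitRootLogin no
AllowUsers user1 user2 user3@host.something.com
EOF

echo "== weak =="
audit_sshd_config "$WEAK_CONF"
echo "== hardened =="
audit_sshd_config "$STRONG_CONF"
```

Run it against a real file with `audit_sshd_config /etc/ssh/sshd_config`; for the effective running configuration, including values set by Match blocks and defaults, compare against `sshd -T` instead of the file.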