[kwlug-disc] Tightening up SSH

Andrew Kohlsmith (mailing lists account) aklists at mixdown.ca
Tue Jul 20 10:10:47 EDT 2010 

On Monday, July 19, 2010 10:41:35 pm unsolicited wrote:
> Darcy Casselman wrote, On 07/19/2010 9:12 AM:
> > Along with previous suggestions, I'd recommend switching to a
> > non-standard port.  It's not really security against a determined
> > attacker, but it cuts out 99.99% of the random Internet drive-bys.
> 
> Could you tell me the source of this statistic please?

Darcy claims he made it up, but I can back it up with my own experience too.  
And yes, I do know that the plural of "anecdote" is not "evidence". :-)

Let's step back for a moment though and look at what's going on.

There are a bunch of internet worms out there doing "internet drive by" 
attacks looking for open ssh ports, and if something is found, launching a 
dictionary attack against them with common usernames.

This isn't an "attack" any more than a bird flying overhead managing to poop on 
your head is an attack. There's no intelligence behind this.

(Ok, maybe it's slightly more of an attack than the example I gave, since the 
bird isn't flying overhead looking for bald spots (I hope!), but you get my 
drift.)

Again, you are not being targeted. Moving to a non-standard port eliminates 
your logs filling up with this crap. I don't think anyone is saying that this 
is a means to increase security, although I would argue that obscurity is a 
valid additional layer to a properly executed security regimen.

> Changing the port number probably impacts, and irritates, you more
> than anyone else. Particularly with a properly secured port - as the
> poster is in the process of ensuring.

I agree; this is why I don't move my ssh off of the standard port.  I put up 
with the crapflooding, particularly because a) I know nobody's getting in 
through ssh and b) I never check my logs for ssh attacks anyway.

I did play around with "knocking" for a while but it irritated me as well 
because I would continually forget the knock code. One of my friends lives for 
tcpwrappers, but this infuriates me because the only time I usually need to 
get in to his systems are when I'm somewhere away from home, and having to 
bounce in through my dedicated box is an extra step I really dislike.

I know that if someone's going to compromise my system they'll get in through 
something OTHER than ssh; I'm not going to post guards at my door when I know 
I've got much easier to infiltrate windows around back.

-A.

More information about the kwlug-disc mailing list