On 09/02/15 20:00, Simon Avery wrote:
> I've mentioned this a few times already and I still think it's one of
> the most basic and effective things you can and should do if you have a
> linux server exposed to the internet, yet one of the most overlooked.

Oh no, not this again...

I'm afraid I'm going to have to (respectfully) disagree with you on this: let me explain.

Firstly, this is stupid because it's security through obscurity, thus an a priori failure immediately. I do actually have thousands of Linux boxes out there on the internet and they all listen on 22 for SSH, just like God and the RFC intended. And I have no problems, largely because I follow your very own great suggestions, which are all that is needed to make it a non-issue. I'll repeat them here, slightly edited, because they're good advice:

Recommendations from a one day sample:

- Move ssh off port 22. (NO NO NO NO NO)
- Disable root user logins on ssh.
- Restrict to key logins (no interactive password logins ever).
- Use fail2ban (or anything else like IDS, iptables, denyhosts, etc.) with a long timeout.
- Lock down your sshd config file properly.

And that's it, no drama. Lame automated botnet scans can continue bouncing off my network all day long and I couldn't care less.

And as for logging, well, disk space is plentiful and cheap and I love logs, the more the merrier. They all get sent to a centralised rsyslog server by the tens of thousands, which I can then make pretty graphs out of for the pointy haired ones and mine for more abusive IP blocks for my IDS to automatically permban. None of my servers - and many of them are pretty small embedded platforms serving as network gateways and access points for customers, so are getting battered with traffic non-stop already - show any significant load increase just for dealing with some botnet scanning.
The most stupid thing about this is the botnet scans will find your random SSH port before too long, and then your IP and SSH port go into their database and now everyone in China knows your secret. So what are you going to do? Change it again? That's going to get really annoying really quickly. I also don't fancy maintaining a massive lookup table to keep track of which random port SSH is running on each of my thousands of servers in the wild.

By your logic, now you're getting http probes you're surely going to move apache to start serving on some random port? No, I didn't think so!

Leave SSH where it is on 22: it's there for a reason.

Toodles

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
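The reply's list boils down to a handful of sshd_config settings (root login off, key-only authentication, no empty passwords) that are easy to state and easy to get subtly wrong, because sshd honours the first occurrence of a keyword and falls back to a compiled-in default when a line is commented out. The following script is an added example, not code from the post or from the DCLUG list: it audits an sshd_config against those settings, judging the OpenSSH default when a keyword is absent rather than treating "unset" as safe, and stops scanning at the first Match block since anything after it is conditional. The two config files it writes are constructed samples; the "=value" keyword syntax is deliberately not handled.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an sshd_config for the
# settings recommended in the reply (root login off, key-only auth, no empty
# passwords). The two config files written below are constructed samples.

# sshd_value FILE KEYWORD: first effective value of KEYWORD in FILE's global
# section. sshd uses the first occurrence of a keyword; lines after a Match
# block are conditional, so the scan stops there. (Keyword=value syntax is
# not handled; this is a simplification.)
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match"               { exit }
        tolower($1) == key                   { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE: print one PASS/FAIL line per rule. When a keyword is
# absent, the OpenSSH default (third field of the rule) is what sshd actually
# applies, so that default is judged instead of silently passing. Returns 0.
audit_sshd_config() {
    file=$1
    # rule format: Keyword|required value|OpenSSH default when unset
    for rule in \
        "PermitRootLogin|no|prohibit-password" \
        "PasswordAuthentication|no|yes" \
        "PubkeyAuthentication|yes|yes" \
        "PermitEmptyPasswords|no|no"
    do
        kw=${rule%%|*}; rest=${rule#*|}; want=${rest%%|*}; dflt=${rest#*|}
        have=$(sshd_value "$file" "$kw")
        src=explicit
        if [ -z "$have" ]; then have=$dflt; src=default; fi
        if [ "$have" = "$want" ]; then
            printf 'PASS %s=%s (%s)\n' "$kw" "$have" "$src"
        else
            printf 'FAIL %s=%s (%s), want %s\n' "$kw" "$have" "$src" "$want"
        fi
    done
    return 0
}

# sshd_failure_count FILE: print the number of FAIL lines for FILE.
sshd_failure_count() {
    audit_sshd_config "$1" | awk '/^FAIL/ { n++ } END { print n + 0 }'
}

WORK=$(mktemp -d)
WEAK_CONF=$WORK/sshd_config.weak
HARD_CONF=$WORK/sshd_config.hardened

# Constructed sample: a stock-looking config. Root login is governed only by
# the commented-out default, and password logins are still accepted.
cat > "$WEAK_CONF" <<'EOF'
# Constructed weak sshd_config (sample data for the example)
Port 22
#PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
EOF

# Constructed sample: the same box locked down as the reply recommends. The
# Match block re-enables passwords for one user only; the global audit must
# not be fooled by it.
cat > "$HARD_CONF" <<'EOF'
# Constructed hardened sshd_config (sample data for the example)
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
Match User backup
    PasswordAuthentication yes
EOF

echo "== weak =="; audit_sshd_config "$WEAK_CONF"
echo "== hardened =="; audit_sshd_config "$HARD_CONF"
```

Run it as a plain script and the weak sample reports two failures (root login left at the default, passwords enabled) while the hardened sample reports none; point `audit_sshd_config` at a real `/etc/ssh/sshd_config` to check a live box. Note that the port is deliberately not a rule: as the reply argues, 22 is where SSH belongs.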