Interesting article on this subject here:
https://www.adayinthelifeof.nl/2012/03/12/why-putting-ssh-on-another-port-than-22-is-bad-idea/

On 10 February 2015 at 09:32, Simon Waters <simon@xxxxxxxxxxxxxx> wrote:
> The issue with the default SSH config in most distros is it is; anyone
> anywhere, to any user, any number of times.
>
> I usually whitelist users (to the ones where I choose the passwords)
> I usually restrict access to IP addresses I control.
> Where I don't restrict access I apply a second factor (TOTP).
> I either fail2ban or log attempts (and read the logs).
>
> I don't change port, I don't always stop root login, I don't always insist
> on just keys.
>
> There are multiple ways to harden SSH, restricting which IPs, or which
> users, or how many times, all help limit the success of brute force attacks.
> Using keys or strong passwords also stopped more targeted attacks when the
> IP can be spoofed and where obscuring the port no longer helps.
>
> As such I see nothing wrong with changing the port other than it is annoying
> to always specify it, but whilst it might reduce the chance of brute force
> success, it shouldn't be reducing it significantly.

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
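
Added example, not part of either message: a small Python check that reads sshd_config text and reports which of the controls listed in the quoted post (user whitelist, source-address restriction, second factor) are absent. The sample configs and function names are constructed for illustration; fail2ban and firewall rules live outside sshd_config, so this check cannot see them.

```python
# Added example: audit sshd_config text for controls named in the quoted post.
# Reads only the global section (before the first Match block).

def parse_global(text):
    """Return {lowercased keyword: [arguments]} for the global section."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "match":
            break
        if key in ("allowusers", "allowgroups"):
            opts.setdefault(key, []).extend(args)   # list keywords accumulate
        else:
            opts.setdefault(key, args)              # first occurrence wins
    return opts

def requires_second_factor(methods):
    """True if every alternative method list chains keyboard-interactive
    (where a PAM TOTP prompt appears) with a different method."""
    def chained(m):
        kinds = {p.split(":")[0] for p in m.split(",")}
        return "keyboard-interactive" in kinds and len(kinds) >= 2
    return bool(methods) and all(chained(m) for m in methods)

def audit(text):
    o = parse_global(text)
    allow = o.get("allowusers", [])
    findings = []
    if not (allow or o.get("allowgroups")):
        findings.append("any user may log in: no AllowUsers/AllowGroups")
    # USER@HOST patterns bind each allowed login to a source address.
    ip_bound = bool(allow) and all("@" in p for p in allow)
    if not ip_bound and not requires_second_factor(o.get("authenticationmethods")):
        findings.append("any source address, single factor")
    return findings

# Constructed sample configs (192.0.2.0/24 is a documentation range).
MOVED_PORT = "Port 2222\nPermitRootLogin prohibit-password\n"
IP_BOUND = "AllowUsers alice@192.0.2.10 bob@192.0.2.*\n"
TOTP = "AllowUsers alice\nAuthenticationMethods publickey,keyboard-interactive:pam\n"

if __name__ == "__main__":
    for name, cfg in [("moved port", MOVED_PORT), ("ip bound", IP_BOUND), ("totp", TOTP)]:
        print(name, audit(cfg) or "ok")
```

The moved-port sample still produces both findings, which matches the post's point that a port change leaves "anyone, anywhere, any user" untouched.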