Longman, Bill wrote:

>> I've seen many recommendations for port knocking, but I feel that's
>> unnecessarily complex when compared to simply changing the port sshd
>> listens on. While the use of port knocking no doubt further decreases
>> your exposure over an alternate sshd port, the difference is only a
>> small percentage of the benefit you receive from moving away from port
>> 22 in the first place.
>
> I've moved most of my public SSH ports off 22 because it reduces a
> thousandfold the script kiddies playing with their toys and filling my logs
> and pipes. There is no more efficient means that will give you such returns
> with such little effort.
>
> I only wish I'd done it sooner. Yeah, you'll still get port scanned and
> someone will snoop around, but that's not in the face of the storm on port
> 22.

Actually, if you apply RSA/DSA key authentication, the only thing that
you are going to protect is your bandwidth; no script or (known) exploit
is going to crack your openssh daemon that way.

I really don't worry about script kiddies hacking my computer via
openssh brute force, as long as it requires keys for entrance.

The problem is 'targeted hacking', and I believe that you should be
worried about that scenario much more.

After all, even if some kid breaks in (probably using a buggy php
program that you run on the server), it's highly unlikely that he will
manage to bypass a 'hardened' box running a security model (pax +
rsbac/selinux/grsec).

It will take a 'Wizard' to bypass that level of security.

And if this is the case, make sure your setup is correct till the last
file and pray :-)
--
gentoo-hardened@g.o mailing list
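The thread's two pieces of advice (move the listener off port 22 to cut log noise, and require keys so that brute force has nothing to guess) can be checked mechanically. The script below is an added example, not code from the list or from any poster: it audits an sshd_config for those settings, and it shows the one edge case that bites in practice, namely that sshd honours the first occurrence of a keyword, so a `PasswordAuthentication no` appended at the end of a file is silently ignored if an earlier line already set it. The two config files are constructed samples written to temp files; `sshd_get` and `sshd_audit` are names chosen here, and the parser assumes whitespace-separated `Keyword value` syntax and skips everything after a `Match` line.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the thread's advice (keys only,
# no password logins, listener off port 22). Two constructed configs are
# embedded so it runs offline; they are illustrative, not anyone's real server.

# sshd_get KEYWORD FILE: print the effective value of a keyword.
# sshd honours the FIRST non-comment occurrence of a keyword, so a hardening
# line appended at the end does nothing if an earlier line already set it.
# Keywords inside Match blocks are conditional and are skipped here.
# Assumes "Keyword value" syntax (whitespace separated, no '=').
sshd_get() {
    awk -v key="$1" '
        /^[[:space:]]*(#|$)/        { next }          # comments and blank lines
        tolower($1) == "match"      { inmatch = 1 }   # rest of file is conditional
        inmatch                     { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$2"
}

# sshd_audit FILE: print one line per finding; return 0 if clean, 1 otherwise.
sshd_audit() {
    f="$1"
    findings=0
    port=$(sshd_get Port "$f")
    pw=$(sshd_get PasswordAuthentication "$f")
    pk=$(sshd_get PubkeyAuthentication "$f")
    cr=$(sshd_get ChallengeResponseAuthentication "$f")
    # OpenSSH defaults that apply when the keyword is absent
    : "${port:=22}" "${pw:=yes}" "${pk:=yes}" "${cr:=yes}"

    if [ "$port" = 22 ]; then
        echo "Port 22: still on the default port; expect the log noise the post describes"
        findings=$((findings + 1))
    fi
    if [ "$pw" != no ]; then
        echo "PasswordAuthentication $pw: brute force still has something to guess"
        findings=$((findings + 1))
    fi
    if [ "$cr" != no ]; then
        echo "ChallengeResponseAuthentication $cr: keyboard-interactive (PAM) password path still open"
        findings=$((findings + 1))
    fi
    if [ "$pk" != yes ]; then
        echo "PubkeyAuthentication $pk: key-based login is disabled"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample: looks patched, but the appended "no" is ignored by sshd.
make_weak_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# constructed example, stock-looking config
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
# added later by an admin; sshd already took the first value above
PasswordAuthentication no
EOF
    echo "$f"
}

# Constructed sample: the thread's recommendations applied, with a Match
# block that must not leak into the global result.
make_hardened_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
    echo "$f"
}

for cfg in "$(make_weak_conf)" "$(make_hardened_conf)"; do
    echo "== $cfg"
    if sshd_audit "$cfg"; then echo "no findings"; fi
    rm -f "$cfg"
done
```

Run it as-is to see the weak file flagged three times (port, password auth, challenge-response) and the hardened file pass; point `sshd_audit` at a real `/etc/ssh/sshd_config` to check a host. `sshd -T` prints the effective configuration and is the authoritative check on a live system; this parser exists to make the first-occurrence rule visible.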