| 1 |
Longman, Bill wrote: |
| 2 |
>> I've seen many recommendations for port knocking, but I feel that's |
| 3 |
>> unnecessarily complex when compared to simply changing the port sshd |
| 4 |
>> listens on. While the use of port knocking no doubt further decreases |
| 5 |
>> your exposure over an alternate sshd port, the difference is only a |
| 6 |
>> small percentage of the benefit you receive from moving away from port |
| 7 |
>> 22 in the first place. |
| 8 |
> |
| 9 |
> I've moved most of my public SSH ports off 22 because it reduces by |
| 10 |
> thousandfolds the script kiddies playing with their toys and filling my logs |
| 11 |
> and pipes. There is no more efficient means that will give you such returns |
| 12 |
> with such little effort. |
| 13 |
> |
| 14 |
> I only wish I'd done it sooner. Yeah, you'll still get port scanned and |
| 15 |
> someone will snoop around, but that's not in the face of the storm on port |
| 16 |
> 22. |
| 17 |
|
| 18 |
Actually, if you apply RSA/DSA key-authentication the only thing that |
| 19 |
you are going to protect is your bandwidth, no script or (known) exploit |
| 20 |
is going to crack your openssh daemon that way. |
| 21 |
|
| 22 |
I really don't worry about script kiddies hacking my computer via |
| 23 |
openssh-brute force. As long as it requires keys for entrance. |
| 24 |
|
| 25 |
The problem is the 'targeted hacking' and I believe that you should be |
| 26 |
worried about that scenario much more. |
| 27 |
|
| 28 |
After all, even if some kid breaks in (probably using a buggy php |
| 29 |
program that you run on the server), it's highly unlikely that he will |
| 30 |
manage to bypass a 'hardened' box running a security model (pax + |
| 31 |
rsbac/selinux/grsec). |
| 32 |
|
| 33 |
It will take a 'Wizard' to bypass that level of security. |
| 34 |
|
| 35 |
And if this is the case, make sure your setup is correct till the last |
| 36 |
file and pray :-) |
| 37 |
-- |
| 38 |
gentoo-hardened@g.o mailing list |
Archives