Author: Dan
Date: 31-01-07 17:25
alive wrote:
> Putting sshd on a "higher port" is security through obscurity.
You say that as if it is a bad thing.
> Brute-force bots try a limited set of usernames, and should
> therefore in practice not be feared by a sensible admin.
>
> Through this, we can conclude that if someone actually, really,
> wanted to break in to *your* server, changing the port of your
> sshd is not going to hinder them one least bit. The first thing
> a hacker ever does to a server is to probe for open ports using
> nmap.
None of which I contradict.
ssh on port 22 is tightly restricted with respect to who can talk to it. ssh on the other port is not. Anyone can talk to it. By moving it to another port, the number of door-knockers has dropped considerably.
This isn't to stop or deter the determined. It is to get rid of the script kiddies.
> However, I do believe that only allowing ssh key logins is a
> good part of the solution: Passwords are insecure.
Gee, thanks! I'm glad I wasn't wasting my time. ;)
> For everybody else, I would suggest to either disable password
> authentication on their sshd, or download DenyHosts (It's in
> the ports, and on denyhosts.sf.net)
I would welcome an article from you on DenyHosts.
--
Webmaster