
Re: newbie question on port forwarding(and ssh, netcat)



On Wed 10 Oct 2012 at 19:44:27 +0100, Joe wrote:

[Some good advice snipped]

> However you resolve the initial problem, the ssh server is very heavily
> targeted by the bad guys, using password checking bots. A quick and
> dirty security measure is to forward a non-standard high numbered
> external TCP port to <laptop>:22 (nearly all routers should be able to
> do that) or to forward it to the same port of the laptop, and
> reconfigure the ssh server to listen on that port (the Port xxx line(s)
> in /etc/sshd_config). Remember to restart the ssh server if you need to
> do this.
> 
> Six people will now leap in and say that's not going to improve
> security, all the bad guys have to do is run a portscan to find your
> server. However, scanning 65,000 ports of the same IP address across
> the Internet is no small undertaking, and will certainly attract
> attention, and I've never yet seen a bot attempt it. I don't get *any*
> connection attempts to my ssh port, while 22 gets 10-100 a day.

What you say about putting sshd on a port other than 22 is undoubtedly
correct. It gives peace of mind, a sense of combating the baddies, less
cruft in the logs and a reason to proselytise. What it doesn't give is a
more secure sshd. Not a single iota of security is gained with the
technique you advocate.

Five to go.
> The long-term solution is to disable passwords and use public-private
> key pairs for authentication, which is not really difficult, but is
> not for a complete beginner, and can certainly not be tried until you
> have the system working reliably on passwords. A quick Google for ssh
> public key tutorial turns up a vast number of sites to help with this.

If there was a security problem key-based authentication might provide
a solution. There isn't, so it doesn't.
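A defender-side check of the two points argued above, added here as an example and not code from either poster: it parses an sshd_config-style text and reports whether sshd was moved off port 22, which only trims log noise, and whether password authentication is still accepted, which is what the guessing bots actually hit. It assumes OpenSSH's first-value-wins rule for scalar keywords, a repeatable Port keyword, global options ending at the first Match block, and the documented defaults of yes for PasswordAuthentication and PubkeyAuthentication; the sample config is constructed.

```python
"""Audit an sshd_config text for the settings discussed in the thread.
Assumptions (not from the thread): OpenSSH's first-occurrence-wins rule for
scalar keywords, Port being repeatable, global options ending at the first
Match block, and the documented defaults below."""
import re

DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes"}

def parse_sshd_config(text):
    """Effective global settings: first value wins, except Port, which
    accumulates; parsing stops at the first Match block."""
    settings = {"port": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^(\w+)\s*(?:=|\s)\s*(.*)$", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break  # everything after Match is conditional, not global
        if key == "port":
            settings["port"].append(value)
        else:
            settings.setdefault(key, value)  # first occurrence wins
    if not settings["port"]:
        settings["port"] = ["22"]  # OpenSSH default
    for key, default in DEFAULTS.items():
        settings.setdefault(key, default)
    return settings

def audit(text):
    """Return (settings, findings): a non-22 port is cosmetic, while
    password authentication is what the guessing bots actually exploit."""
    s = parse_sshd_config(text)
    findings = []
    if s["port"] != ["22"]:
        findings.append("non-standard port: cuts log noise, not attack surface")
    if s["passwordauthentication"] == "yes":
        findings.append("password authentication enabled: exposed to guessing bots")
    if s["pubkeyauthentication"] != "yes":
        findings.append("public key authentication disabled")
    return s, findings

# Constructed sample: port moved off 22 but passwords still accepted.
SAMPLE = "Port 22022\nPasswordAuthentication yes\n" \
         "PasswordAuthentication no  # ignored: first wins\nMatch User backup\n"
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative text to feed in rather than the raw file.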
