
Re: ssh doesn't work.



On Wed, Dec 07, 2016 at 01:49:34PM -0500, Greg Wooledge wrote:
> On Wed, Dec 07, 2016 at 01:23:23PM -0500, Henning Follmann wrote:
> > Also changing the port to a nonstandard port is not a safety measure. Not a
> > reasonable at least. Unless there is some sane reason (like the network
> > operator prevents using port 22) keep it!
> 
> I disagree with this.  Changing the port at least decreases the number
> of brute force attacks against you, which saves resources (bandwidth, CPU)
> that are otherwise wasted by the attackers.
> 
This is security by obscurity, which has some serious issues.
First it hides obvious issues. If you see high traffic on port 9999 no one
in the NOC knows what that is. If it is on port 22 they know it's ssh.

Also have a sensible plan in place (and the documentation with it).
So if I have admins in the US and in Germany, I only let IPs from that
origin connect to port 22.

And also IDS (e.g. fail2ban) help you cut those wasted CPU cycles down.

And the best part about this, any issue will be obvious. And obscurity
is the enemy of security.


> I understand that you mean "it will not stop a dedicated professional
> attacker who really, really wants to get into your computer".  And that's
> true.  But it does help against the random script kiddies and attacks of
> opportunity.
> 

And to protect against the "professionals" allow only pk authentication
when the service is on any public network.

-H


-- 
Henning Follmann           | hfollmann@itcfollmann.com
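The two measures Henning describes (admin logins only from known source ranges, key-only authentication on the public side, with fail2ban left to handle the rest) written out as an sshd_config fragment. This is an added example, not something posted in the thread; the address ranges and the user name are placeholders.

```sshd_config
# sshd_config fragment (added example, not from the thread)
# Keep the standard port: the NOC sees ssh on 22 and nothing is hidden.
Port 22

# Public side: public-key authentication only, nothing else is offered.
PubkeyAuthentication no
PasswordAuthentication no
KbdInteractiveAuthentication no
AuthenticationMethods publickey
PermitRootLogin no

# Only the admins, and only from the networks they work from.
# 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges used as
# placeholders for the US and German admin networks; "admin" is a placeholder user.
AllowUsers admin@192.0.2.0/24 admin@198.51.100.0/24

# Management LAN (placeholder range): same key-only rule, but a short
# connection cap keeps brute-force noise from a compromised internal host low.
Match Address 10.10.0.0/16
    MaxAuthTries 3
```

Check the file with `sshd -t -f /path/to/sshd_config` before reloading, and inspect what a given client would actually get with `sshd -T -C user=admin,addr=192.0.2.10`.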

