[SATLUG] Re: Questions about home server security: non-standard ports

Paul Elliott pelliott at blackpatchpanel.com
Sat Feb 16 01:08:11 CST 2013


On Fri, Feb 15, 2013 at 03:04:20PM -0600, Don Davis wrote:
> Yes. It's worth doing. By moving to a non-standard port you'll make
> yourself less susceptible to the thousands of script kiddies cluelessly
> running whatever scripts they found wherever.
> 
> For all this discussion, you might find it worthwhile to set ports 22,
> 80, 443, 8080, 25 as tar pits.
> 
> If you move ssh to port 443, it'll look like https traffic.
> 

This is security by obscurity, a discredited security technique.

How long has it been since a genuine ssh exploit has been
found to work against protocol 2, password disabled, and a 
strong pass phrase?

A guessable pass phrase or an unconsidered account is a much
greater risk.

Better solution: disable protocol 1 and password.

Use "AllowUsers" to specify an explicit list of users allowed
to log on. Then for each and every one of those users, verify a
reasonably long pass phrase with no references to popular culture
or personal history, and that it has not been shared with anyone.

My AllowUsers specifies one user, me. And the pass phrase is long and
does not reference popular culture or personal or family history. There
is no chance anyone would guess or "research" it.

I often see in the log people trying to log on to root account.
Little do they know the root account would not let them log on
even if they knew the password.

I do not worry about ssh exploits.

-- 
Paul Elliott                               1(512)837-1096
pelliott at BlackPatchPanel.com               PMB 181, 11900 Metric Blvd Suite J
http://www.free.blackpatchpanel.com/pme/   Austin TX 78758-3117
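The hardening the reply recommends (protocol 2 only, password authentication off, an explicit AllowUsers list, and a root account that refuses logins) can be checked mechanically. The script below is an added example, not code from the original post or thread: it reads an sshd_config, applies sshd's rule that the first uncommented occurrence of a keyword wins, and reports each setting that is missing or weak. The two sample configs, the user name alice and the function names are constructed for the example; PermitRootLogin no is assumed to be how the root account is locked out, since the post does not say.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# settings recommended in the thread. Assumes the common "Keyword value"
# form (not "Keyword=value") and only looks at lines before the first
# Match block, which is where sshd takes its global settings from.

# effective_value FILE KEYWORD
# Prints the value of the first uncommented occurrence of KEYWORD before
# any Match line (sshd: first occurrence wins), or nothing if it is unset.
effective_value() {
    awk -v key="$2" '
        tolower($1) == "match"        { exit }         # globals end here
        /^[ \t]*#/ || NF == 0         { next }         # comments, blanks
        tolower($1) == tolower(key)   { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE
# Prints one "FAIL:" line per weak setting; returns 0 when all checks pass.
audit_sshd_config() {
    cfg=$1; rc=0
    # PasswordAuthentication and PermitRootLogin default to "yes" when
    # unset, so "unset" is treated as a failure, not as a pass.
    for pair in "Protocol=2" "PasswordAuthentication=no" "PermitRootLogin=no"; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(effective_value "$cfg" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', want '$want'"; rc=1
        fi
    done
    # An explicit allow-list: without it every local account is a target.
    if [ -z "$(effective_value "$cfg" AllowUsers)" ]; then
        echo "FAIL: AllowUsers is not set; every account may attempt a login"; rc=1
    fi
    # Match blocks can re-enable weaker settings for some clients; flag them.
    if grep -qi '^[ \t]*Match' "$cfg"; then
        echo "WARN: Match block(s) present; confirm they do not re-enable passwords"
    fi
    return $rc
}

# Constructed sample configs (hypothetical, not from any real host).
write_weak_config() {
    cat > "$1" <<'EOF'
# distribution defaults left in place
Port 22
Protocol 2,1
#PermitRootLogin no
PasswordAuthentication yes
EOF
}

write_hardened_config() {
    cat > "$1" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers alice
Match Address 192.0.2.0/24
    PasswordAuthentication yes
EOF
}

# Demo when run stand-alone.
tmpdir=$(mktemp -d)
write_weak_config "$tmpdir/weak.conf"
write_hardened_config "$tmpdir/hardened.conf"
echo "== weak.conf =="
audit_sshd_config "$tmpdir/weak.conf" || echo "=> weak.conf rejected"
echo "== hardened.conf =="
audit_sshd_config "$tmpdir/hardened.conf" && echo "=> hardened.conf passes"
rm -rf "$tmpdir"
```

On a live host, `sshd -T` prints the effective configuration after defaults are applied, which is a better input for this audit than the raw file. The Protocol check is historical: OpenSSH 7.4 and later removed SSH-1 server support, so the directive is obsolete there and "unset" is harmless. The Match warning matters because a Match block that turns PasswordAuthentication back on for some address range quietly undoes the global setting.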