Robert Brockway <rob...@timetraveller.org> wrote:

> Yes it would keep logs a bit cleaner. I've never[1] changed the ssh port
> on any host and never been terribly worried about the state of the logs as
> a result.

I tend to take a different view: if I can get rid of "rubbish" from the logs then it makes it easier for a log scanner (or me) to see potentially important issues - there's less potential for a false positive.

> Changing the port is only really viable for home servers. It can't
> reliably be done on any service used by a lot of people any more than you
> can do this for any other service.

At work we run a public ssh service on one tightly controlled system. Actually, that system is configured to use certificate-based login, and the only thing that such accounts can run is sftp. We also use IP-based ACLs within the ssh configuration to help ensure that internal system accounts cannot be used to log in to this box from outside the network. This is on port 22, although given the amount of hassle we've had getting our customers to use sftp instead of FTP, it would have been only a minuscule incremental change to insist on a different port.

At home I run ssh on a different port (again with a certain amount of lock-down). The difference here is that there is no 24x7 IT Services group to monitor suspicious activity: there's only me.

> The idea of changing the port number for SSH seems to stem from the idea
> that SSH is somehow more dangerous to run than another service and so
> needs special treatment.

In a skript kiddy world it is more "dangerous", as a successful login does lead to a shell. You are right in that unpatched faulty services can also lead to a compromise, which is why a public-facing system should run as few of them as possible.

> Most Linux systems will be using OpenSSH which comes from the OpenBSD
> project. It is likely the best audited code on many Linux systems and is
> thus likely to be less of a threat to system security than running many
> other services.

Er, the Debian ssh flaw from a very few years ago still occasionally gets thrown at me, as part of some "eeww, you run Linux, don't you" FUD.

> [1] I've been using SSH since 1996 or 1997.

Snap :-)

Chris

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/9btd98xu74....@news.roaima.co.uk
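The lock-down Chris describes for the work box (key/certificate-only authentication, accounts that can run nothing but sftp, and an IP-based ACL so that internal staff accounts are refused from outside the network) can be expressed in sshd_config roughly as below. This is an added example, not the poster's configuration; the CA file path, the Unix group names "sftponly" and "sysadmin", and 10.0.0.0/8 as the internal range are assumptions.

```sshd_config
# Added example, not the poster's configuration. Assumed: an OpenSSH user CA
# public key at /etc/ssh/user_ca.pub, a Unix group "sftponly" for customer
# accounts, a group "sysadmin" for staff, and 10.0.0.0/8 as the internal net.

# The work box stays on 22; a home box is where you would move this.
Port 22

# Keys or CA-signed certificates only: no passwords, no keyboard-interactive.
# (On OpenSSH older than 8.7 the second keyword is ChallengeResponseAuthentication.)
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
TrustedUserCAKeys /etc/ssh/user_ca.pub
PermitRootLogin no

# Default for a connection from anywhere: only the customer sftp group may
# authenticate at all.
AllowGroups sftponly

# VERBOSE records the fingerprint of the key or certificate used for each
# login, which is what you want a log scanner to correlate on.
LogLevel VERBOSE

# Customer accounts get sftp and nothing else: no shell, no tty, no forwarding.
# ChrootDirectory must be owned by root and not group/world-writable, or sshd
# refuses the login; give the user a writable subdirectory beneath it.
Match Group sftponly
    ForceCommand internal-sftp
    ChrootDirectory %h
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTTY no

# Staff accounts are accepted only when the client is on the internal network;
# from any other address the global AllowGroups above still applies and a
# sysadmin login is refused before authentication is even attempted.
Match Address 10.0.0.0/8
    AllowGroups sftponly sysadmin
```

Keywords inside a Match block override the global value for matching connections only, and a Match block runs to the next Match line or end of file, so the order of the two blocks matters if a user is in both groups. Check the result with `sshd -t -f /path/to/sshd_config` before restarting the daemon, and keep an existing session open while you test a new one.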