On Wed 10 Oct 2012 at 19:44:27 +0100, Joe wrote:

[Some good advice snipped]

> However you resolve the initial problem, the ssh server is very heavily
> targeted by the bad guys, using password checking bots. A quick and
> dirty security measure is to forward a non-standard high numbered
> external TCP port to <laptop>:22 (nearly all routers should be able to
> do that) or to forward it to the same port of the laptop, and
> reconfigure the ssh server to listen on that port (the Port xxx line(s)
> in /etc/sshd_config). Remember to restart the ssh server if you need to
> do this.
>
> Six people will now leap in and say that's not going to improve
> security, all the bad guys have to do is run a portscan to find your
> server. However, scanning 65,000 ports of the same IP address across
> the Internet is no small undertaking, and will certainly attract
> attention, and I've never yet seen a bot attempt it. I don't get *any*
> connection attempts to my ssh port, while 22 gets 10-100 a day.

What you say about putting sshd on a port other than 22 is undoubtedly
correct. It gives peace of mind, a sense of combating the baddies, less
cruft in the logs and a reason to proselytise.

What it doesn't give is a more secure sshd. Not a single iota of security
is gained with the technique you advocate.

Five to go.

> The long-term solution is to disable passwords and use public-private
> key pairs for authentication, which is not really difficult, but is
> not for a complete beginner, and can certainly not be tried until you
> have the system working reliably on passwords. A quick Google for ssh
> public key tutorial turns up a vast number of sites to help with this.

If there was a security problem, key-based authentication might provide a
solution. There isn't, so it doesn't.

Archive: http://lists.debian.org/20121010230100.GK30872@desktop