On Wed, 23 Sep 2015, James B. Byrne wrote:
Moving the port by itself still opens a functioning connection to the internet on a service that is inherently susceptible to brute force and rainbow attacks. The 'dangerous' people on the Internet will find this port in a heartbeat and they are far more worrisome than the script-kiddies. Since you absolutely must build a defence against these opponents anyway then you might as well leave the service on the default port to avoid screwing up legitimate users expectations.
Without disagreeing with the underlying assessment that SSH should be configured securely regardless of the port to which it's bound, my empirical findings are that few find the alternate port, and they certainly don't do it "in a heartbeat."
In fact, rooting out casual ssh port scans gives you a much better sense of who the 'dangerous' people really are. When you see failed logins in /var/log/secure, you're less likely to write them off as the price of being on the Internet and more likely to see them as a real threat.
Legitmate users aren't really an issue. If you give them access, then it's easy to tell them they need a stanza in ~/.ssh/config:
Host *.mydomain Port NNNN [... etc ...]Again, this isn't a workaround for a sloppy ssh configuration, but I do think it has some value.
-- Paul Heinlein heinlein@xxxxxxxxxx 45°38' N, 122°6' W
_______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx https://lists.centos.org/mailman/listinfo/centos