Re: google cloud compute with PEM file




On Wed, May 18, 2016 at 03:25:11AM +0100, Always Learning wrote:
> On Tue, 2016-05-17 at 20:12 -0400, Jonathan Billings wrote:
> > If you’re going to change the port, change it to something <1024.  You don’t want to have sshd running on a port that a non-root user can bind to.
> 
> But if, as I suggested, the enquirer restricts access to that port to
> his own IP, access attempts from other IPs will fail. Ports > 1024 can
> be accessed by authorised non-root users using the authorised
> originating IP whilst preventing access from all other IPs.

That's not the point.  If you bind to a port > 1024, then if your
non root account is compromised (or some other non-root account), then
it can start up a trojaned sshd on that port.

As others have said, might as well keep it on port 22, and just block
connections from any network but what you trust.  Make sure you
keep your packages up to date and run SELinux enabled.

-- 
Jonathan Billings <billings@xxxxxxxxxx>
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
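The point Jonathan makes above is that on Linux only root (or a process holding CAP_NET_BIND_SERVICE) can bind ports 0-1023, so an sshd moved to a high port is one a compromised unprivileged account could impersonate if the real daemon ever stops. The following added example (not code from the thread or from the CentOS project) is a small audit helper: it parses the `Port` directives out of sshd_config text, flags any that are unprivileged, and can probe whether the current user is actually able to bind a given port. The config snippet is constructed for the demonstration; the helper name `audit_sshd_ports` is an assumption of this example.

```python
import os
import socket

# Ports 0-1023 are "privileged" on Linux: binding them requires root or
# CAP_NET_BIND_SERVICE.  Anything above can be bound by any local user.
PRIVILEGED_MAX = 1023


def is_privileged_port(port: int) -> bool:
    """True if an unprivileged user could NOT bind this port."""
    return 0 <= port <= PRIVILEGED_MAX


def parse_sshd_ports(sshd_config_text: str) -> list:
    """Return the Port directives found in sshd_config text (default 22 if none).

    Comments are stripped; both 'Port 2222' and 'Port=2222' are accepted,
    as sshd allows either separator.  Unknown or non-numeric values are ignored.
    """
    ports = []
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "port" and parts[1].strip().isdigit():
            ports.append(int(parts[1].strip()))
    return ports or [22]  # sshd listens on 22 when no Port directive is given


def audit_sshd_ports(sshd_config_text: str) -> dict:
    """Map each configured port to 'privileged' or 'unprivileged'."""
    return {
        p: ("privileged" if is_privileged_port(p) else "unprivileged")
        for p in parse_sshd_ports(sshd_config_text)
    }


def can_bind(port: int, host: str = "127.0.0.1") -> bool:
    """Probe: can the current user bind a TCP listener on this port right now?

    PermissionError means the port is privileged and we are not root;
    other OSErrors (e.g. address already in use) also count as 'cannot'.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind((host, port))
            return True
        except OSError:
            return False


# Constructed sshd_config fragment for the demonstration (not a real host's config).
SAMPLE_CONFIG = """\
# Example: admin moved sshd to a high port
Port 2222
#Port 22
ListenAddress 0.0.0.0
"""

if __name__ == "__main__":
    for port, status in audit_sshd_ports(SAMPLE_CONFIG).items():
        note = "" if status == "privileged" else "  <- any local user could bind this"
        print(f"sshd Port {port}: {status}{note}")
    print(f"running as uid {os.geteuid()}: can bind 22? {can_bind(22)}; can bind 2222? {can_bind(2222)}")
```

Run as an ordinary user, the probe shows the asymmetry the thread describes: binding 22 fails with a permission error while 2222 succeeds. Combine the audit with host firewall rules that restrict port 22 to trusted source networks, which the thread recommends over moving the port.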



