On 10/26/2009 07:41 PM, Michael Kress wrote:
> ML wrote:
>
>> So I added Port 2977 Under Host *
>>
>> So I have:
>> Host *
>> Port 2977
>>
>
> Never post your real port number here. Otherwise you don't need to hide
> it from the public. Right? ;-)

I'm not sure if this is a serious security suggestion, or a joke. (If it's a joke, sorry I missed the boat.)

This is probably going to look like a troll, but I really do feel sorry for anyone who takes this kind of suggestion seriously.

Whatever alternate SSH port number you select is NOT a secret, and you have a false impression of security if you think of it as a secret. Thinking that "My system is more secure because I run SSH on an alternate port" is just fooling yourself.

If you're already taking appropriate precautions elsewhere, then changing the port number is really just a convenience/preference, to make your logs a little less noisy. Security-wise, it's window dressing, and it'll really only present a problem for the laziest attackers or bots.

Your secret SSH port number is only a secret for about as long as it takes for a wide port scan to run. (And unless you've implemented IP-level rate-limiting on a per-remote-source-IP basis, that's a much shorter time than you think.)

Moving the SSH port will help cut down on the rate at which dictionary bots (account/password guessers) will hit you up. But do those dictionary bots really pose a security threat to you? Maybe, if your SSH server isn't patched and up-to-date, or if you haven't audited/locked your local accounts, or if you don't enforce strong passwords or keys-only logins.

If it's really that important that you cut the rate down, the iptables 'recent' module is a fantastic tool. Combined with some whitelisting, you can really cut the noise down, without inconveniencing yourself at all.

If you find 'iptables' too intimidating, there are a few log-watching scripts that will dynamically block source IPs on-the-fly as the remote IPs roll into '/var/log/secure'.

(I'm just going to apologize now to anybody I've offended, if it means anything; this is just one guy's opinion on the Internet, after all.)

-Ryan
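The per-source-IP rate limit with the 'recent' module plus whitelisting that Ryan describes, as an added example that is not from the thread. The chain name `SSH_RATELIMIT`, the list name `sshbrute`, and the threshold of 4 new connections per 60 seconds are my own choices; the function prints the rules so they can be reviewed first and applied with `| sh` as root.

```bash
#!/bin/sh
# Print an iptables rule set that rate-limits NEW SSH connections per source
# address using the 'recent' match, after exempting whitelisted networks.
# Assumed names (not from the mailing-list post): chain SSH_RATELIMIT,
# recent list 'sshbrute', 4 new connections per 60 seconds before dropping.
#
# Usage: ssh_ratelimit_rules PORT [TRUSTED_NET ...]   e.g.
#        ssh_ratelimit_rules 22 192.0.2.0/24 | sh

ssh_ratelimit_rules() {
    port="$1"; shift
    chain="SSH_RATELIMIT"
    list="sshbrute"
    seconds=60
    hits=4

    # Fresh chain so the script can be re-run safely.
    echo "iptables -N $chain 2>/dev/null"
    echo "iptables -F $chain"

    # Whitelisted sources (your own nets, a bastion) skip the limit entirely.
    for net in "$@"; do
        echo "iptables -A $chain -s $net -j RETURN"
    done

    # Remember every new connection attempt from this source.
    echo "iptables -A $chain -m recent --name $list --set"
    # Log the offending source (rcheck does not refresh its timestamp) ...
    echo "iptables -A $chain -m recent --name $list --rcheck --seconds $seconds --hitcount $hits -j LOG --log-prefix 'SSH-RATELIMIT: ' --log-level info"
    # ... then drop it; --update refreshes the timestamp, so a bot that keeps
    # hammering stays blocked until it is quiet for $seconds seconds.
    echo "iptables -A $chain -m recent --name $list --update --seconds $seconds --hitcount $hits -j DROP"

    # Send only NEW connections to the SSH port through the chain; established
    # sessions are never touched, so a blocked source cannot kick you off.
    echo "iptables -I INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j $chain"
}

# When run as a script with arguments, print the rules for them.
if [ "$#" -ge 1 ]; then
    ssh_ratelimit_rules "$@"
fi
```

Check the result with `iptables -L SSH_RATELIMIT -n` and `cat /proc/net/xt_recent/sshbrute`, which lists the addresses currently tracked and their hit timestamps.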