[ubuntu-uk] SSH question
Stephen Hildrey
steve at uptime.org.uk
Sat Jan 12 17:34:48 GMT 2008
Tom Bamford wrote:
> I don't bother changing the server port for sshd, it's security
> through obscurity.

There's nothing wrong with using obscurity to achieve enhanced defence
in depth; running ssh on a non-standard port raises the bar enough to
thwart most automated, background noise brute-force attacks.

Sure, if somebody is determined to attack you specifically, they'll find
the non-standard SSH port eventually, but if you're worried about
targeted exploitation attempts on your machines then you'll make sure
you're also running firewalls, tcp wrappers and AllowUsers/AllowGroups.

> there's no way they'll get in unless you have a seriously crap
> password.

That's a great strategy until the next time we see something like these:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0695
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0693

and the masses start writing scripts to find boxes running vulnerable
SSH daemons. Guess which port they'll try to connect to?

Cheers,
Steve
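
Added example, not part of the original post: a small Python audit of an sshd_config for the layers the message names (non-standard port, AllowUsers/AllowGroups) plus password authentication, which the quoted text raises. The sample configs, function names and finding codes are constructed for illustration; firewalls and tcp wrappers live outside sshd_config and are not checked.

```python
import re

# Keywords sshd accumulates across lines; for all others the first value wins.
ACCUMULATING = {"port", "allowusers", "allowgroups"}
LINE = re.compile(r"([A-Za-z]+)(?:\s*=\s*|\s+)(.+)")

def parse_global(text):
    """Return the global (pre-Match) settings as {keyword: [args]}."""
    settings = {}
    for raw in text.splitlines():
        m = LINE.fullmatch(raw.strip())
        if not m:                      # blank line, comment, or bare keyword
            continue
        key, args = m.group(1).lower(), m.group(2).split()
        if key == "match":             # conditional blocks are not audited here
            break
        if key in ACCUMULATING:
            settings.setdefault(key, []).extend(args)
        else:
            settings.setdefault(key, args)   # later duplicates are ignored
    return settings

def audit(text):
    """Return codes for the layers from the post that are missing."""
    s = parse_global(text)
    findings = []
    if "22" in s.get("port", ["22"]):            # upstream default is 22
        findings.append("default-port")
    if not (s.get("allowusers") or s.get("allowgroups")):
        findings.append("no-allowlist")
    if s.get("passwordauthentication", ["yes"])[0].lower() == "yes":
        findings.append("password-auth")         # upstream default is yes
    return findings

# Constructed sample configurations (hypothetical users, groups and ports).
WEAK = "# constructed\nPort 22\nPort 2222\nPasswordAuthentication yes\n"
LAYERED = ("Port 2222\nAllowGroups sshusers\nAllowUsers alice\n"
           "PasswordAuthentication no\nPasswordAuthentication yes\n"
           "Match Address 192.0.2.0/24\n    PasswordAuthentication yes\n")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("layered", LAYERED)):
        print(name, audit(cfg) or "all audited layers present")
```

The second `PasswordAuthentication yes` in the layered sample is ignored because the first value wins, while the extra `Port 22` in the weak sample still counts because Port lines accumulate.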