SSH hacked?
Smoot Carl-Mitchell
smoot at tic.com
Tue Jan 13 04:44:09 UTC 2009
On Mon, 2009-01-12 at 18:59 -0800, NoOp wrote:
> Do a simple test; put up a machine on a naked dsl modem (no router or
> denyhosts) for a few days and check the auth.log to see how many
> dictionary attack attempts are attempted on 22.
I have had my server with a listening port 22 open for years seeing very
little dictionary attack activity and have never been hacked. I suppose
this is because I am careful with my passwords and use strong key
authentication. I found moving the SSH port a bit of a distraction,
since I use SSH in my professional work as a consultant on many systems
and trying to remember any alternate port was just not worth the
trouble. Empirically, I have found my security has not been compromised
by running SSH on port 22.
With that said, I do run iptables and do limit connection rates and will
blacklist IPs which try to engage in either dictionary or DoS types of
attacks. I also turn off password logins and require strong
public/private key authentication.
It cannot hurt anything to move SSH to an alternate port, but if you do,
use something in the port range 49152 through 65535 which is the IANA
private/dynamic port range. See:
http://www.iana.org/assignments/port-numbers
Also be aware that software which depends on SSH listening on port 22
will break if you move the service to another port. For example running
rsync with SSH as the underlying transport protocol will break on a host
with SSH moved to another port. You could mitigate this by moving
the /etc/services definition of SSH to the other port, but updates
to /etc/services might be cumbersome.
--
Smoot Carl-Mitchell
Computer Systems and
Network Consultant
smoot at tic.com
+1 480 922 7313
cell: +1 602 421 9005
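The four points in the message above (a port in the IANA dynamic range, iptables rate limiting and dropping of brute-force sources, key-only sshd authentication, and keeping rsync working when sshd is not on 22), as an added shell example that is not part of the original post or the poster's own setup. The port 50022, the rsync paths, the hostname and the hit-count thresholds are assumptions; the iptables rules are printed rather than applied, and rsync gets the port through its -e option instead of an edit to /etc/services.

```shell
#!/bin/sh
# Added example, not from the original post. All values below (port 50022,
# paths, hostname, 3 connections per 60 s) are assumptions for illustration.

# Return 0 when PORT is a number in the IANA dynamic/private range 49152-65535.
ssh_port_ok() {
    port=$1
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 49152 ] && [ "$port" -le 65535 ]
}

# Print (do not apply) iptables rules that allow at most 3 new connections
# per source address per 60 s to PORT and drop anything beyond that.
# Uses the standard "recent" match; adjust --seconds/--hitcount to taste.
ssh_ratelimit_rules() {
    port=$1
    cat <<EOF
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Return 0 when the given sshd_config turns password logins off and leaves
# public-key auth on. Like sshd, the first uncommented occurrence of a
# keyword wins and keywords are case-insensitive; Match blocks are not handled.
sshd_key_only() {
    cfg=$1
    pw=$(awk 'tolower($1)=="passwordauthentication"{print tolower($2); exit}' "$cfg")
    pk=$(awk 'tolower($1)=="pubkeyauthentication"{print tolower($2); exit}' "$cfg")
    # PasswordAuthentication defaults to yes, so it must be set explicitly;
    # PubkeyAuthentication defaults to yes, so absence is fine.
    [ "$pw" = "no" ] && [ "${pk:-yes}" = "yes" ]
}

# Print the rsync command for a host whose sshd listens on PORT. The port
# travels in rsync's -e option, so /etc/services is left alone.
rsync_cmd() {
    port=$1; src=$2; dst=$3
    printf 'rsync -avz -e "ssh -p %s" %s %s\n' "$port" "$src" "$dst"
}

# Demonstration run with constructed input.
PORT=50022
if ssh_port_ok "$PORT"; then
    echo "port $PORT is in the IANA dynamic range"
fi
ssh_ratelimit_rules "$PORT"
tmp=$(mktemp)
# Constructed sshd_config fragment, not a real file from the poster's server.
printf 'PasswordAuthentication no\nPubkeyAuthentication yes\n' > "$tmp"
if sshd_key_only "$tmp"; then
    echo "$tmp: key-only authentication"
fi
rm -f "$tmp"
rsync_cmd "$PORT" /srv/data/ backup.example.com:/srv/data/
```

Run it as a normal user to see the generated rules and commands; only the printed iptables lines need root, and they should be reviewed and placed before any general ACCEPT rule for the port. The sshd_config check looks only at the global section, so a Match block that re-enables passwords for some users would not be caught.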