ssh Access from the internet

Robert Brockway robert-5LEc/6Zm6xCUd8a0hrldnti2O/JbrIOy at public.gmane.org
Tue May 13 13:54:42 UTC 2008


On Mon, 12 May 2008, Ansar Mohammed wrote:

> I am getting increasingly annoyed with the random bots brute forcing ssh on
> my public IPs. What do you guys use?

Hi Ansar.  As others have noted, allowing only PKI authentication (i.e., 
disabling password access) is an effective approach.  I never allow 
password access to ssh from public IP addresses - brute force attacks 
cannot succeed.

This way you are safe unless there is a serious security exploit in 
OpenSSH itself, and it is quite likely the most highly audited app on your 
Linux box.

I am totally against changing ports to avoid an attack.  Changing the port 
is a form of security through obscurity and can also make it impossible 
for you to connect from certain locations as many organisations restrict 
outbound port connections.  E.g., they may allow outbound 22 as they know it 
is ssh but not outbound 2222 or whatever.

Changing port numbers as a means to avoid attacks is also not a scalable 
solution and philosophically I disagree with this approach on this basis. 
Or to put it another way: if everyone did this the Internet would break.

Approaches such as the use of a firewall to restrict source addresses are 
also good but less important if you are using PKI authentication only.

Cheers,

Rob

-- 
"With sufficient thrust, pigs fly just fine..."
 	-- RFC 1925 "The Twelve Networking Truths"
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
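As an added worked example (not part of Rob's post or of the TLUG thread), the shell script below audits an sshd_config for the password settings he recommends turning off. It reads two constructed sample configs, not a real host's file; the only assumption is the usual whitespace-separated "Keyword value" form of sshd_config. The point it makes that the post does not: in sshd_config the first value of a keyword wins, so appending "PasswordAuthentication no" under an earlier "yes" changes nothing, and keyboard-interactive (PAM) authentication must be closed as well or bots can still submit passwords.

```shell
#!/bin/sh
# Added example, not from the original post. Both configs below are
# constructed samples, not taken from any real machine.
#
# sshd_config rule that trips people up: for a keyword in the global section
# the FIRST value wins and later duplicates are ignored. Match blocks are out
# of scope for this checker; it stops reading at the first one.

# Print the effective global value of a keyword (case-insensitive). Assumes
# the "Keyword value" form. Prints nothing if the keyword is unset.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }            # comments and blank lines
        tolower($1) == "match" { exit }            # first Match block ends global scope
        tolower($1) == key     { print $2; exit }  # first occurrence wins
    ' "$1"
}

# Return 0 if no password can be guessed in the global scope, 1 otherwise.
# Both password and keyboard-interactive auth must be off: with UsePAM yes,
# keyboard-interactive still prompts for a password even when
# PasswordAuthentication is no. OpenSSH defaults both keywords to "yes", so
# an unset keyword counts as enabled.
sshd_password_disabled() {
    pw=$(sshd_effective "$1" PasswordAuthentication)
    kbd=$(sshd_effective "$1" KbdInteractiveAuthentication)
    if [ -z "$kbd" ]; then   # older spelling of the same keyword
        kbd=$(sshd_effective "$1" ChallengeResponseAuthentication)
    fi
    if [ "${pw:-yes}" = no ] && [ "${kbd:-yes}" = no ]; then
        return 0
    fi
    return 1
}

# Constructed sample: looks hardened because "no" was appended at the end,
# but the earlier "yes" is the value sshd actually uses.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Port 22
PasswordAuthentication yes
ChallengeResponseAuthentication yes
# added later by someone who read the thread, with no effect:
PasswordAuthentication no
EOF

# Constructed sample: keys only from anywhere; passwords only from the LAN
# via a Match block, which this checker deliberately does not evaluate.
FIXED_CFG=$(mktemp)
cat > "$FIXED_CFG" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
Match Address 192.168.1.0/24
    PasswordAuthentication yes
EOF
trap 'rm -f "$WEAK_CFG" "$FIXED_CFG"' EXIT

for f in "$WEAK_CFG" "$FIXED_CFG"; do
    if sshd_password_disabled "$f"; then
        echo "$f: password authentication closed from the global scope"
    else
        echo "$f: passwords still accepted (PasswordAuthentication=$(sshd_effective "$f" PasswordAuthentication))"
    fi
done
```

On a live host, the authoritative answer is `sshd -T`, which prints the effective configuration after all parsing rules have been applied; the checker above is useful for auditing files before they are deployed, or on machines where you cannot run sshd as root.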