ssh Access from the internet

CLIFFORD ILKAY clifford_ilkay-biY6FKoJMRdBDgjK7y7TUQ at public.gmane.org
Tue May 13 14:13:58 UTC 2008


Robert Brockway wrote:
> Hi Ansar.  As others have noted, allowing only PKI authentication (i.e., 
> disabling password access) is an effective approach.  I never allow 
> password access to ssh from public IP addresses - brute force attacks 
> cannot succeed.
> 
> This way you are safe unless there is a serious security exploit in 
> OpenSSH itself, and it is quite likely the most highly audited app on 
> your Linux box.
> 
> I am totally against changing ports to avoid an attack.  Changing the 
> port is a form of security through obscurity and can also make it 
> impossible for you to connect from certain locations as many 
> organisations restrict outbound port connections.  E.g., they may allow 
> outbound 22 as they know it is ssh but not outbound 2222 or whatever.
>
> Changing port numbers as a means to avoid attacks is also not a scalable 
> solution and philosophically I disagree with this approach on this 
> basis. Or to put it another way: if everyone did this the Internet would 
> break.
> 
> Approaches such as the use of a firewall to restrict source addresses 
> are also good but less important if you are using PKI authentication only.

This sounds very much like a repeat of a discussion we had here some 
months ago. I respectfully disagree that changing ports is a bad thing 
and reject the notion that the Internet would break as a result. Yes, 
it's security through obscurity and no, I don't care. The idea isn't 
just to thwart potential attacks but to make it more difficult for what 
are obviously scripted attacks on port 22. Changing to some other port 
all but eliminates joe job attacks. It is very easy to work around port 
blocking restrictions by using ssh port forwarding.

By the way, key-based authentication isn't always possible. FreeNX, for 
example, or at least the older version I have running, doesn't work 
unless password auth is also enabled.
-- 
Regards,

Clifford Ilkay
Dinamis Corporation
1419-3266 Yonge St.
Toronto, ON
Canada  M4N 3P6

<http://dinamis.com>
+1 416-410-3326
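The thread argues about three sshd_config knobs (password authentication,
key-only authentication, the listening port) without showing how to tell
what a given config actually applies. The script below is an added
example, not code from either poster or from OpenSSH; it reports the
effective value of those settings and flags a config that still allows a
password login path. It relies on two documented sshd behaviours: the
first value given for a keyword wins (later duplicates are ignored), and
the global section ends at the first "Match" block. It also applies a
caveat the thread does not mention: "PasswordAuthentication no" alone is
not enough, because keyboard-interactive (PAM) logins still accept a
password until ChallengeResponseAuthentication (called
KbdInteractiveAuthentication in newer releases) is also set to "no". The
two sample configs are constructed for the demonstration, not taken from
any real host; the Match block in the second one shows how the FreeNX
case (password auth needed) can be confined to one trusted network
instead of being enabled for the whole Internet.

```shell
#!/bin/sh
# Added example, not from the original thread: audit an sshd_config for the
# options debated above. Function and variable names are this example's own.

# sshd_effective FILE KEYWORD DEFAULT
#   Print the effective value of KEYWORD in the global section of FILE,
#   or DEFAULT when the file does not set it. Mirrors sshd: first value
#   wins, keyword matching is case-insensitive, "Key=value" is accepted,
#   and the global section ends at the first "Match" line.
sshd_effective() {
    _file=$1
    _key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    _default=$3
    _val=$(awk -v key="$_key" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        { gsub(/=/, " ") }                  # "Key=value" -> "Key value"
        tolower($1) == "match" { exit }     # global section ends here
        tolower($1) == key     { print $2; exit }
    ' "$_file")
    printf '%s\n' "${_val:-$_default}"
}

# sshd_password_logins_possible FILE
#   True (exit 0) if some password-based login path is still open:
#   plain password auth, or keyboard-interactive auth, which PAM turns
#   into a password prompt. KbdInteractiveAuthentication inherits the
#   ChallengeResponseAuthentication value when it is not set explicitly
#   (an approximation of the alias handling in newer OpenSSH releases).
sshd_password_logins_possible() {
    _pw=$(sshd_effective "$1" PasswordAuthentication yes)
    _cr=$(sshd_effective "$1" ChallengeResponseAuthentication yes)
    _ki=$(sshd_effective "$1" KbdInteractiveAuthentication "$_cr")
    [ "$_pw" = yes ] || [ "$_ki" = yes ]
}

# sshd_audit FILE
#   One line per setting, then a verdict; exit 1 when passwords still work.
sshd_audit() {
    for _k in Port PasswordAuthentication PubkeyAuthentication \
              ChallengeResponseAuthentication; do
        case $_k in Port) _d=22 ;; *) _d=yes ;; esac   # sshd defaults
        printf '%-32s %s\n' "$_k" "$(sshd_effective "$1" "$_k" "$_d")"
    done
    if sshd_password_logins_possible "$1"; then
        echo "VERDICT: password logins still possible from any source"
        return 1
    fi
    echo "VERDICT: key-only authentication"
}

# --- constructed sample configs for the demonstration ---------------------
WEAK=$(mktemp)
HARD=$(mktemp)

# Port moved, but passwords left on. The second PasswordAuthentication
# line is ignored by sshd because the first value wins.
cat >"$WEAK" <<'EOF'
Port 2222
PasswordAuthentication yes
PasswordAuthentication no
EOF

# Key-only from the Internet; password auth (e.g. for FreeNX) allowed
# only from one trusted network via a Match block.
cat >"$HARD" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match Address 192.0.2.0/24
    PasswordAuthentication yes
EOF

echo "== weak config =="
sshd_audit "$WEAK" || :
echo "== hardened config =="
sshd_audit "$HARD"
```

Run it as-is to see the two reports, or call sshd_audit on
/etc/ssh/sshd_config. Because the Match block is left out of the global
scan, the hardened config is reported as key-only even though it still
grants password logins to 192.0.2.0/24, which is the intended effect: the
firewall-style source restriction Robert mentions is done in sshd itself.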
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists