On Sat, Mar 17, 2007 at 02:12:12PM -0700, Joseph Sinclair wrote:
> To Hans excellent instructions I would add that it's generally a good idea to run
> SSH on a non-standard external port (say 43722). Port 22 is a well-known port, so it's
> often the target of port scanning attacks, while high-range ports (above 33000) are
> expensive enough to randomly scan that they're rarely examined by attackers.
>
> To Whit:
> The port forward would look something like forward port (48522) on WAN to port (22) host (192.168.204.149) on LAN
> If your particular Linksys won't allow the port translation, just run the SSH daemon on port 48522 on the LAN box,
> either way it takes your external connection off of port 22 and into a slightly safer region.
And to Joseph's excellent intructions I'd like to add that all changing
ports does for you is save a bit of writing to log files. Such things as
changing ports is known as "security through obscurity" and it doesn't
really help with security at all.
Keeping your ssh patched, using secure passwords, using PK
authentication, turning off unused authentication methods in your
config: these things make you more secure.
Moving to a different port will save you the slight hassle of having
script kiddies scan you all the time, but if you have ssh open on a high
port someone *will* find you eventually, and if you haven't patched, or
are using an inane password, then they *will* root your box. It may be 4
years down the road, but it will happen.
--
Darrin Chandler | Phoenix BSD Users Group
dwchandler@stilyagin.com | http://bsd.phoenix.az.us/
http://www.stilyagin.com/darrin/ |
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change you mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss