Date: Tue, 25 Aug 2015 16:35:04 +0200
From: Polytropon <freebsd@edvax.de>
To: Matt Smith <fbsd@xtaz.co.uk>
Cc: Reko Turja <reko.turja@liukuma.net>, freebsd-questions@freebsd.org, Jaime Kikpole <jkikpole@cairodurham.org>
Subject: Re: Blocking SSH access based on bad logins?
Message-ID: <20150825163504.f59dc375.freebsd@edvax.de>
In-Reply-To: <20150825135258.GA1330@xtaz.uk>
References: <CA%2Bsg5RRppb8-paYnYtL8UMnSfP0ebzUwtM4LLNGayudCwXpyag@mail.gmail.com> <22DC19936F1E477D981FCB31FD51375E@Rivendell> <20150825135258.GA1330@xtaz.uk>

On Tue, 25 Aug 2015 14:52:58 +0100, Matt Smith wrote:
> On Aug 25 16:29, Reko Turja wrote:
> >IMO switching SSH port is security by obscurity, determined attacker
> >will eventually find the altered port if so inclined.
>
> I agree that it is security by obscurity but when I ran SSH on port 22
> it was syslogging at least several hundred login attempts every day,
> currently I run it on port 422 and it's never had one single login
> attempt that wasn't myself.

You could say that changing the SSH port is "reducing line
noise". A hacker can always run a port scan and find out
what port you're actually running SSH on. But most "wide
range attacks", usually run from fleets of zombie "Windows"
PCs, do not do this. Sophisticated attackers _will_ do it.
So it's not really an obstacle.

> Obviously you have to make sure it's also
> secure regardless which I do by requiring that the login is either with
> a key, or if with a password it also requires a one-time-password 6
> digit code read from an app on my phone.

"Having been moved" and "being secure" are two totally
different categories. Never confuse. :-)

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...