From: Michael Powell
To: freebsd-questions@freebsd.org
Reply-To: nightrecon@hotmail.com
Date: Sat, 22 Oct 2011 10:54:49 -0400
Subject: Re: Breakin attempt
References: <000001cc90c0$a0c16050$e24420f0$@org> <4EA2CE72.5030202@cran.org.uk> <20111022161242.11803f76.freebsd@edvax.de>

Polytropon wrote:

> On Sat, 22 Oct 2011 15:08:50 +0100, Bruce Cran wrote:
>> I suspect that these sorts of attacks are fairly normal if you're
>> running ssh on the standard port.
>> I used to have lots of 'break-in
>> attempts' before I moved the ssh server to a different port.
>
> Is there _any_ reason why moving from port 22 to something
> different is _not_ a solution?
>
> Reason why I'm asking: Moving SSH away from its default port
> seems to be a relatively good solution as break-in attempts
> concentrate on default ports. So in case a sysadmin decides
> to move SSH to a "hidden" location, what could be an argument
> against this decision?
>

One such relatively minor argument might be the use by external entities for the ability to connect in a standardized way. Such a client may need to connect but has no way of knowing in advance what port to use. The only readily available means for them to locate you might be DNS, with them only knowing you by hostname.

I tend to discount this as they would still need some form of auth, whether a user account/password combination or a certificate. In either case, this needs to be configured in advance, so there's no reason a port number couldn't be included when communicating how to log in to the third party.

There is also some remote possibility that the third party has some internal (albeit brain-dead) policy of mandating the use of some software that cannot be configured to use a port other than 22. I would consider such software to be inherently 'broken by design', and not a good enough reason for me to 'break' my system just to make them happy. After all, aren't they the ones who want to connect to me, and shouldn't the responsibility be on them to do it in accordance with what I have configured?

I restrict any SSH access to my systems to certificate only, with password turned off. Only a trusted few will have these certificates, and these people will know what port to use because I told them.

Just changing the port to some high, non-well-known number will not entirely stop a port scan if said scan is walking up every single port one after another. But simply changing it to something like 42347 works wonders for knocking down about 90% of script-kiddies.

I just don't see SSH as the best tool for giving anonymous remote access to the general public of the IntarWebZ in general. If access is not anonymous there must be some admin config done previous to the access. Providing anonymous access via SSH sort of defeats the purpose of using SSH in the first place. :-)

Just my $.02

- Mike
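The hardening Mike describes above (sshd moved off port 22, key-based login only, passwords switched off) can be checked mechanically. The following is an added example, not code from the original post or from the FreeBSD project: a small Python checker that parses sshd_config text the way sshd(8) reads it (keyword and value, `#` comments, case-insensitive keywords, first occurrence wins except for `Port`, which may repeat) and lists the settings that still leave the door open. The two sample configs, the user name `mike`, and the treatment of unset keywords as their permissive value are constructed assumptions; 42347 is the port number from the post.

```python
"""Audit sshd_config text for the settings discussed in the thread.

Added example (not part of the mailing-list post). It reports a server
that still listens on port 22, still accepts passwords (directly or via
keyboard-interactive), has public-key auth turned off, or lets root log
in with a password.
"""
import re

# Constructed sample: a default-looking config, passwords allowed on port 22.
WEAK_CONFIG = """\
# sshd_config (constructed sample, mostly defaults)
#Port 22
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PermitRootLogin yes
"""

# Constructed sample: moved to a high port, key-only, as the post describes.
HARDENED_CONFIG = """\
Port 42347
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AllowUsers mike
"""

# Keywords that do not appear in the file are treated as their permissive
# value here (assumption, chosen to err on the side of reporting a problem).
PERMISSIVE_DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "yes",
}


def parse_sshd_config(text):
    """Return {lowercase keyword: [values in file order]}.

    Comments and blank lines are dropped; 'Keyword value' and 'Keyword=value'
    forms are both accepted.  Repeated keywords keep every value so that
    several 'Port' lines (multiple listen ports) are all seen.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(\S+)[\s=]+(.*)", line)
        if not m:
            continue
        opts.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return opts


def effective(opts, key):
    """First value wins for single-valued keywords, as sshd does."""
    return opts.get(key, [PERMISSIVE_DEFAULTS[key]])[0].lower()


def audit(text):
    """Return the listen ports and a list of findings for the given config."""
    opts = parse_sshd_config(text)
    ports = [int(p) for p in opts.get("port", ["22"])]
    findings = []
    if 22 in ports:
        findings.append("listens on default port 22 (exposed to bulk scanners)")
    if effective(opts, "passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not disabled")
    if effective(opts, "challengeresponseauthentication") != "no":
        findings.append("ChallengeResponseAuthentication still allows "
                        "keyboard-interactive password prompts")
    if effective(opts, "pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if effective(opts, "permitrootlogin") not in ("no", "prohibit-password",
                                                   "without-password"):
        findings.append("PermitRootLogin allows password login for root")
    return {"ports": ports, "findings": findings}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(f"{name}: ports={result['ports']}")
        for f in result["findings"]:
            print(f"  - {f}")
        if not result["findings"]:
            print("  no findings")
```

Run against a real file with `audit(open("/etc/ssh/sshd_config").read())`. Note that the checker only reads the file: it does not confirm that sshd was restarted after the change, which `sockstat -4l` (or `ss -tln` on Linux) showing the intended port will.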