a) SSH scans/probes are very common right now. Accounts with very bad
passwords may get compromised by these worms. Moving to a non-standard
port would circumvent this.
Not really. You just disguised the port but any smart attacker will
notice the service running on another port and switch to targeting
that.
...
No, they won't.* You know that almost all (and probably literally all
that this person would encounter in practice) ssh password guessing
attacks are against port 22. Now if someone is targeting *that host,
specifically*, then yes, they may target ssh on its non-standard
port. But nearly, and probably, all scripts and bots out there doing
this will try port 22, and upon not finding it there, will assume the
machine isn't running ssh. Period. Moving ssh to another port, if
someone is so inclined (and no I don't do or recommend this myself;
we use other controls) is a perfectly legitimate measure.
- Dave
* Oh, you said *smart* attacker. 99% (and probably actually much
higher than 99%) of these attacks aren't smart in any way, shape, or
form. Any attack that would notice ssh running on a non-standard port
and then specifically attack it would be a targeted attack, and one
that most here are never likely to encounter. That's not to say
people should use security through obscurity as the ONLY resource;
but security through obscurity as an ADDITIONAL resource to other
smart and responsible security practices is simply another layer.
_______________________________________________
Macos-x-server mailing list (email@hidden)