a) SSH scans/probes are very common right now. Accounts with very bad
passwords may get compromised by these worms. Moving to a non-standard port
would circumvent this.
Not really. You just disguised the port but any smart attacker will
notice the service running on another port and switch to targeting
that.
...
No, they won't.* You know that almost all (and probably literally
all that this person would encounter in practice) ssh password
guessing attacks are against port 22. Now if someone is targeting
*that host, specifically*, then yes, they may target ssh on its
non-standard port. But nearly, and probably, all scripts and bots
out there doing this will try port 22, and upon not finding it
there, will assume the machine isn't running ssh. Period. Moving ssh
to another port, if someone is so inclined (and no I don't do or
recommend this myself; we use other controls) is a perfectly
legitimate measure.
- Dave
* Oh, you said *smart* attacker. 99% (and probably actually much
higher than 99%) of these attacks aren't smart in any way, shape, or
form. Any attack that would notice ssh running on a non-standard
port and then specifically attack it would be a targeted attack, and
one that most here are never likely to encounter. That's not to say
people should use security through obscurity as the ONLY resource;
but security through obscurity as an ADDITIONAL resource to other
smart and responsible security practices is simply another layer.
When discussing security risks, as I thought we were, and when asking
about the risks of running a service, on whatever port, the
presumption is generally that we're discussing all the risks, not
just those from lame bots. Security and risk assessments need to
focus not just on the probable attacks, but the possible attacks.
So while the majority of attacks may be lame ones, easily fooled, I
know you're not suggesting that these are the only ones you need to
be concerned about.
--
-dhan
------------------------------------------------------------------------
Dan Shoop AIM: iWiring
Systems & Networks Architect http://www.ustsvs.com/
email@hidden http://www.iwiring.net/
1-714-363-1174
"The wise man doesn't give the right answers, he poses the right
questions." -- Claude Levi-Strauss
iWiring provides systems and networks support for Mac OS X, unix, and
Open Source application technologies at affordable rates.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macos-x-server mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
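To make the point about weak passwords on whatever port concrete, here is an added sshd_config audit (my own example, not code from anyone in this thread). It assumes the semantics documented in sshd_config(5), namely that keywords are case-insensitive, the first value obtained for a keyword wins, and lines after the first Match apply only to matched connections; the sample configs are constructed.

```python
"""Audit the global section of an sshd_config for the weaknesses argued over in
the thread. Per sshd_config(5): keywords are case-insensitive, the first value
obtained for a keyword wins, and lines after the first Match apply only to
matched connections, so they are ignored for the global defaults audited here."""
import re

# Defaults a modern OpenSSH applies when a keyword is absent (sshd_config(5)).
DEFAULTS = {"port": "22", "passwordauthentication": "yes",
            "permitrootlogin": "prohibit-password"}

def parse_sshd_config(text):
    """Return the effective global settings as {lowercase keyword: value}."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):          # blank or comment line
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":                            # global section ends here
            break
        if len(parts) == 2 and key not in settings:   # first value wins
            settings[key] = parts[1].strip()
    return {**DEFAULTS, **settings}

def audit(text):
    """Return a list of findings; an empty list means nothing weak was found."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg["passwordauthentication"].lower() == "yes":
        findings.append("PasswordAuthentication yes: weak passwords can be guessed")
    if cfg["permitrootlogin"].lower() == "yes":
        findings.append("PermitRootLogin yes: root is reachable by password guessing")
    if findings and cfg["port"] == "22":
        findings.append("on port 22: exposed to the untargeted port-22 bots")
    elif findings:
        findings.append(f"Port {cfg['port']}: hidden from port-22 bots only, the "
                        "weak settings above remain for a targeted attacker")
    return findings

# Constructed sample: the port was moved, but the 'PasswordAuthentication no'
# is commented out (so the default, yes, applies) and root may use a password.
SAMPLE = """\
Port 2222
#PasswordAuthentication no
PermitRootLogin yes
Match User backup
    PasswordAuthentication no
"""
HARDENED = "Port 22\nPasswordAuthentication no\nPermitRootLogin no\n"
```

Running `audit(SAMPLE)` reports three findings, while `audit(HARDENED)` reports none even though it stays on port 22.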