stroke <address> 1 32000 says moving the port is a minor inconvenience
unless you're dealing with an idiot. All you do is keep beating on every
open port with ssh login attempts until you get something appropriate in
response and then beat THAT port like a baby seal.
You would try 22 *first*, but there's nothing particularly hard about
checking other ports. Tedious, but not hard.
And the likelihood of any of the numerous automated attacks checking
for ssh anywhere BUT 22?
Zero.
Targeted attacks are different.
And almost none of these attacks will ever be targeted against a
host. They'll just be one of thousands of automated attacks against
IP ranges.
I agree that a "smart" attacker dedicated to a host could and would
do all sorts of things. But we are rarely dealing with those for
automated attacks.
Not that I disagree with your point: if the only mechanism of
securing ssh is moving it to another port, that's stupid. In fact, it
may even be foolish or counterproductive, in the respect that it can
break standard tools and functions that expect ssh to be on 22; ssh
security is better managed by proper host-based and network-level
firewall controls, proper account management, and wise management of
the ssh service itself.
I'm just saying that pretty much every attack we're talking about
against ssh in a practical sense are automated scripts and bots, and
nearly all, if not all, of those - and hence, nearly all, if not all
such attacks - will be fooled by ssh not being on 22.
Macos-x-server mailing list (email@hidden)