openssh concerns

Andrew Kuriger a.kuriger at liquidphlux.com
Mon Oct 5 20:56:28 UTC 2009


On Mon, 05 Oct 2009 13:02:46 -0700, Micheas Herman <m at micheas.net> wrote:
> On Mon, 2009-10-05 at 12:46 -0600, Lyndon Nerenberg - VE6BBM/VE7TFX
> wrote:
>> > Granted, if somebody is not specifically targeting you and is just
>> > scanning
>> > ranges to find sshd on 22 they will pass you right up since that port
>> > will
>> > be closed.
>> 
>> The port change was intended only to avoid the port scanners.
> 
> 
>         And when you get notices in your logs, you can respond, as you
>         know you are being targeted and can take appropriate responses.
>         
>         The biggest reason I can see for running ssh on an non-standard
>         port is increasing the signal to noise ratio in the logs.
>         
>         If you can investigate every failed ssh login, you should be
>         safer than if you ignore 40,000 failed logins a day.
>         
>         Just my experience, but of course being able to effortlessly
>         investigate 40,000 failed logins would probably be a better
>         situation.
>         
I agree it's not a bad thing to have sshd running on a non-standard port,
but just wait until the bot herder with 10,000 bots under his control finds
out what port you're running it under...

If you're receiving 40,000 false logins a day, you're either targeted, or
extremely popular and probably shouldn't be running sshd that is accessible
via the internet anyway, aside from port knocking/VPN. I don't know about
you, but when I have been attacked it's not 100 connections from the same
IP, it's thousands randomly throughout the world.

It does, however, eliminate the background script-kiddie noise and sshd
scanners, but once you're found out/targeted it's all in the air anyway.

-Andrew
-- 
()  ascii ribbon campaign - against html e-mail 
/\  www.asciiribbon.org   - against proprietary attachments
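The thread turns on whether failed-login noise is one box hammering you or thousands of bots spread around the world, which is exactly what a quick pass over the sshd lines in auth.log tells you. The following is an added example, not code from either poster or from the FreeBSD project: it parses constructed OpenSSH "Failed password" syslog lines (the format is assumed to be the 5.x one, `Failed password for [invalid user] USER from IP port N ssh2`), counts failures per source address and per target user, and labels the pattern single-source or distributed. The 50% threshold and the sample addresses are assumptions for illustration.

```python
"""Summarise failed sshd logins per source address from syslog-style auth log lines."""
import re
from collections import Counter

# OpenSSH "Failed password" line as it appears in /var/log/auth.log (assumed 5.x
# wording); "invalid user " is present only when the account does not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+ ssh2"
)

# Constructed sample input: one address trying several accounts, plus one
# successful key login that must be ignored. Addresses are documentation ranges.
SINGLE_SOURCE_LOG = [
    "Oct  5 19:01:02 gw sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Oct  5 19:01:04 gw sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2",
    "Oct  5 19:01:07 gw sshd[4102]: Failed password for root from 203.0.113.5 port 51236 ssh2",
    "Oct  5 19:01:09 gw sshd[4103]: Failed password for invalid user oracle from 203.0.113.5 port 51237 ssh2",
    "Oct  5 19:01:30 gw sshd[4110]: Accepted publickey for andrew from 192.0.2.10 port 40022 ssh2",
]

# Constructed sample input: the botnet case, a few guesses each from many addresses.
DISTRIBUTED_LOG = [
    "Oct  5 20:10:01 gw sshd[5001]: Failed password for invalid user test from 198.51.100.23 port 3391 ssh2",
    "Oct  5 20:10:05 gw sshd[5002]: Failed password for invalid user test from 203.0.113.77 port 51002 ssh2",
    "Oct  5 20:10:09 gw sshd[5003]: Failed password for root from 198.51.100.140 port 2201 ssh2",
    "Oct  5 20:10:14 gw sshd[5004]: Failed password for invalid user guest from 192.0.2.200 port 60110 ssh2",
    "Oct  5 20:10:20 gw sshd[5005]: Failed password for root from 203.0.113.9 port 44402 ssh2",
    "Oct  5 20:10:26 gw sshd[5006]: Failed password for invalid user test from 198.51.100.23 port 3392 ssh2",
]


def parse_failures(lines):
    """Yield (user, ip) for every failed-password line; anything else is skipped."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def summarize(lines, single_source_threshold=0.5):
    """Count failures per source IP and per target user and label the pattern.

    'single-source' when one address produced at least `single_source_threshold`
    of all failures (one host hammering you, cheap to block); 'distributed' when
    the failures are spread over many addresses (per-IP blocking buys little);
    'none' when there were no failures at all.
    """
    per_ip = Counter()
    per_user = Counter()
    for user, ip in parse_failures(lines):
        per_ip[ip] += 1
        per_user[user] += 1
    total = sum(per_ip.values())
    if total == 0:
        label = "none"
    else:
        _, top_n = per_ip.most_common(1)[0]
        label = "single-source" if top_n / total >= single_source_threshold else "distributed"
    return {"total": total, "per_ip": per_ip, "per_user": per_user, "label": label}


def report(lines):
    """Human-readable summary of summarize() as a list of text lines."""
    s = summarize(lines)
    out = [f"{s['total']} failed logins from {len(s['per_ip'])} source address(es): {s['label']}"]
    for ip, n in s["per_ip"].most_common():
        out.append(f"  {ip:<16} {n}")
    out.append("targeted accounts: " + ", ".join(f"{u}({n})" for u, n in s["per_user"].most_common()))
    return out


if __name__ == "__main__":
    for name, log in (("single source", SINGLE_SOURCE_LOG), ("distributed", DISTRIBUTED_LOG)):
        print(f"== {name} ==")
        print("\n".join(report(log)))
```

On a real system you would feed it `open("/var/log/auth.log")` instead of the constructed lists; the point is that the per-address table, not the raw count, is what tells you whether a firewall rule for one address solves anything.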

