On 2013-11-03 09:47, FRIGN wrote:
> How effective is it to actually bind sshd to another port (like 1337 for
> instance)?
> Is that a sane defense against those attacks or have the
> attackers advanced in the last few years to a broader portscan?

In my experience, it cuts it down quite significantly (but not totally). If you do this, you should make sure that you run on a port <1024, though, otherwise someone could find some way to make your daemon crash and masquerade as it (which is still protected a little assuming that your SSH host key is not readable to them, but still).

I just run on port 22, though. If you run sshguard/fail2ban and monitor your SSH logs, your log noise should decrease dramatically, even on port 22. That said, there are better ways to do this than "read the log files and ban", although that is good enough for me (I only allow login to my user, and only via my private key, so if someone were to gain access it would almost certainly be in a way that was not brute force, in which case I'm fucked anyway).
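An added example, not part of the original message: a small audit of an sshd_config for the points raised in the reply above (listening port below 1024, key-only authentication, logins restricted to named users). The sample configs are constructed, the finding names are hypothetical, and defaults for absent keywords are assumed to be upstream OpenSSH's.

```python
# Added example, not from the original post. Sample configs are constructed.
# Defaults for absent keywords are assumed to be upstream OpenSSH's.
DEFAULTS = {"port": "22", "passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes", "pubkeyauthentication": "yes"}
# Deprecated alias for the same setting.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def parse_global(text):
    """Collect keyword -> [values] from the global section (stops at Match)."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key = parts[0].lower()          # keywords are case-insensitive
        if key == "match":              # conditional blocks are not audited
            break
        opts.setdefault(ALIASES.get(key, key), []).append(parts[1].strip())
    return opts

def audit(text):
    """Return a list of findings; an empty list means all checks passed."""
    opts = parse_global(text)
    def first(key):                     # sshd keeps the first value it reads
        return opts.get(key, [DEFAULTS[key]])[0].lower()
    findings = []
    for port in opts.get("port", [DEFAULTS["port"]]):   # Port may repeat
        if int(port) >= 1024:           # any local user may bind these ports
            findings.append(f"unprivileged-port:{port}")
    if first("passwordauthentication") != "no":
        findings.append("password-auth-enabled")
    if first("kbdinteractiveauthentication") != "no":
        findings.append("kbd-interactive-enabled")
    if first("pubkeyauthentication") != "yes":
        findings.append("pubkey-auth-disabled")
    users = " ".join(opts.get("allowusers", [])).split()
    if not users:
        findings.append("no-allowusers")
    elif any("*" in u or "?" in u for u in users):
        findings.append("allowusers-wildcard")
    return findings

WEAK = "# constructed sample\nPort 1337\nPasswordAuthentication yes\n"
HARDENED = ("# constructed sample\nPort 22\nPasswordAuthentication no\n"
            "KbdInteractiveAuthentication no\nPubkeyAuthentication yes\n"
            "AllowUsers alice\n")

if __name__ == "__main__":
    print("weak:", audit(WEAK))
    print("hardened:", audit(HARDENED))
```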