Whatever. I'm speaking from personal experience that I didn't find this necessary.

On 22 July 2014 08:21, E.S. Rosenberg <esr+linux...@g.jct.ac.il> wrote:

> Any decent port scanner (nmap for instance) will find the SSH service
> regardless of the port it's on, while the likelihood of a firewall blocking
> access to random non-standard ports is very high.
>
> I use fail2ban to prevent brute forcing and generally also try to have
> some form of port knocking (knockd and fwknop are good options) to prevent
> initial access to the SSH server to "unidentified" machines.
>
> 2014-07-22 1:11 GMT+03:00 Amos Shapira <amos.shap...@gmail.com>:
>
>> On 22 July 2014 00:52, Guy Gold <guy1g...@gmail.com> wrote:
>>
>>> Hi Erez,
>>>
>>> On Mon, Jul 21, 2014 at 4:18 AM, Erez D <erez0...@gmail.com> wrote:
>>>
>>>> it is not even a dynamic ip, it is a private ip behind a dynamic one
>>>
>>> Then, what Eliyahu wrote should serve you a perfect solution.
>>>
>>> Also, there's not much advantage in the point of hiding behind the
>>> "security by obscurity" method (i.e. serve SSH at port 9000, or whichever).
>>> The increase to security by using that method is in doubt - when
>>> taking under consideration tools used by "bad guys (and girls)" nowadays.
>>> If you must do it, that's fine, but don't let it be a reason for not
>>> using much better methods, as Eliyahu suggested.
>>
>> From personal experience - there is a huge advantage in picking a random
>> port for external SSH (and external HTTP). I always had port scanners on my
>> standard, dynamic ISP ADSL addresses until I moved them to different
>> non-standard ports. Since then my logs are clean, and I'm talking about
>> over 5 years of experience (I don't remember exactly when I did the switch).
>>
>> This is of course not the only measure I take for security. I still treat
>> them as vulnerable etc. But after years of not having a single probe on the
>> new ports I have to say that it removed the threat of pretty much 100% of
>> the probes on my home network.
>>
>> Perhaps they are more thorough on static ip addresses, known targets
>> etc., but in my experience this is a very successful step.
>>
>>> --
>>> Guy Gold
>>>
>>> _______________________________________________
>>> Linux-il mailing list
>>> Linux-il@cs.huji.ac.il
>>> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il

_______________________________________________
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il