Although port scanners can scan every port, it takes 65536 times as long as scanning only port 22, and there are enough available port 22s, so using a non-standard port is a smart move as long as it is not the only one.

On Tue, Jul 22, 2014 at 3:07 AM, Amos Shapira <amos.shap...@gmail.com> wrote:

> Whatever.
>
> I'm speaking from personal experience that I didn't find this necessary.
>
> On 22 July 2014 08:21, E.S. Rosenberg <esr+linux...@g.jct.ac.il> wrote:
>
>> Any decent port scanner (nmap for instance) will find the SSH service regardless of the port it's on, while the likelihood of a firewall blocking access to random non-standard ports is very high.
>>
>> I use fail2ban to prevent brute forcing and generally also try to have some form of port knocking (knockd and fwknop are good options) to prevent initial access to the SSH server for "unidentified" machines.
>>
>> 2014-07-22 1:11 GMT+03:00 Amos Shapira <amos.shap...@gmail.com>:
>>
>>> On 22 July 2014 00:52, Guy Gold <guy1g...@gmail.com> wrote:
>>>
>>>> Hi Erez,
>>>>
>>>> On Mon, Jul 21, 2014 at 4:18 AM, Erez D <erez0...@gmail.com> wrote:
>>>>
>>>>> It is not even a dynamic IP, it is a private IP behind a dynamic one.
>>>>
>>>> Then what Eliyahu wrote should serve you as a perfect solution.
>>>>
>>>> Also, there's not much advantage in hiding behind the "security by obscurity" method (i.e. serving SSH at port 9000, or whichever). The increase in security from using that method is in doubt when taking into consideration the tools used by "bad guys (and girls)" nowadays. If you must do it, that's fine, but don't let it be a reason for not using much better methods, as Eliyahu suggested.
>>>
>>> From personal experience, there is a huge advantage in picking a random port for external SSH (and external HTTP). I always had port scanners on my standard, dynamic ISP ADSL addresses until I moved them to different non-standard ports. Since then my logs are clean, and I'm talking about over 5 years of experience (I don't remember exactly when I did the switch).
>>>
>>> This is of course not the only measure I take for security. I still treat them as vulnerable etc. But after years of not having a single probe on the new ports I have to say that it removed the threat of pretty much 100% of the probes on my home network.
>>>
>>> Perhaps they are more thorough on static IP addresses, known targets etc., but in my experience this is a very successful step.
>>>
>>>> --
>>>> Guy Gold
>>>>
>>>> _______________________________________________
>>>> Linux-il mailing list
>>>> Linux-il@cs.huji.ac.il
>>>> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
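The thread's practical recommendation is to stop relying on a non-standard port alone and to add fail2ban-style brute-force detection (with port knocking on top). The following is an added example, not code from fail2ban or from any poster on this list: a small sliding-window detector in the spirit of fail2ban's `maxretry`/`findtime` rule, run over constructed sshd log lines (RFC 5737 documentation addresses, year 2014 assumed because syslog timestamps carry none). It also shows the caveat a practitioner should know: an attacker pacing attempts slower than the window never trips the default rule.

```python
"""Sliding-window SSH brute-force detector over sshd auth log lines.

Added example for the linux-il thread above; it is not fail2ban's code.
It mirrors the maxretry/findtime idea: a source is banned once it has
`maxretry` failed logins inside any `findtime`-second window.
SAMPLE_LOG below is constructed (RFC 5737 addresses, fictional PIDs).
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Standard OpenSSH failure line. The "port N" field is the client's source
# port, so it is independent of whichever port sshd itself listens on.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample: 203.0.113.7 hammers the host within two minutes,
# 198.51.100.9 tries one password every ~15 minutes, 192.0.2.15 is a
# legitimate key-based login that must not be counted.
SAMPLE_LOG = """\
Jul 22 00:40:00 gw sshd[3990]: Failed password for erez from 198.51.100.9 port 60001 ssh2
Jul 22 00:55:00 gw sshd[3995]: Failed password for erez from 198.51.100.9 port 60002 ssh2
Jul 22 01:10:01 gw sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Jul 22 01:10:03 gw sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Jul 22 01:10:05 gw sshd[4023]: Failed password for root from 203.0.113.7 port 40130 ssh2
Jul 22 01:10:30 gw sshd[4030]: Accepted publickey for erez from 192.0.2.15 port 52010 ssh2: RSA SHA256:constructed
Jul 22 01:10:45 gw sshd[4028]: Failed password for erez from 198.51.100.9 port 60003 ssh2
Jul 22 01:11:02 gw sshd[4031]: Failed password for invalid user oracle from 203.0.113.7 port 40140 ssh2
Jul 22 01:11:04 gw sshd[4031]: Failed password for invalid user oracle from 203.0.113.7 port 40140 ssh2
Jul 22 01:11:09 gw sshd[4032]: Failed password for root from 203.0.113.7 port 40141 ssh2
Jul 22 01:25:00 gw sshd[4050]: Failed password for erez from 198.51.100.9 port 60004 ssh2
Jul 22 01:40:00 gw sshd[4061]: Failed password for erez from 198.51.100.9 port 60005 ssh2
"""


def parse_syslog_ts(ts: str, year: int = 2014) -> datetime:
    """Syslog timestamps have no year; the caller supplies one (assumed 2014 here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bans(lines, maxretry: int = 5, findtime: int = 600) -> dict:
    """Return {ip: ISO time of the ban} for every source that accumulates
    `maxretry` failures inside a `findtime`-second window. Non-failure lines
    (successful logins, unrelated syslog noise) are ignored."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    bans = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip, t = m["ip"], parse_syslog_ts(m["ts"])
        if ip in bans:
            continue  # already banned; later failures change nothing
        window = recent[ip]
        window.append(t)
        while (t - window[0]).total_seconds() > findtime:
            window.popleft()  # expire failures older than the window
        if len(window) >= maxretry:
            bans[ip] = t.isoformat()
    return bans


def ban_commands(bans: dict) -> list:
    """Render ban decisions as firewall rules, the way fail2ban's default
    iptables action would apply them."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(bans)]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, when in find_bans(lines).items():
        print(f"{when} ban {ip}")
    print("\n".join(ban_commands(find_bans(lines))))
```

With the defaults (5 failures in 600 s) only 203.0.113.7 is banned, at its fifth failure (01:11:04); 198.51.100.9, pacing one attempt every 15 minutes, never has five failures inside any 10-minute window and stays unbanned. Widening `findtime` to 3600 s catches it at 01:40:00, at the cost of also catching a careless legitimate user who mistypes a password a few times over an hour. That residual gap is exactly why the thread pairs fail2ban with port knocking rather than treating either one, or a non-standard port, as sufficient by itself.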