On 1 July 2015 9:51:49 CEST, benta...@chez.com wrote:
>Hi,
>I've been using sslh to multiplex openvpn, https and ssh on port 443 to
>be able to go through anything and before that I was using tcpproxy for
>the same reason.
>I'm pretty impressed by sslh and I hope to use it when I replace the
>linux all-in-one box by a refurbished Ultra 20/hipster.
>
>To be honest, for a very long time I had port 22 opened as well for ssh
>the time to trust sslh and the difference is quite noticeable, security
>wise.
>On the other hand, if you don't allow root login, have good passwords
>for users and root and log rotation correctly set, port 22 or not is
>just a convenience question but I'm not a security guy, really.
>
>Ben.
>
>----- Original message -----
>From: "Jim Klimov" <jimkli...@cos.ru>
>To: "Discussion list for OpenIndiana"
><openindiana-discuss@openindiana.org>, "Till Wegmüller"
><toaster...@gmail.com>
>Sent: Monday 29 June 2015 21:02:44
>Subject: Re: [OpenIndiana-discuss] Who is trying to break in ?
>
>On 29 June 2015 9:37:26 CEST, "Till Wegmüller" <toaster...@gmail.com>
>wrote:
>>Brogyányi József wrote on Sunday 28 June 2015 11.01:55:
>>
>>> The last was strange a little bit because he wanted to switch off the
>>> server. I think you have to change the 21 and 22 communication port.
>>> I use the 443 port for ssh. I can reach the server easily from anywhere
>>> because every company left it open that port.
>>
>>I Advise Strongly against using a different port for SSH. Especially a
>>port like 443 which by default is used by apache and other webservers.
>>Some Webservers might refuse to launch depending on their
>>configuration.
>>
>>> I've noticed some text output before shutting down the system.
>>> It seems someone ( or bots ) are constantly trying to log in as root.
>>
>>Yea there are some Chinese Bot nets that scan for open SSH Ports and
>>try to log in with root. I have them on every SSH capable server which
>>is Internet reachable. They don't only scan 22 but also 666 or 1337.
>>But they only make tries with weak default passwords like 12345.
>>
>>If you want to block them I suggest the Tool fail2ban. I use it on my
>>Linux boxes and it works like a charm. There also seems to be a Port
>>for snv_134 https://github.com/jamesstout/fail2ban-0.8.4-OpenSolaris
>>but I haven't tested that.
>>
>>Greetings Till
>>
>>_______________________________________________
>>openindiana-discuss mailing list
>>openindiana-discuss@openindiana.org
>>http://openindiana.org/mailman/listinfo/openindiana-discuss
>
>Got no qualms about ssh (or openvpn) on port 443 - indeed, if one sets
>up something non-standard, gotta be ready for the consequences. And to
>all ids'es and sniffers, cryptotraffic looks much the same (different
>dynamic flow patterns may be discerned by the smarter filters out there
>though).
>
>As was said earlier, many networks (especially free wifi, and some
>cellulars) only allow http(s) outwards, so there's not much choice for
>road-workers.
>
>Also, there are server-side projects to colocate frontends for https
>and ssh or openvpn on the same socket to veil it even more.
>
>
>--
>Typos courtesy of K-9 Mail on my Samsung Android

You can also boost security with no passwords allowed, keys only for ssh auth ;)

--
Typos courtesy of K-9 Mail on my Samsung Android
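
The kind of check a log-watching tool such as fail2ban applies to the root-login attempts discussed in this thread, as an added example that is not part of the thread and not fail2ban's own code: it counts failed sshd password attempts per source address inside a time window. The log lines are constructed in OpenSSH's syslog style (the format on a given OpenIndiana host may differ), and the function name, thresholds and year are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH syslog style; addresses are documentation ranges.
SAMPLE_LOG = """\
Jun 28 11:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jun 28 11:00:04 host sshd[1203]: Failed password for root from 203.0.113.7 port 40120 ssh2
Jun 28 11:00:09 host sshd[1207]: Failed password for invalid user admin from 203.0.113.7 port 40131 ssh2
Jun 28 11:00:30 host sshd[1210]: Accepted publickey for ben from 198.51.100.20 port 51515 ssh2
Jun 28 11:02:00 host sshd[1215]: Failed password for ben from 198.51.100.20 port 51600 ssh2
Jun 28 11:30:00 host sshd[1300]: Failed password for root from 198.51.100.20 port 51700 ssh2
"""

# The user name is supplied by the remote side, so the address is taken from the
# END of the line (greedy user field plus "$") rather than from the first "from".
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

def find_offenders(log_text, max_retry=3, find_time=timedelta(minutes=10), year=2015):
    """Return {ip: sorted user names tried} for every address that reached
    max_retry failed passwords within find_time (syslog lines carry no year)."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> every user name that address has tried
    offenders = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > find_time:
            window.popleft()      # drop failures older than the window
        users[m["ip"]].add(m["user"])
        if len(window) >= max_retry:
            offenders[m["ip"]] = sorted(users[m["ip"]])
    return offenders

if __name__ == "__main__":
    for ip, tried in find_offenders(SAMPLE_LOG).items():
        print(f"{ip}: tried {', '.join(tried)}")
```

The two failures from 198.51.100.20 are 28 minutes apart, so that address never reaches the threshold inside one window.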