Tom Bamford wrote:
> I don't bother changing the server port for sshd, it's security
> through obscurity.

There's nothing wrong with using obscurity to achieve enhanced defence in depth; running ssh on a non-standard port raises the bar enough to thwart most automated, background noise brute-force attacks. Sure, if somebody is determined to attack you specifically, they'll find the non-standard SSH port eventually, but if you're worried about targeted exploitation attempts on your machines then you'll make sure you're also running firewalls, tcp wrappers and AllowUsers/AllowGroups.

> there's no way they'll get in unless you have a seriously crap
> password.

That's a great strategy until the next time we see something like these:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0695
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0693

and the masses start writing scripts to find boxes running vulnerable SSH daemons. Guess which port they'll try to connect to?

Cheers,
Steve

--
ubuntu-uk@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk
https://wiki.kubuntu.org/UKTeam/
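An added example, not part of the message above: a small check that reports which of the sshd-side layers named in the message (a non-standard port, AllowUsers/AllowGroups) are present in an sshd_config. The helper names and the sample configuration are constructed for illustration; firewalls and tcp wrappers are configured outside sshd_config and are not covered.

```python
import re

# Added example: helper names are hypothetical; SAMPLE is a constructed config.
SAMPLE = """\
Port 2222
PermitRootLogin no
allowusers steve deploy@192.0.2.*
#AllowGroups sshusers
Match User deploy
    AllowGroups deployers
"""

def parse_global(text):
    """Return {keyword: [values]} for global directives only."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keywords are case-insensitive; "Key value" and "Key=value" both occur.
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":  # settings after Match apply conditionally, so stop
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        found.setdefault(key, []).append(value)
    return found

def audit(text):
    cfg = parse_global(text)
    ports = [int(p) for p in cfg.get("port", ["22"])]  # sshd defaults to 22
    return {
        "ports": ports,
        "listens_on_22": 22 in ports,
        "allow_users": " ".join(cfg.get("allowusers", [])).split(),
        "allow_groups": " ".join(cfg.get("allowgroups", [])).split(),
    }

def findings(text):
    r = audit(text)
    out = []
    if r["listens_on_22"]:
        out.append("sshd listens on port 22, the port automated scans try first")
    if not r["allow_users"] and not r["allow_groups"]:
        out.append("no global AllowUsers/AllowGroups restriction is set")
    return out

if __name__ == "__main__":
    print(audit(SAMPLE), findings(SAMPLE))
```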