The most effective thing I've found for preventing SSH attacks is simply to listen on a different port. Yes, it's security by obscurity so you should also deploy other counter measures, but if you choose your non-standard port wisely you can avoid most, if not all, casual attacks. Some tips:
Avoid obvious alternatives like 222 and 2222. Don't use a port that is used for another popular service (80 would be *bad*!) Ideally use a port below 1,024 as these can only be bound to by daemons started as root. So far, I've had exactly *one* kiddie stumble across my home server's SSH port on a scan in several years, and that was only because they did a brute force scan of every port below 1024 and a large number of selected high ports. All to no avail as my IDS had already detected the scan and denied the IP long before they reached any open ports. -- Andy The only person to have all his work done by Friday was Robinson Crusoe -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
