Oddball SSH port
David A. Bandel
david.bandel at gmail.com
Thu Nov 15 16:01:32 PST 2007
On Nov 14, 2007 10:10 AM, mailbox at hipp.com <michael at hipp.com> wrote:
> >----Original Message----
> >From: mcarpenter at intelguardians.com
> >On Tuesday 30 October 2007, Michael Hipp wrote:
> >> Just wondering if any part of the port numbering space is less of a
> >> target than another. Or if there are technical issues I'm not aware of.
> >
> >If your goal is to limit the autorooters (scripts which exploit SSH vulns)
> >then you're fine. If you truly are interested in slowing down the bad guys,
> >guess again. Simply nudging SSH (using nmap -A for example) gives up the
> >goods too easily... Full nmap scans, like those of a dangerous attacker,
> >will turn up the port as open, and SSH gives itself away.
>
> That's about all I'm trying to do.
>
> Some of my systems are continually logging dictionary attacks against
> accounts like 'tom' and 'mary'. And if there was anyone with any brains
> behind the attempts they'd notice that such is pointless without the
> right public key.
>
> Anyway, I think obfuscating the ssh port will blunt most of these
> wannabe crackers.
>
> But if you have any other measures to protect ssh I would certainly
> like to hear.
>
Yeah, the SSH attacks are annoying and use a _lot_ of bandwidth. I
logged 27,000+ attacks during a 24 hour period against my network.
I use iptables and permit ranges of IPs where I might come in from and
DROP all other IPs. I have only one system open to the world but you
can only enter with a key. Doesn't slow them down. I've often
considered putting a tar baby on a couple of IPs.
Ciao,
David A. Bandel
--
Focus on the dream, not the competition.
- Nemesis Air Racing Team motto
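
As an added example (not part of the original post), this Python script counts failed password attempts in sshd log lines and splits the sources by whether an iptables allowlist with a default DROP, as described in the message above, would keep them from reaching sshd at all. The log lines, addresses and the allowlisted range are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sshd log lines (documentation-range addresses, not real data).
SAMPLE_LOG = """\
Nov 15 03:12:01 host sshd[2101]: Invalid user tom from 203.0.113.7
Nov 15 03:12:03 host sshd[2101]: Failed password for invalid user tom from 203.0.113.7 port 40112 ssh2
Nov 15 03:12:06 host sshd[2104]: Failed password for invalid user mary from 203.0.113.7 port 40117 ssh2
Nov 15 03:15:40 host sshd[2130]: Failed password for root from 198.51.100.23 port 51990 ssh2
Nov 15 08:02:11 host sshd[2410]: Failed password for david from 192.0.2.44 port 33012 ssh2
Nov 15 08:02:19 host sshd[2410]: Accepted publickey for david from 192.0.2.44 port 33012 ssh2
"""

# Assumed allowlist: the ranges an administrator expects to connect from.
ALLOWED_RANGES = [ipaddress.ip_network("192.0.2.0/24")]

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?"
                    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

def failed_attempts(log_text):
    """Yield (user, ip) for each failed password attempt in the log text."""
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # source logged as a hostname or malformed; skip it
        yield m.group("user"), ip

def summarize(log_text, allowed=ALLOWED_RANGES):
    """Count failures per source and split them by allowlist membership."""
    per_ip = Counter()
    users = {}
    for user, ip in failed_attempts(log_text):
        per_ip[ip] += 1
        users.setdefault(ip, set()).add(user)
    report = {"dropped_by_allowlist": {}, "still_reaches_sshd": {}}
    for ip, count in per_ip.items():
        inside = any(ip in net for net in allowed)
        bucket = "still_reaches_sshd" if inside else "dropped_by_allowlist"
        report[bucket][str(ip)] = (count, sorted(users[ip]))
    return report

if __name__ == "__main__":
    for bucket, entries in summarize(SAMPLE_LOG).items():
        print(bucket, entries)
```

Sources in the second bucket are inside the permitted ranges, so key-only authentication is the control that still applies to them.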