[clug] [OT] IP range of a domain?

Robert Brockway robert at timetraveller.org
Thu Jan 21 07:16:45 MST 2010

On Thu, 21 Jan 2010, miloska at gmail.com wrote:

> Additionally you can change the default portnumber from 22 to
> something else, so automated robots won't find/try your ssh.

I'm not a fan of changing port numbers.  It has two main problems:

* A legitimate client doesn't know the port ahead of time and either needs 
to be told or scan for it to find it.

* Access may be limited as intervening firewalls may block the 
non-standard port.  It is common for corporate firewalls to limit outbound 
connections to a limited set of destination ports.

If I don't want people to connect to the port then I'd rather block it at 
the firewall and be done with it.

> Also you can implement port-knocking (I think iptables itself can be
> set up for that) to reduce the chance of any unnecessary connection to

Yes port-knocking is a great option.  I'm glad you brought it up as I 
forgot to mention it in my original post.

> your SSH services. Speaking of iptables I think fail2ban (or something
> similar, like limit the number of new connection from an IP to your
> SSH port) can be also implemented with iptables.

Exactly.  One problem I've found with fail2ban is that (by default at 
least) it is looking in the logs for failed password attempts and so isn't 
useful if you are only using key auth.

> I know all these solutions seems a bit amateur, but the combination of
> some of them (I do recommend at least the key-only auth from Rob's
> list on the first place) is a good enough protection for an average
> server - and I guess we are not talking about a banking system.

Use of a firewall to block access and use of key auth for ssh will get you 
to a high level of security.   A higher level of security could be 
obtained through the use of a DMZ and IDS/IPS tools.   All that is still 
possible in the home if you want to go to the extra effort.

One other point I wanted to tack on this email.  A lot of people using 
Linux in homes and small businesses focus on securing ssh since it will 
open a shell on their system if the attacker can get through.  This 
appears to make it an obvious threat, but it is quite easily secured using 
some of the methods we've mentioned here.

It's worth noting that the risk behind most exploits is that there is an 
opportunity to run arbitrary code.  Guess what arbitrary code most bad 
guys run - a shell.  OpenSSH is arguably the most highly audited piece of 
code on a typical Linux box (having come from OpenBSD).  Thus sometimes I 
feel that the threat from OpenSSH gets more attention than it should when 
many other apps may represent a far greater threat to the system.



Email: robert at timetraveller.org
IRC: Solver
Web: http://www.practicalsysadmin.com
I tried to change the world but they had a no-return policy

More information about the linux mailing list